Crash in GIF decoder on crafted input
Given a crafted input, gdk-pixbuf-thumbnailer crashes with SIGSEGV. Judging by the backtrace, the GIF loader in gdk-pixbuf is the culprit, which contains an entirely custom implementation of GIF decoding instead of relying on a commonly used library. I have not investigated the issue in detail, but at a glance it appears to be either a buffer overflow or a use-after-free and may pose a security issue.
The issue has been identified using AFLplusplus in gdk-pixbuf version 2.40.0+dfsg-3 shipped by Ubuntu 20.04.
Steps to reproduce:
- Set the `$crashing_input` environment variable to the path of any of the attached files triggering the issue
- Run `gdk-pixbuf-thumbnailer $crashing_input /dev/null`
- Observe a segmentation fault
Files triggering the issue: gdk-pixbuf-2.40-crashes.tar.gz
Backtrace according to gdb:
Program received signal SIGSEGV, Segmentation fault.
__memset_avx2_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:151
151 ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S: No such file or directory.
(gdb) bt
#0 __memset_avx2_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:151
#1 0x00007ffff7665983 in memset (__len=18446744071918129152, __ch=0, __dest=<optimized out>)
at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
#2 gdk_pixbuf_gif_anim_iter_get_pixbuf (anim_iter=0x55555555c180) at ../gdk-pixbuf/io-gif-animation.c:418
#3 0x00007ffff7665a5c in gdk_pixbuf_gif_anim_get_static_image (animation=0x555555578100) at ../gdk-pixbuf/io-gif-animation.c:115
#4 0x00007ffff7664601 in gif_get_lzw (context=0x555555574c50) at ../gdk-pixbuf/io-gif.c:506
#5 gif_main_loop (context=0x555555574c50) at ../gdk-pixbuf/io-gif.c:821
#6 0x00007ffff7664bd0 in gdk_pixbuf__gif_image_load_increment
(data=0x555555574c50, buf=0x55555557071c "GIF89a \177 K\361\003", size=179, error=<optimized out>) at ../gdk-pixbuf/io-gif.c:1013
#7 0x00007ffff7fa9281 in gdk_pixbuf_loader_load_module
(loader=loader@entry=0x555555567f40, image_type=image_type@entry=0x0, error=error@entry=0x7ffffffee1f0) at ../gdk-pixbuf/gdk-pixbuf-loader.c:426
#8 0x00007ffff7fa9b15 in gdk_pixbuf_loader_close (loader=loader@entry=0x555555567f40, error=error@entry=0x7fffffffe300)
at ../gdk-pixbuf/gdk-pixbuf-loader.c:835
#9 0x00007ffff7fa700a in gdk_pixbuf_new_from_file_at_scale
(filename=0x5555555643c0 "/home/sdavydov/gdk-pixbuf-2.40-crashes/id:000001,sig:06,src:000008+000613,time:242007522,op:splice,rep:8", width=<optimized out>, height=<optimized out>, preserve_aspect_ratio=preserve_aspect_ratio@entry=1, error=error@entry=0x7fffffffe300)
at ../gdk-pixbuf/gdk-pixbuf-io.c:1417
#10 0x00007ffff7fa71c1 in gdk_pixbuf_new_from_file_at_size
(filename=<optimized out>, width=<optimized out>, height=<optimized out>, error=error@entry=0x7fffffffe300) at ../gdk-pixbuf/gdk-pixbuf-io.c:1230
#11 0x000055555555695c in file_to_pixbuf (path=<optimized out>, destination_size=<optimized out>, error=0x7fffffffe300)
at ../thumbnailer/gdk-pixbuf-thumbnailer.c:35
#12 0x00005555555565a6 in main (argc=<optimized out>, argv=<optimized out>) at ../thumbnailer/gnome-thumbnailer-skeleton.c:281
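The `__len` argument in frame #1 has all-ones upper 32 bits, which is what a negative 32-bit `int` looks like after conversion to `size_t`. The following added example (not gdk-pixbuf code) decodes that value and shows an overflow-checked frame-buffer size computation; `frame_buffer_size` and `checked_or_zero` are hypothetical helpers, not functions of the project.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The memset length reported in frame #1 of the backtrace. */
#define CRASH_MEMSET_LEN 18446744071918129152ULL

/* Reinterpret the size_t length as a signed 64-bit value
 * (modular conversion, as gcc and clang implement it). */
int64_t len_as_signed(uint64_t len) { return (int64_t)len; }

/* True when the upper 32 bits are all ones, i.e. the value is consistent
 * with a negative 32-bit int that was sign-extended into a size_t. */
bool looks_like_sign_extended_int32(uint64_t len)
{
    return (len >> 32) == 0xFFFFFFFFULL;
}

/* Hypothetical hardened computation of width * height * bytes_per_pixel:
 * rejects non-positive inputs, checks every multiplication, and requires
 * the result to fit in an int (pixbuf-style code stores sizes as int). */
bool frame_buffer_size(int width, int height, int bytes_per_pixel, size_t *out)
{
    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0)
        return false;
    size_t area, total;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &area))
        return false;
    if (__builtin_mul_overflow(area, (size_t)bytes_per_pixel, &total))
        return false;
    if (total > (size_t)INT_MAX)
        return false;
    *out = total;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the inputs are rejected. */
size_t checked_or_zero(int width, int height, int bytes_per_pixel)
{
    size_t n = 0;
    return frame_buffer_size(width, height, bytes_per_pixel, &n) ? n : 0;
}

int main(void)
{
    printf("__len as signed: %lld\n", (long long)len_as_signed(CRASH_MEMSET_LEN));
    printf("sign-extended int32: %d\n", looks_like_sign_extended_int32(CRASH_MEMSET_LEN));
    printf("checked 100x100x4: %zu\n", checked_or_zero(100, 100, 4));
    return 0;
}
```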
Edited by Sergey "Shnatsel" Davidoff