(CVE-2020-29385) endless loop in the write_indexes function in gdk-pixbuf/lzw.c (from melvin@melvinkool.nl)
Original reporter: Melvin Kool
Area: Application
Message
Dear GNOME security team,
We are fuzzing gdk-pixbuf for a university project. So far we found approx. 289 hangs and 439 crashes, of which one crash and one hang are interesting. The hang results in an endless loop in the write_indexes function in gdk-pixbuf/lzw.c.
When c = self->code = 10, in the while loop it will assign self->code_table[10].extends to c, which is 11. After that it assigns self->code_table[11].extends = 10 to c, so the loop will run forever and take full CPU resources. We are still investigating the interesting crash, which is probably a signed integer overflow in GIF images. I have a file available on my computer that triggers the denial of service.
My PGP key fingerprint is: b27668e77e4184273865660fec403209c3fdd742
Full stacktrace:
#0 0x00007ffff4f62d98 in write_indexes (output_length=1018, output=0x5555557672f6 "", self=0x555555786260) at ../gdk-pixbuf/lzw.c:90
#1 0x00007ffff4f62d98 in lzw_decoder_feed (self=self@entry=0x555555786260, input=, input_length=, output=output@entry=0x5555557672f0 "\001\001\001\001\001\001", output_length=1024) at ../gdk-pixbuf/lzw.c:212
#2 0x00007ffff4f61fa4 in composite_frame (anim=0x5555557780c0, frame=0x5555557735a0) at ../gdk-pixbuf/io-gif-animation.c:367
#3 0x00007ffff4f625e9 in gdk_pixbuf_gif_anim_iter_get_pixbuf (anim_iter=anim_iter@entry=0x55555575a1e0) at ../gdk-pixbuf/io-gif-animation.c:428
#4 0x00007ffff4f6281a in gdk_pixbuf_gif_anim_get_static_image (animation=) at ../gdk-pixbuf/io-gif-animation.c:117
#5 0x00007ffff4f61289 in gif_get_lzw (context=0x555555772da0) at ../gdk-pixbuf/io-gif.c:467
#6 0x00007ffff4f61289 in gif_main_loop (context=context@entry=0x555555772da0) at ../gdk-pixbuf/io-gif.c:760
#7 0x00007ffff4f61b2f in gdk_pixbuf__gif_image_load_increment (data=0x555555772da0, buf=, size=, error=) at ../gdk-pixbuf/io-gif.c:958
#8 0x00007ffff7bbcc9b in gdk_pixbuf_loader_load_module (loader=loader@entry=0x5555557650c0, image_type=image_type@entry=0x0, error=error@entry=0x7fffffffe390) at ../gdk-pixbuf/gdk-pixbuf-loader.c:467
#9 0x00007ffff7bbd7f9 in gdk_pixbuf_loader_eat_header_write (error=0x7fffffffe390, count=5561, buf=0x7ffffffee2f0 "GIF89a", loader=0x5555557650c0) at ../gdk-pixbuf/gdk-pixbuf-loader.c:489
#10 0x00007ffff7bbd7f9 in gdk_pixbuf_loader_write (loader=loader@entry=0x5555557650c0, buf=buf@entry=0x7ffffffee2f0 "GIF89a", count=5561, error=error@entry=0x7fffffffe390) at ../gdk-pixbuf/gdk-pixbuf-loader.c:535
#11 0x00007ffff7bbac06 in gdk_pixbuf_new_from_file_at_scale (filename=0x55555576c100 "/home/azureuser/findings_melvin/hang_114", width=, height=, preserve_aspect_ratio=preserve_aspect_ratio@entry=1, error=error@entry=0x7fffffffe390) at ../gdk-pixbuf/gdk-pixbuf-io.c:1408
#12 0x00007ffff7bbaddd in gdk_pixbuf_new_from_file_at_size (filename=, width=, height=, error=error@entry=0x7fffffffe390) at ../gdk-pixbuf/gdk-pixbuf-io.c:1240
#13 0x0000555555555731 in file_to_pixbuf (path=, destination_size=, error=0x7fffffffe390) at ../thumbnailer/gdk-pixbuf-thumbnailer.c:35
#14 0x0000555555555408 in main (argc=, argv=) at ../thumbnailer/gnome-thumbnailer-skeleton.c:281
(gdb) p self->code_table
$28 = {{index = 0 '\000', extends = 9}, {index = 1 '\001', extends = 9}, {index = 2 '\002', extends = 9}, {index = 3 '\003', extends = 9}, {index = 4 '\004', extends = 9}, {index = 5 '\005', extends = 9}, {index = 6 '\006', extends = 9}, {index = 7 '\a', extends = 9}, {index = 8 '\b', extends = 9}, {index = 9 '\t', extends = 9}, {index = 1 '\001', extends = 11}, {index = 1 '\001', extends = 10}, {index = 0 '\000', extends = 0} }
Should I file a CVE for this issue, since it's possible to trigger this crash from the file manager in Fedora with GNOME, Chromium, Thunderbird, Firefox, Discord, etc.?
Kind regards, Melvin Kool
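Added illustration of the loop the report describes (this is neither gdk-pixbuf's lzw.c nor the reporter's code): a small C model of the `extends` walk, with the code table filled in from the gdb dump above. The unbounded shape is shown for contrast next to a checked walk that stops on the first link that does not point to a strictly smaller code, which is the invariant an LZW table must satisfy because every code is defined as an already-existing (shorter) code plus one pixel. `LzwModel`, `n_roots`, `build_reported_table`, the global `g_out` buffer and the well-formed entry 12 are assumptions of the model, not values from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of an LZW code table; the field names index/extends follow the gdb
 * dump in the report. Assumed layout for this illustration only. */
#define TABLE_SIZE 4096

typedef struct {
    uint8_t  index;   /* last pixel index of the string this code denotes */
    uint16_t extends; /* code of the prefix string (the string minus `index`) */
} CodeEntry;

typedef struct {
    CodeEntry code_table[TABLE_SIZE];
    int       n_roots; /* assumption: codes 0..n_roots-1 are single-pixel roots */
} LzwModel;

/* Vulnerable shape: follow `extends` until a root is reached. With
 * code_table[10].extends == 11 and code_table[11].extends == 10, as in the
 * dump, this never returns. Shown for contrast; do not call it on that table. */
int
write_indexes_unbounded(const LzwModel *m, int code, uint8_t *out, size_t out_len)
{
    int c = code;
    size_t n = 0;
    for (;;) {
        if (n < out_len) out[n] = m->code_table[c].index;
        n++;
        if (c < m->n_roots) break;
        c = m->code_table[c].extends; /* 10 -> 11 -> 10 -> ... never reaches a root */
    }
    return (int)n;
}

/* Checked walk with two independent guards: (1) every link must point to a
 * strictly smaller code, so a link that does not shorten the string means the
 * table is malformed; (2) the hop count is bounded by the table size anyway.
 * Returns the string length written to `out` in reading order, or -1 for a
 * malformed table, an out-of-range code, or insufficient output space. */
int
write_indexes_checked(const LzwModel *m, int code, uint8_t *out, size_t out_len)
{
    uint8_t tmp[TABLE_SIZE];
    size_t n = 0;
    int c = code;

    for (;;) {
        if (c < 0 || c >= TABLE_SIZE || n >= sizeof tmp)
            return -1;                 /* out-of-range code or over-long chain */
        tmp[n++] = m->code_table[c].index;
        if (c < m->n_roots)
            break;                     /* reached a root: string complete */
        int next = m->code_table[c].extends;
        if (next >= c)
            return -1;                 /* link does not shorten the string: cycle */
        c = next;
    }
    if (n > out_len)
        return -1;
    for (size_t i = 0; i < n; i++)     /* chain was collected back-to-front */
        out[i] = tmp[n - 1 - i];
    return (int)n;
}

/* Table reconstructed from the report's gdb dump: roots 0..9 and the two
 * mutually linked entries 10 and 11. Entry 12 is a constructed well-formed
 * entry (pixel 2 appended to root 5) so the checked walk has a success case. */
void
build_reported_table(LzwModel *m)
{
    memset(m, 0, sizeof *m);
    m->n_roots = 10;
    for (int i = 0; i < 10; i++) {
        m->code_table[i].index = (uint8_t)i;
        m->code_table[i].extends = 9;  /* as dumped; roots end the walk regardless */
    }
    m->code_table[10].index = 1; m->code_table[10].extends = 11;
    m->code_table[11].index = 1; m->code_table[11].extends = 10;
    m->code_table[12].index = 2; m->code_table[12].extends = 5;  /* constructed */
}

static uint8_t g_out[TABLE_SIZE];

/* Decode `code` against the reported table with the checked walk; the
 * resulting pixel indexes are left in g_out for inspection. */
int
decode_on_reported_table(int code)
{
    LzwModel m;
    build_reported_table(&m);
    return write_indexes_checked(&m, code, g_out, sizeof g_out);
}

int
decoded_byte(size_t i)
{
    return g_out[i];
}
```

Guard (1) already implies guard (2), since a strictly decreasing code index cannot take more than TABLE_SIZE hops; keeping the hop bound as well means a future change to the table invariant turns a hang into a decode error rather than a busy loop in a thumbnailer.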