GNOME / gdk-pixbuf / Issues / #164 (Closed)
Issue created Nov 29, 2020 by melvin@melvinkool.nl via GitLab Support Bot@support-bot

endless loop in the write_indexes function in gdk-pixbuf/lzw.c (from melvin@melvinkool.nl)

Original reporter: Melvin Kool

Area: Application

Message

Dear Gnome security team,

We are fuzzing gdk-pixbuf for a university project. So far we found approx. 289 hangs and 439 crashes, of which one crash and one hang are interesting. The hang results in an endless loop in the write_indexes function in gdk-pixbuf/lzw.c.

When c = self->code = 10, in the while loop it will assign self->code_table[10].extends to c, which is 11. After that it assigns self->code_table[11].extends = 10 to c, so the loop will run forever and take full CPU resources. We are still investigating the interesting crash, which is probably a signed integer overflow in GIF images. I have a file available on my computer that triggers the denial of service.

My PGP key fingerprint is: b27668e77e4184273865660fec403209c3fdd742

Full stacktrace:

#0 0x00007ffff4f62d98 in write_indexes (output_length=1018, output=0x5555557672f6 "", self=0x555555786260) at ../gdk-pixbuf/lzw.c:90
#1 0x00007ffff4f62d98 in lzw_decoder_feed (self=self@entry=0x555555786260, input=, input_length=, output=output@entry=0x5555557672f0 "\001\001\001\001\001\001", output_length=1024) at ../gdk-pixbuf/lzw.c:212
#2 0x00007ffff4f61fa4 in composite_frame (anim=0x5555557780c0, frame=0x5555557735a0) at ../gdk-pixbuf/io-gif-animation.c:367
#3 0x00007ffff4f625e9 in gdk_pixbuf_gif_anim_iter_get_pixbuf (anim_iter=anim_iter@entry=0x55555575a1e0) at ../gdk-pixbuf/io-gif-animation.c:428
#4 0x00007ffff4f6281a in gdk_pixbuf_gif_anim_get_static_image (animation=) at ../gdk-pixbuf/io-gif-animation.c:117
#5 0x00007ffff4f61289 in gif_get_lzw (context=0x555555772da0) at ../gdk-pixbuf/io-gif.c:467
#6 0x00007ffff4f61289 in gif_main_loop (context=context@entry=0x555555772da0) at ../gdk-pixbuf/io-gif.c:760
#7 0x00007ffff4f61b2f in gdk_pixbuf__gif_image_load_increment (data=0x555555772da0, buf=, size=, error=) at ../gdk-pixbuf/io-gif.c:958
#8 0x00007ffff7bbcc9b in gdk_pixbuf_loader_load_module (loader=loader@entry=0x5555557650c0, image_type=image_type@entry=0x0, error=error@entry=0x7fffffffe390) at ../gdk-pixbuf/gdk-pixbuf-loader.c:467
#9 0x00007ffff7bbd7f9 in gdk_pixbuf_loader_eat_header_write (error=0x7fffffffe390, count=5561, buf=0x7ffffffee2f0 "GIF89a", loader=0x5555557650c0) at ../gdk-pixbuf/gdk-pixbuf-loader.c:489
#10 0x00007ffff7bbd7f9 in gdk_pixbuf_loader_write (loader=loader@entry=0x5555557650c0, buf=buf@entry=0x7ffffffee2f0 "GIF89a", count=5561, error=error@entry=0x7fffffffe390) at ../gdk-pixbuf/gdk-pixbuf-loader.c:535
#11 0x00007ffff7bbac06 in gdk_pixbuf_new_from_file_at_scale (filename=0x55555576c100 "/home/azureuser/findings_melvin/hang_114", width=, height=, preserve_aspect_ratio=preserve_aspect_ratio@entry=1, error=error@entry=0x7fffffffe390) at ../gdk-pixbuf/gdk-pixbuf-io.c:1408
#12 0x00007ffff7bbaddd in gdk_pixbuf_new_from_file_at_size (filename=, width=, height=, error=error@entry=0x7fffffffe390) at ../gdk-pixbuf/gdk-pixbuf-io.c:1240
#13 0x0000555555555731 in file_to_pixbuf (path=, destination_size=, error=0x7fffffffe390) at ../thumbnailer/gdk-pixbuf-thumbnailer.c:35
#14 0x0000555555555408 in main (argc=, argv=) at ../thumbnailer/gnome-thumbnailer-skeleton.c:281
(gdb) p self->code_table
$28 = {{index = 0 '\000', extends = 9}, {index = 1 '\001', extends = 9}, {index = 2 '\002', extends = 9},
       {index = 3 '\003', extends = 9}, {index = 4 '\004', extends = 9}, {index = 5 '\005', extends = 9},
       {index = 6 '\006', extends = 9}, {index = 7 '\a', extends = 9}, {index = 8 '\b', extends = 9},
       {index = 9 '\t', extends = 9}, {index = 1 '\001', extends = 11}, {index = 1 '\001', extends = 10},
       {index = 0 '\000', extends = 0} }

Should I file a CVE for this issue, since it's possible to trigger this crash from the file manager in Fedora with GNOME, Chromium, Thunderbird, Firefox, Discord etc.?

Kind regards, Melvin Kool

Edited Nov 29, 2020 by Andre Klapper
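The report describes a decoder that follows the `extends` chain of an LZW code table until it reaches a root, so a table in which two entries point at each other (code 10 extends 11, code 11 extends 10) never terminates. The following is an added, self-contained C illustration of the defensive check a decoder can apply: it is not gdk-pixbuf's own `write_indexes` or its table layout, and the `CodeEntry` type, the `ROOT_CODE` sentinel and both sample tables are constructed here for the example. The idea is that a consistent table can never need more hops than it has entries, so a walk that exceeds the table size proves corruption and the decoder returns an error instead of spinning at 100% CPU.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a GIF/LZW code-table entry: the colour index the
 * code ends with, plus the code it extends (its prefix).  Illustrative only;
 * these are not gdk-pixbuf's definitions. */
typedef struct {
    uint8_t  index;
    uint16_t extends;
} CodeEntry;

#define ROOT_CODE  0xFFFF   /* assumed sentinel: this code has no prefix */
#define MAX_CODES  4096     /* GIF LZW codes are at most 12 bits wide    */

/* Expand `code` by walking its prefix chain and writing the colour indexes
 * into `output` in forward order.  Returns the number of bytes written, or 0
 * if the table is malformed or the output buffer is too small.  The hop
 * counter is the defensive part: a walk longer than n_entries can only mean
 * a cycle (such as 10 -> 11 -> 10), so we bail out rather than loop forever. */
size_t write_indexes_bounded(const CodeEntry *table, size_t n_entries,
                             uint16_t code, uint8_t *output,
                             size_t output_length)
{
    size_t len = 0;
    uint16_t c = code;

    /* Pass 1: measure the chain, bounding the walk by the table size. */
    while (c != ROOT_CODE) {
        if (c >= n_entries)        /* dangling reference past the table */
            return 0;
        if (++len > n_entries)     /* more hops than entries: a cycle   */
            return 0;
        c = table[c].extends;
    }
    if (len == 0 || len > output_length)
        return 0;

    /* Pass 2: the chain yields the last index first, so fill backwards. */
    c = code;
    for (size_t i = len; i > 0; i--) {
        output[i - 1] = table[c].index;
        c = table[c].extends;
    }
    return len;
}

/* Sample tables, constructed for this example. */

/* A consistent table: codes 0-3 are roots, code 4 = "1 2", code 5 = "1 2 3". */
static const CodeEntry good_table[] = {
    {0, ROOT_CODE}, {1, ROOT_CODE}, {2, ROOT_CODE}, {3, ROOT_CODE},
    {2, 1},   /* code 4: extends code 1 with index 2 */
    {3, 4},   /* code 5: extends code 4 with index 3 */
};

/* The shape from the report: codes 10 and 11 extend each other. */
static const CodeEntry cyclic_table[] = {
    {0, ROOT_CODE}, {1, ROOT_CODE}, {2, ROOT_CODE}, {3, ROOT_CODE},
    {4, ROOT_CODE}, {5, ROOT_CODE}, {6, ROOT_CODE}, {7, ROOT_CODE},
    {8, ROOT_CODE}, {9, ROOT_CODE},
    {1, 11},  /* code 10 extends code 11 ... */
    {1, 10},  /* ... and code 11 extends code 10: a cycle */
};

/* Scratch output buffer shared by the demonstration wrappers below. */
uint8_t scratch[MAX_CODES];

/* Expand a code from each table; returns bytes written (0 = rejected). */
size_t expand_good(uint16_t code, uint8_t *buf, size_t buflen)
{
    return write_indexes_bounded(good_table,
                                 sizeof good_table / sizeof good_table[0],
                                 code, buf, buflen);
}

size_t expand_cyclic(uint16_t code, uint8_t *buf, size_t buflen)
{
    return write_indexes_bounded(cyclic_table,
                                 sizeof cyclic_table / sizeof cyclic_table[0],
                                 code, buf, buflen);
}

int main(void)
{
    size_t n = expand_good(5, scratch, sizeof scratch);    /* writes 1 2 3  */
    size_t m = expand_cyclic(10, scratch, sizeof scratch); /* 0, no hang    */
    return (n == 3 && m == 0) ? 0 : 1;
}
```

Bounding the walk by the table size costs one counter and catches the cycle on the first expansion of the corrupt code; an alternative is to validate `extends` at the moment an entry is added (a new code may only extend an already-defined code), which rejects the corrupt table before any expansion runs.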