Denial of service with JPEG images
Original reporter: Sam Ezeh
Area: Platform component
Message
There's a denial of service vulnerability with gdk-pixbuf, affecting various GNOME components.
Steps to reproduce
- Create a 1 by 1 JPEG image (size isn't important)
- Modify the image file so that the listed size of the JPEG image has hex 0xfbfbfbfb (64507x64507). I did this by hand using GHex.
- Run
gsettings set org.gnome.desktop.background picture-uri file:///PATH/TO/IMAGE.jpg
GNOME crashes.
Additionally, if nautilus finds the jpeg file, GNOME crashes as nautilus automatically runs gdk-pixbuf-thumbnailer. Opening an email containing this image in Geary also caused GNOME to crash.
Because of those two events, I think this might also affect other components.
Explanation
While the true size of the image is very small, gdk-pixbuf attempts to allocate a very large amount of memory to store the pixel data.
Notes
It's possible the converse scenario of a larger image with a small listed size could lead to a buffer overflow, but I wasn't able to immediately find anything and I'd like to stress that I haven't yet seen evidence of this.
System Specification
OS: Arch Linux x86_64
Host: Inspiron 5593
Kernel: 5.16.2-arch1-1
GNOME Version: 41.3
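Added example, not part of the reporter's issue or of gdk-pixbuf: a header-only pre-check of the kind a thumbnailer or mail client could run before decoding. It reads the JPEG SOF (Start Of Frame) segment, computes the pixel buffer a decoder would have to allocate from the declared dimensions, and rejects files above a pixel budget. The MAX_PIXELS limit is an assumed policy value, and fake_jpeg_header builds constructed test input that mimics the 0xfbfb x 0xfbfb header from the report.

```python
import struct

# SOFn markers carry frame dimensions; 0xC4 (DHT), 0xC8 (JPG) and 0xCC (DAC)
# share the 0xC0-0xCF range but are not frame headers, so they are excluded.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
MAX_PIXELS = 50_000_000  # assumed policy limit, roughly 7000x7000 pixels


def jpeg_declared_size(data):
    """Return (width, height, components) from the first SOF segment; header only, no pixel buffer."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte in front of a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):  # EOI or SOS reached without a frame header
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS:
            # SOFn payload: precision(1) height(2) width(2) components(1)
            _, height, width, comps = struct.unpack(">BHHB", data[pos + 4:pos + 10])
            return width, height, comps
        pos += 2 + seg_len  # skip marker plus its length-prefixed payload
    raise ValueError("no SOF segment found")


def check_jpeg(data, max_pixels=MAX_PIXELS):
    """Report the buffer a decoder would allocate for this header and whether it is within budget."""
    width, height, comps = jpeg_declared_size(data)
    pixels = width * height
    return {"width": width, "height": height,
            "alloc_bytes": pixels * comps,  # what a naive decoder would request
            "safe": 0 < pixels <= max_pixels}


def fake_jpeg_header(width, height, comps=3):
    """Constructed test input: SOI + SOF0 claiming the given dimensions, no scan data."""
    comp_specs = b"".join(bytes([i + 1, 0x11, 0]) for i in range(comps))
    sof = struct.pack(">BHHB", 8, height, width, comps) + comp_specs
    return b"\xff\xd8" + b"\xff\xc0" + struct.pack(">H", len(sof) + 2) + sof


if __name__ == "__main__":
    print(check_jpeg(fake_jpeg_header(1, 1)))
    print(check_jpeg(fake_jpeg_header(0xFBFB, 0xFBFB)))  # ~12.5 GB, rejected
```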