Pixel data in XPM files consists of color characters. XPM allows up to 31 characters per pixel (cpp). If the file declares a width larger than G_MAXINT / cpp, the calculation of the memory required to parse a single line (wbytes) is a signed integer overflow. On common systems a signed integer overflow simply wraps around at the bit level, so a properly crafted file can overflow wbytes in a way that leaves it positive again, which leads to a "successful" parsing of the XPM file. The pixel values themselves are never assigned by gdk-pixbuf code, so the resulting image carries whatever raw memory malloc returned. Depending on the application, this may leak sensitive information through the pixel values.

Proof of Concept:

```c
/* XPM */
static char * poc_xpm[] = {
"138547333 1 1 31",
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx c None",
"---------------------------"};
```
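The check the text calls for, as an added example that is not gdk-pixbuf's own code: the row size is computed with the width-bound test against G_MAXINT / cpp (G_MAXINT is assumed equal to INT_MAX here), and the header line from the PoC above is used as constructed input to show that it is rejected, while an unchecked 32-bit product of the same values wraps to the small positive value 27.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* XPM permits at most 31 characters per pixel. */
#define XPM_MAX_CPP 31

/* Overflow-checked computation of the bytes needed for one row of pixel
 * characters (width * cpp). Returns -1 when the product does not fit in
 * an int, which is the condition the unchecked loader misses. */
int xpm_row_bytes(int width, int cpp) {
    if (width <= 0 || cpp <= 0 || cpp > XPM_MAX_CPP)
        return -1;
    if (width > INT_MAX / cpp)   /* G_MAXINT / cpp bound from the advisory */
        return -1;
    return width * cpp;
}

/* What a wrapping 32-bit multiplication yields for the same inputs: the
 * 64-bit product truncated to 32 bits. Used only to illustrate why the
 * oversized width passes as a small, positive wbytes. */
int xpm_row_bytes_wrapped(int width, int cpp) {
    uint64_t product = (uint64_t)width * (uint64_t)cpp;
    return (int)(uint32_t)product;
}

/* Parse an XPM "values" line "<width> <height> <ncolors> <cpp>" and
 * validate it. Returns the checked row size, or -1 for a malformed
 * header or an overflowing width/cpp combination. */
int xpm_validate_header(const char *values) {
    int width, height, ncolors, cpp;
    if (sscanf(values, "%d %d %d %d", &width, &height, &ncolors, &cpp) != 4)
        return -1;
    if (height <= 0 || ncolors <= 0)
        return -1;
    return xpm_row_bytes(width, cpp);
}

/* Constructed sample headers: the PoC values line and a benign one. */
static const char *poc_values    = "138547333 1 1 31";
static const char *benign_values = "16 16 2 1";

int main(void) {
    printf("PoC header    -> %d\n", xpm_validate_header(poc_values));
    printf("benign header -> %d\n", xpm_validate_header(benign_values));
    printf("wrapped wbytes -> %d\n", xpm_row_bytes_wrapped(138547333, 31));
    return 0;
}
```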