Commit 8dba67cb authored by Benjamin Otte's avatar Benjamin Otte

pixops: Fix oversight for CVE-2015-4491

The n_x variable could be made large enough to overflow, too.

Also included are various testcases for this vulnerability:
- The original exploit (adapted for the testsuite)
- Causing overflow by making both X and Y variables large
- Causing overflow using only the X variable
- Causing overflow using only the Y variable

https://bugzilla.gnome.org/show_bug.cgi?id=752297
parent 0ed6637e
......@@ -1275,7 +1275,11 @@ make_filter_table (PixopsFilter *filter)
gsize n_weights;
int *weights;
n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
n_weights = SUBSAMPLE * SUBSAMPLE * n_x;
if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x)
return NULL; /* overflow, bail */
n_weights *= n_y;
if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
return NULL; /* overflow, bail */
......
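Review bot: The overflow checks on the new `n_weights` lines run only after the multiplication has already been done in `int`: `SUBSAMPLE * SUBSAMPLE * n_x` is evaluated with int operands (assuming SUBSAMPLE is a plain integer macro, which this hunk does not show) before the result is widened into the gsize `n_weights`, so for the 2^24-wide source the new test feeds in the product is a signed overflow — undefined behaviour — and `n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x` only catches it because the compiler happened to wrap. The same int product is the divisor of the second check, which also divides by zero if `n_x` is 0 — a case that check already could not tolerate before this change. Doing the bound check before the multiply, in gsize arithmetic, removes the dependence on wrap-around; the rewrite below keeps the `return NULL` contract and the `n_x`, `n_y` > 0 requirement the existing divisor already implies. make_filter_table begins before this hunk and the allocation that consumes `n_weights` comes after it, so I cannot see whether callers handle the NULL return.
```c
  /* Widen before multiplying: SUBSAMPLE * SUBSAMPLE * n_x in int is a
   * signed overflow (undefined) before any post-hoc check can see it. */
  if (n_x <= 0 || n_y <= 0 ||
      (gsize) n_x > G_MAXSIZE / (SUBSAMPLE * SUBSAMPLE))
    return NULL; /* overflow, bail */
  n_weights = (gsize) SUBSAMPLE * SUBSAMPLE * n_x;
  if ((gsize) n_y > G_MAXSIZE / n_weights)
    return NULL; /* overflow, bail */
  n_weights *= n_y;
```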
......@@ -24,6 +24,7 @@ noinst_PROGRAMS += \
test_programs = \
animation \
cve-2015-4491 \
pixbuf-icon-serialize \
pixbuf-randomly-modified \
pixbuf-threads \
......@@ -54,6 +55,12 @@ dist_installed_test_data = \
bug725582-testrotate.png \
$(wildcard $(srcdir)/test-images/*)
cve_2015_4491_SOURCES = \
cve-2015-4491.c \
resources.h \
resources.c \
$(NULL)
pixbuf_icc_SOURCES = \
pixbuf-icc.c \
test-common.c \
......
/* GdkPixbuf library - test compositing
*
* Copyright (C) 2015 Red Hat, Inc.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*
* Author: Benjamin Otte
*/
#include <gdk-pixbuf.h>
static void
test_original (void)
{
GdkPixbuf* buf;
int size = 32;
GError* err = NULL;
buf = gdk_pixbuf_new_from_resource_at_scale ("/test/resource/cve-2015-4491.bmp", size, size, FALSE, &err);
g_assert_no_error (err);
g_object_unref (buf);
}
static void
test_scale_overflow (void)
{
GdkPixbuf *src, *dest;
src = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, 1 << 12, 1 << 12);
dest = gdk_pixbuf_scale_simple (src, 1, 1, GDK_INTERP_BILINEAR);
g_object_unref (dest);
g_object_unref (src);
}
static void
test_scalex_overflow (void)
{
GdkPixbuf *src, *dest;
src = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, (((guint) G_MAXINT) + 1) >> 7, 1);
dest = gdk_pixbuf_scale_simple (src, 1, 1, GDK_INTERP_BILINEAR);
g_object_unref (dest);
g_object_unref (src);
}
static void
test_scaley_overflow (void)
{
GdkPixbuf *src, *dest;
src = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, 1, (((guint) G_MAXINT) + 1) >> 7);
dest = gdk_pixbuf_scale_simple (src, 1, 1, GDK_INTERP_BILINEAR);
g_object_unref (dest);
g_object_unref (src);
}
int
main (int argc, char *argv[])
{
g_test_init (&argc, &argv, NULL);
g_test_add_func ("/pixbuf/cve-2015-4491/original", test_original);
g_test_add_func ("/pixbuf/cve-2015-4491/scale-overflow", test_scale_overflow);
g_test_add_func ("/pixbuf/cve-2015-4491/scale-x-overflow", test_scalex_overflow);
g_test_add_func ("/pixbuf/cve-2015-4491/scale-y-overflow", test_scaley_overflow);
return g_test_run ();
}
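Review bot: The three scale tests rely on `g_object_unref (NULL)` raising a critical (which g_test_init makes fatal) as their only check that `gdk_pixbuf_new` and `gdk_pixbuf_scale_simple` succeeded; an explicit `g_assert (src != NULL);` after each `gdk_pixbuf_new` and `g_assert (dest != NULL);` after each `gdk_pixbuf_scale_simple` states the expected outcome, fails with a readable message instead of a g_critical trace, and documents that a NULL `dest` counts as a failure here — which I cannot tell from the calls alone, given that the fixed make_filter_table bails with NULL and I cannot see whether that propagates to scale_simple. The 2^24-by-1 and 4096-by-4096 RGBA sources are each roughly 64 MiB, so a failed `gdk_pixbuf_new` on a memory-constrained runner would currently be reported as this CVE regressing rather than as an allocation problem, which the separate assert on `src` at least makes distinguishable. Only GDK_INTERP_BILINEAR is exercised; if TILES and HYPER go through the same filter-table path the fix covers, looping the `gdk_pixbuf_scale_simple` call over those modes would cover them too. The header comment still says `test compositing`, apparently copied from another test; `test scaling overflow (CVE-2015-4491)` describes what this file does.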
......@@ -3,6 +3,7 @@
<gresource prefix="/test/resource">
<file>icc-profile.png</file>
<file preprocess="to-pixdata" alias="icc-profile.pixdata">icc-profile.png</file>
<file>cve-2015-4491.bmp</file>
</gresource>
</gresources>