GNOME / GIMP / Issues / #8120 (Closed)
Issue created Apr 25, 2022 by Loeng@gdmzyzl

GIMP 2.10.30 crashes when allocating large memory

Environment/Versions

  • GIMP version: 2.10.30 and 2.99.10
  • Package: https://download.gimp.org/pub/gimp/v2.10/gimp-2.10.30.tar.bz2 and https://download.gimp.org/pub/gimp/v2.99/gimp-2.99.10.tar.bz2
  • Operating System: Ubuntu 21.10

Description of the bug

Through a crafted XCF file, the program allocates a huge amount of memory, resulting in memory exhaustion or a program crash. The ASAN report:

```
==286446==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xab9e16000 bytes
    #0 0x7f0dfc859a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x7f0dfbbd45b0 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e5b0)
    #2 0x562b862c20a7 in xcf_load_old_paths /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf-load.c:2724
    #3 0x562b862b8ca6 in xcf_load_image_props /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf-load.c:1055
    #4 0x562b862b4586 in xcf_load_image /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf-load.c:253
    #5 0x562b862b267e in xcf_load_stream /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf.c:315
    #6 0x562b862b3630 in xcf_load_invoker /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf.c:445
    #7 0x562b863c33ac in gimp_procedure_real_execute /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/pdb/gimpprocedure.c:213
    #8 0x562b863eda5d in gimp_plug_in_procedure_execute /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/plug-in/gimppluginprocedure.c:417
    #9 0x562b863c50d0 in gimp_procedure_execute /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/pdb/gimpprocedure.c:431
    #10 0x562b863b6325 in gimp_pdb_execute_procedure_by_name_args /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/pdb/gimppdb.c:322
    #11 0x562b863b77d0 in gimp_pdb_execute_procedure_by_name /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/pdb/gimppdb.c:451
    #12 0x562b866a9998 in file_open_image /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/file/file-open.c:217
    #13 0x562b866ab9db in file_open_with_proc_and_display /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/file/file-open.c:522
    #14 0x562b866ab2f2 in file_open_with_display /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/file/file-open.c:492
    #15 0x562b866acc28 in file_open_from_command_line /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/file/file-open.c:706
    #16 0x562b862aa21a in app_run /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/app.c:417
    #17 0x562b862b0bc1 in main /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/main.c:656
    #18 0x7f0dfb7d7fcf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

==286446==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 in __interceptor_calloc
==286446==ABORTING
```

The reason: a missing size check for num_points.

```c
//gimp-2.10.30/app/xcf/xcf-load.c:2755
xcf_read_int32  (info, &num_points, 1);
....
//gimp-2.10.30/app/xcf/xcf-load.c:2780
if (num_points == 0)
    {
      g_free (name);
      return FALSE;
    }

  points = g_new0 (GimpVectorsCompatPoint, num_points);
```

```
Thread 1 "gimp-console-2." hit Breakpoint 1, xcf_load_old_path (image=0x555555a16860, info=0x7fffffffda90) at xcf-load.c:2787
2787      points = g_new0 (GimpVectorsCompatPoint, num_points);
(gdb) p/x num_points
$1 = 0x72696400
(gdb) n

(gimp-console-2.10:287033): GLib-ERROR **: 19:00:44.570: ../../../glib/gmem.c:142: failed to allocate 46068228096 bytes
```

Reproduction

Is the bug reproducible? Always

Reproduction steps:

  1. download the crafted XCF file: https://github.com/leung-yao/poc/raw/main/poc%20for%20gimp (poc_for_gimp)
  2. compile gimp 2.10.30 with console, my compiler command:

     ```sh
     PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$HOME/fuzzing_gimp/gegl-0.4.36/  ./configure --disable-gtktest --disable-glibtest --disable-alsatest --disable-nls --without-libtiff --without-libjpeg --without-bzip2 --without-gs --without-libpng --without-libmng --without-libexif --without-aa --without-libxpm --without-webkit --without-librsvg --without-print --without-poppler --without-cairo-pdf --without-gvfs --without-libcurl --without-wmf --without-libjasper --without-alsa --without-gudev --disable-python --enable-gimp-console --without-mac-twain --without-script-fu --without-gudev --without-dbus --disable-mp --without-linux-input --without-xvfb-run --with-gif-compression=none --without-xmc --with-shm=none --enable-debug  --prefix="$HOME/fuzzing_gimp/gimp-2.10.30/install"
     make
     make install
     ```

  3. use gimp console
  4. ./gimp-console-2.10 -d -f [poc file]

Expected result: normal

Actual result: crash

Additional information

GIMP 2.99.10 is also crashed by this XCF file.
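A defensive reader for the situation described in the report, added here as an example that is not GIMP's own code: before allocating for an untrusted `num_points`, it checks that the count is consistent with the bytes that actually remain, so a crafted header cannot drive a multi-gigabyte `calloc`. The 12-byte point layout, the function names and the two sample buffers are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed on-disk layout of one path point: type, x, y as big-endian int32
 * (12 bytes). An assumption for this example, not GIMP's actual XCF layout. */
#define POINT_SIZE 12
typedef struct { int32_t type, x, y; } CompatPoint;

static int32_t read_be32 (const uint8_t *p)
{
  return (int32_t) (((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
                    ((uint32_t) p[2] << 8)  |  (uint32_t) p[3]);
}

/* Read num_points, then that many points. Returns the count, or -1 when the
 * header claims more points than the remaining bytes can hold: the allocation
 * is bounded by data actually present, not by an untrusted 32-bit count. */
int load_old_path_points (const uint8_t *buf, size_t len, CompatPoint **out)
{
  if (len < 4) return -1;
  uint32_t num_points = (uint32_t) read_be32 (buf);
  size_t   remaining  = len - 4;
  /* Divide instead of multiply so the comparison itself cannot overflow. */
  if (num_points == 0 || num_points > remaining / POINT_SIZE)
    return -1;
  CompatPoint *pts = calloc (num_points, sizeof *pts);
  if (pts == NULL) return -1;
  for (uint32_t i = 0; i < num_points; i++)
    {
      const uint8_t *p = buf + 4 + (size_t) i * POINT_SIZE;
      pts[i].type = read_be32 (p);
      pts[i].x    = read_be32 (p + 4);
      pts[i].y    = read_be32 (p + 8);
    }
  *out = pts;
  return (int) num_points;
}
/* Constructed inputs: a consistent header (2 points, 24 bytes of point data),
 * and the count from the report (0x72696400) followed by a single point. */
static const uint8_t GOOD[] = { 0,0,0,2, 0,0,0,1, 0,0,0,10, 0,0,0,20,
                                         0,0,0,1, 0,0,0,30, 0,0,0,40 };
static const uint8_t BAD[]  = { 0x72,0x69,0x64,0x00, 0,0,0,1, 0,0,0,2, 0,0,0,3 };
/* Parse a buffer and release the result; returns the count or -1 on rejection. */
int check_sample (const uint8_t *buf, size_t len)
{
  CompatPoint *pts = NULL;
  int n = load_old_path_points (buf, len, &pts);
  free (pts);
  return n;
}
```

Applied to the report's value, 0x72696400 points would need more than 23 GB of input behind the header, so the crafted file is rejected before any allocation instead of reaching the allocator.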
