GIMP 2.10.30 crashed when allocate large memory
Environment/Versions
- GIMP version:2.10.30 and 2.99.10
- Package: https://download.gimp.org/pub/gimp/v2.10/gimp-2.10.30.tar.bz2
https://download.gimp.org/pub/gimp/v2.99/gimp-2.99.10.tar.bz2
- Operating System: Ubuntu 21.10
Description of the bug
Through a crafted XCF file, the program will allocate for a huge amount of memory, resulting in insufficient memory or program crash. This ASAN report:
==286446==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xab9e16000 bytes
#0 0x7f0dfc859a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x7f0dfbbd45b0 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e5b0)
#2 0x562b862c20a7 in xcf_load_old_paths /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf-load.c:2724
#3 0x562b862b8ca6 in xcf_load_image_props /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf-load.c:1055
#4 0x562b862b4586 in xcf_load_image /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf-load.c:253
#5 0x562b862b267e in xcf_load_stream /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf.c:315
#6 0x562b862b3630 in xcf_load_invoker /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf.c:445
#7 0x562b863c33ac in gimp_procedure_real_execute /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/pdb/gimpprocedure.c:213
#8 0x562b863eda5d in gimp_plug_in_procedure_execute /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/plug-in/gimppluginprocedure.c:417
#9 0x562b863c50d0 in gimp_procedure_execute /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/pdb/gimpprocedure.c:431
#10 0x562b863b6325 in gimp_pdb_execute_procedure_by_name_args /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/pdb/gimppdb.c:322
#11 0x562b863b77d0 in gimp_pdb_execute_procedure_by_name /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/pdb/gimppdb.c:451
#12 0x562b866a9998 in file_open_image /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/file/file-open.c:217
#13 0x562b866ab9db in file_open_with_proc_and_display /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/file/file-open.c:522
#14 0x562b866ab2f2 in file_open_with_display /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/file/file-open.c:492
#15 0x562b866acc28 in file_open_from_command_line /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/file/file-open.c:706
#16 0x562b862aa21a in app_run /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/app.c:417
#17 0x562b862b0bc1 in main /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/main.c:656
#18 0x7f0dfb7d7fcf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
==286446==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 in __interceptor_calloc
==286446==ABORTING
The reason: Missing size check for num_points
//gimp-2.10.30/app/xcf/xcf-load.c:2755
xcf_read_int32 (info, &num_points, 1);
....
//gimp-2.10.30/app/xcf/xcf-load.c:2780
if (num_points == 0)
{
g_free (name);
return FALSE;
}
points = g_new0 (GimpVectorsCompatPoint, num_points);
Thread 1 "gimp-console-2." hit Breakpoint 1, xcf_load_old_path (image=0x555555a16860, info=0x7fffffffda90) at xcf-load.c:2787 2787 points = g_new0 (GimpVectorsCompatPoint, num_points); (gdb) p/x num_points $1 = 0x72696400 (gdb) n
(gimp-console-2.10:287033): GLib-ERROR **: 19:00:44.570: ../../../glib/gmem.c:142: failed to allocate 46068228096 bytes
Reproduction
Is the bug reproducible? Always Reproduction steps:
- download the crafted XCF file:https://github.com/leung-yao/poc/raw/main/poc%20for%20gimp poc_for_gimp
- compiler gimp 2.10.30 with console, my compiler command:
PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$HOME/fuzzing_gimp/gegl-0.4.36/ ./configure --disable-gtktest --disable-glibtest --disable-alsatest --disable-nls --without-libtiff --without-libjpeg --without-bzip2 --without-gs --without-libpng --without-libmng --without-libexif --without-aa --without-libxpm --without-webkit --without-librsvg --without-print --without-poppler --without-cairo-pdf --without-gvfs --without-libcurl --without-wmf --without-libjasper --without-alsa --without-gudev --disable-python --enable-gimp-console --without-mac-twain --without-script-fu --without-gudev --without-dbus --disable-mp --without-linux-input --without-xvfb-run --with-gif-compression=none --without-xmc --with-shm=none --enable-debug --prefix="$HOME/fuzzing_gimp/gimp-2.10.30/install"
make
make install
- use gimp console
- ./gimp-console-2.10 -d -f [poc file]
Expected result:normal
Additional information
gimp2.99.10 also will crashed by this xcf file.