Your message dated Wed, 18 May 2016 02:20:33 +0200
with message-id <[email protected]>
and subject line Re: fixed upstream, fixed in debian
has caused the Debian Bug report #795277,
regarding libgdk-pixbuf2.0-0: Unhandled integer-overflow leads to segmentation fault
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
795277: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795277
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgdk-pixbuf2.0-0
Version: 2.31.1
Severity: important

Dear Maintainer,

I would like to report a bug where a large image can 
cause an overflow which is unhandled. This results in a segmentation fault.

The bug affects the gdk_pixbuf_add_alpha() function in gdk-pixbuf-util.c
when using a grayscale image with a resolution of 27k x 27k pixels.

Both y and pixbuf->rowstride are int variables, therefore the result of the
multiplication is an int too.
With a rowstride of 108000 and y greater than approx. 18000, the product doesn't fit in this variable.

The patch could be to change those two lines from
src = src_pixels + y * pixbuf->rowstride;
dest = ret_pixels + y * new_pixbuf->rowstride;

to

src = src_pixels + (unsigned long)y * pixbuf->rowstride;
dest = ret_pixels + (unsigned long)y * new_pixbuf->rowstride;

Furthermore there should be a check added to ensure the multiplication doesn't
exceed ULONG_MAX.

Please see attached the backtrace.

This bug has been reported some days ago by me to Inkscape without knowing that 
this package here was the real problem:
https://bugs.launchpad.net/inkscape/+bug/1483061

Best regards
[New Thread 0x7fffe3030700 (LWP 84746)]

Program received signal SIGSEGV, Segmentation fault.
0x00000000006ce2d0 in convert_pixels_pixbuf_to_argb32 (data=0x7ffdfe07a010 "", 
w=27000, 
    h=27000, stride=108000) at display/cairo-utils.cpp:1213
1213                *px = argb32_from_pixbuf(*px);
(gdb) bt
#0  0x00000000006ce2d0 in convert_pixels_pixbuf_to_argb32 (data=0x7ffdfe07a010 
"", w=27000, 
    h=27000, stride=108000) at display/cairo-utils.cpp:1213
#1  0x00000000006cb4c9 in Inkscape::Pixbuf::ensurePixelFormat (this=0x79550f0, 
    fmt=Inkscape::Pixbuf::PF_CAIRO) at display/cairo-utils.cpp:488
#2  0x00000000006cb088 in Inkscape::Pixbuf::getSurfaceRaw (this=0x79550f0, 
convert_format=true)
    at display/cairo-utils.cpp:367
#3  0x00000000006f3d63 in Inkscape::DrawingImage::_renderItem (this=0x79881b0, 
dc=...)
    at display/drawing-image.cpp:123
#4  0x00000000006f7078 in Inkscape::DrawingItem::render (this=0x79881b0, 
dc=..., area=..., 
    flags=0, stop_at=0x0) at display/drawing-item.cpp:741
#5  0x00000000006f2c15 in Inkscape::DrawingGroup::_renderItem (this=0x7988080, 
dc=..., 
    area=..., flags=0, stop_at=0x0) at display/drawing-group.cpp:106
#6  0x00000000006f7078 in Inkscape::DrawingItem::render (this=0x7988080, 
dc=..., area=..., 
    flags=0, stop_at=0x0) at display/drawing-item.cpp:741
#7  0x00000000006f2c15 in Inkscape::DrawingGroup::_renderItem (this=0x36a0350, 
dc=..., 
    area=..., flags=0, stop_at=0x0) at display/drawing-group.cpp:106
#8  0x00000000006f7078 in Inkscape::DrawingItem::render (this=0x36a0350, 
dc=..., area=..., 
    flags=0, stop_at=0x0) at display/drawing-item.cpp:741
#9  0x00000000006ee57e in Inkscape::Drawing::render (this=0x36fc108, dc=..., 
area=..., flags=0)
    at display/drawing.cpp:173
#10 0x00000000006d0d39 in sp_canvas_arena_render (item=0x36fc040, 
buf=0x7fffffffd850)
    at display/canvas-arena.cpp:222
#11 0x00000000007414da in SPCanvasGroup::render (item=0x36378e0, 
buf=0x7fffffffd850)
    at display/sp-canvas.cpp:1132
#12 0x00000000007414da in SPCanvasGroup::render (item=0x35d2840, 
buf=0x7fffffffd850)
    at display/sp-canvas.cpp:1132
#13 0x0000000000743290 in SPCanvasImpl::sp_canvas_paint_single_buffer 
(canvas=0x35da000, 
    paint_rect=..., canvas_rect=...) at display/sp-canvas.cpp:1906
#14 0x0000000000743681 in SPCanvasImpl::sp_canvas_paint_rect_internal 
(setup=0x7fffffffdcf0, 
    this_rect=...) at display/sp-canvas.cpp:2018
#15 0x00000000007439fe in SPCanvasImpl::sp_canvas_paint_rect_internal 
(setup=0x7fffffffdcf0, 
    this_rect=...) at display/sp-canvas.cpp:2069
---Type <return> to continue, or q <return> to quit--- 
#16 0x00000000007439fe in SPCanvasImpl::sp_canvas_paint_rect_internal 
(setup=0x7fffffffdcf0, 
    this_rect=...) at display/sp-canvas.cpp:2069
#17 0x00000000007439fe in SPCanvasImpl::sp_canvas_paint_rect_internal 
(setup=0x7fffffffdcf0, 
    this_rect=...) at display/sp-canvas.cpp:2069
#18 0x00000000007439fe in SPCanvasImpl::sp_canvas_paint_rect_internal 
(setup=0x7fffffffdcf0, 
    this_rect=...) at display/sp-canvas.cpp:2069
#19 0x0000000000743cea in SPCanvasImpl::sp_canvas_paint_rect (canvas=0x35da000, 
xx0=-752, 
    yy0=-704, xx1=432, yy1=16) at display/sp-canvas.cpp:2127
#20 0x00000000007442ab in SPCanvasImpl::paint (canvas=0x35da000) at 
display/sp-canvas.cpp:2267
#21 0x00000000007443fa in SPCanvasImpl::do_update (canvas=0x35da000)
    at display/sp-canvas.cpp:2302
#22 0x0000000000744479 in SPCanvasImpl::idle_handler (data=0x35da000)
    at display/sp-canvas.cpp:2318
#23 0x00007ffff67e3d97 in gdk_threads_dispatch (data=0x367df60)
    at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gdk/gdk.c:534
#24 0x00007ffff0ee7b6d in g_main_dispatch (context=0x18fd610)
    at /tmp/buildd/glib2.0-2.42.1/./glib/gmain.c:3111
#25 g_main_context_dispatch (context=context@entry=0x18fd610)
    at /tmp/buildd/glib2.0-2.42.1/./glib/gmain.c:3710
#26 0x00007ffff0ee7f48 in g_main_context_iterate (context=0x18fd610, 
block=block@entry=1, 
    dispatch=dispatch@entry=1, self=<optimized out>)
    at /tmp/buildd/glib2.0-2.42.1/./glib/gmain.c:3781
#27 0x00007ffff0ee8272 in g_main_loop_run (loop=0x3703a10)
    at /tmp/buildd/glib2.0-2.42.1/./glib/gmain.c:3975
#28 0x00007ffff6bac597 in IA__gtk_main ()
    at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gtk/gtkmain.c:1257
#29 0x000000000044ffc3 in sp_main_gui (argc=1, argv=0x7fffffffe338) at 
main.cpp:1075
#30 0x000000000044f580 in main (argc=1, argv=0x7fffffffe338) at main.cpp:789

--- End Message ---
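The following is an added example, not code from the bug report above or from gdk-pixbuf, illustrating the arithmetic the reporter describes: the row offset `y * rowstride` wraps when both operands are 32-bit ints, and a widened computation with an overflow and bounds check refuses the bad offset instead of producing a pointer outside the buffer. The function names (`row_offset_wrapped`, `row_offset_overflows_int`, `row_offset_checked`, `checked_offset_or_max`) are constructed for this example, and the checked variant relies on the GCC/Clang `__builtin_mul_overflow` builtin; the 27000 x 27000 image with rowstride 108000 comes from the report.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Row byte offset as the original code computed it: y * rowstride in int.
 * The product is formed in 64 bits and then truncated to 32 bits so the
 * wrap-around is reproduced without invoking undefined signed overflow. */
int32_t row_offset_wrapped(int32_t y, int32_t rowstride) {
    int64_t exact = (int64_t)y * (int64_t)rowstride;
    return (int32_t)(uint32_t)exact; /* what a 32-bit int multiply yields on two's-complement targets */
}

/* True when y * rowstride does not fit in a 32-bit int. */
bool row_offset_overflows_int(int32_t y, int32_t rowstride) {
    int64_t exact = (int64_t)y * (int64_t)rowstride;
    return exact > INT32_MAX || exact < INT32_MIN;
}

/* Hardened variant (example code): widen to size_t, refuse a product that
 * would wrap (the check the report asks for), and refuse an offset that
 * runs past the end of the pixel buffer. Returns false on either failure. */
bool row_offset_checked(size_t y, size_t rowstride, size_t buf_len, size_t *out) {
    size_t off;
    if (__builtin_mul_overflow(y, rowstride, &off)) /* GCC/Clang builtin */
        return false;
    if (off >= buf_len)
        return false;
    *out = off;
    return true;
}

/* Convenience wrapper: the checked offset, or SIZE_MAX when it is rejected. */
size_t checked_offset_or_max(size_t y, size_t rowstride, size_t buf_len) {
    size_t off;
    return row_offset_checked(y, rowstride, buf_len, &off) ? off : SIZE_MAX;
}

int main(void) {
    /* Constructed values from the report: 27000 rows, rowstride 108000 bytes. */
    const int32_t rows = 27000, stride = 108000;
    const size_t buf_len = (size_t)rows * (size_t)stride; /* 2,916,000,000 bytes */

    for (int32_t y = 19884; y <= 19885; y++)
        printf("y=%d: overflows int = %s\n", y,
               row_offset_overflows_int(y, stride) ? "yes" : "no");

    /* The last row of the image: the int computation yields a negative
     * offset, i.e. a pointer far before the buffer, which is the crash. */
    printf("y=%d: wrapped int offset = %d\n", rows, row_offset_wrapped(rows, stride));

    size_t off;
    if (row_offset_checked((size_t)rows - 1, stride, buf_len, &off))
        printf("checked offset for last row = %zu\n", off);
    if (!row_offset_checked((size_t)rows, stride, buf_len, &off))
        printf("row %d rejected: offset would be at or past buffer end\n", rows);
    return 0;
}
```

With the reported dimensions the int product first leaves the 32-bit range at y = 19885, and for the final row it wraps to a negative offset; the checked version accepts every in-range row and rejects both the wrap and any offset at or beyond the buffer length.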
--- Begin Message ---
Version: 2.31.7-1

On Wed, 9 Mar 2016 12:44:36 +0100 Andreas Henriksson <[email protected]>
wrote:
> Version: 2.31.7-1
> 
> Hello.
> 
> After this was forwarded upstream it was fixed and the new upstream release
> has since made it into Debian (a long time ago already).
> 
> Closing this bug now. Fix first appeared in version mentioned above.

Closing for real


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



--- End Message ---
