Package: libgdk-pixbuf2.0-0
Version: 2.31.1
Severity: important

Dear Maintainer,

I would like to report a bug where a large image can cause an overflow which is unhandled. This results in a segmentation fault.

The bug affects the gdk_pixbuf_add_alpha() function in gdk-pixbuf-util.c when using a grayscale image with a resolution of 27k x 27k pixels.

Both y and pixbuf->rowstride are int variables. Therefore the result of the multiplication is an int too.
A rowstride of 108000 and a y greater than approx. 18000 doesn't fit in this variable.

The patch could be to change those two lines from

    src = src_pixels + y * pixbuf->rowstride;
    dest = ret_pixels + y * new_pixbuf->rowstride;

to

    src = src_pixels + (unsigned long)y * pixbuf->rowstride;
    dest = ret_pixels + (unsigned long)y * new_pixbuf->rowstride;

Furthermore there should be a check added to ensure the multiplication doesn't exceed ULONG_MAX.

Please see attached the backtrace.

This bug has been reported some days ago by me to Inkscape without knowing that this package here was the real problem:
https://bugs.launchpad.net/inkscape/+bug/1483061

Best regards

[New Thread 0x7fffe3030700 (LWP 84746)]

Program received signal SIGSEGV, Segmentation fault.
0x00000000006ce2d0 in convert_pixels_pixbuf_to_argb32 (data=0x7ffdfe07a010 "", w=27000, 
    h=27000, stride=108000) at display/cairo-utils.cpp:1213
1213                *px = argb32_from_pixbuf(*px);
(gdb) bt
#0  0x00000000006ce2d0 in convert_pixels_pixbuf_to_argb32 (data=0x7ffdfe07a010 "", w=27000, 
    h=27000, stride=108000) at display/cairo-utils.cpp:1213
#1  0x00000000006cb4c9 in Inkscape::Pixbuf::ensurePixelFormat (this=0x79550f0, 
    fmt=Inkscape::Pixbuf::PF_CAIRO) at display/cairo-utils.cpp:488
#2  0x00000000006cb088 in Inkscape::Pixbuf::getSurfaceRaw (this=0x79550f0, convert_format=true)
    at display/cairo-utils.cpp:367
#3  0x00000000006f3d63 in Inkscape::DrawingImage::_renderItem (this=0x79881b0, dc=...)
    at display/drawing-image.cpp:123
#4  0x00000000006f7078 in Inkscape::DrawingItem::render (this=0x79881b0, dc=..., area=..., 
    flags=0, stop_at=0x0) at display/drawing-item.cpp:741
#5  0x00000000006f2c15 in Inkscape::DrawingGroup::_renderItem (this=0x7988080, dc=..., 
    area=..., flags=0, stop_at=0x0) at display/drawing-group.cpp:106
#6  0x00000000006f7078 in Inkscape::DrawingItem::render (this=0x7988080, dc=..., area=..., 
    flags=0, stop_at=0x0) at display/drawing-item.cpp:741
#7  0x00000000006f2c15 in Inkscape::DrawingGroup::_renderItem (this=0x36a0350, dc=..., 
    area=..., flags=0, stop_at=0x0) at display/drawing-group.cpp:106
#8  0x00000000006f7078 in Inkscape::DrawingItem::render (this=0x36a0350, dc=..., area=..., 
    flags=0, stop_at=0x0) at display/drawing-item.cpp:741
#9  0x00000000006ee57e in Inkscape::Drawing::render (this=0x36fc108, dc=..., area=..., flags=0)
    at display/drawing.cpp:173
#10 0x00000000006d0d39 in sp_canvas_arena_render (item=0x36fc040, buf=0x7fffffffd850)
    at display/canvas-arena.cpp:222
#11 0x00000000007414da in SPCanvasGroup::render (item=0x36378e0, buf=0x7fffffffd850)
    at display/sp-canvas.cpp:1132
#12 0x00000000007414da in SPCanvasGroup::render (item=0x35d2840, buf=0x7fffffffd850)
    at display/sp-canvas.cpp:1132
#13 0x0000000000743290 in SPCanvasImpl::sp_canvas_paint_single_buffer (canvas=0x35da000, 
    paint_rect=..., canvas_rect=...) at display/sp-canvas.cpp:1906
#14 0x0000000000743681 in SPCanvasImpl::sp_canvas_paint_rect_internal (setup=0x7fffffffdcf0, 
    this_rect=...) at display/sp-canvas.cpp:2018
#15 0x00000000007439fe in SPCanvasImpl::sp_canvas_paint_rect_internal (setup=0x7fffffffdcf0, 
    this_rect=...) at display/sp-canvas.cpp:2069
#16 0x00000000007439fe in SPCanvasImpl::sp_canvas_paint_rect_internal (setup=0x7fffffffdcf0, 
    this_rect=...) at display/sp-canvas.cpp:2069
#17 0x00000000007439fe in SPCanvasImpl::sp_canvas_paint_rect_internal (setup=0x7fffffffdcf0, 
    this_rect=...) at display/sp-canvas.cpp:2069
#18 0x00000000007439fe in SPCanvasImpl::sp_canvas_paint_rect_internal (setup=0x7fffffffdcf0, 
    this_rect=...) at display/sp-canvas.cpp:2069
#19 0x0000000000743cea in SPCanvasImpl::sp_canvas_paint_rect (canvas=0x35da000, xx0=-752, 
    yy0=-704, xx1=432, yy1=16) at display/sp-canvas.cpp:2127
#20 0x00000000007442ab in SPCanvasImpl::paint (canvas=0x35da000) at display/sp-canvas.cpp:2267
#21 0x00000000007443fa in SPCanvasImpl::do_update (canvas=0x35da000)
    at display/sp-canvas.cpp:2302
#22 0x0000000000744479 in SPCanvasImpl::idle_handler (data=0x35da000)
    at display/sp-canvas.cpp:2318
#23 0x00007ffff67e3d97 in gdk_threads_dispatch (data=0x367df60)
    at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gdk/gdk.c:534
#24 0x00007ffff0ee7b6d in g_main_dispatch (context=0x18fd610)
    at /tmp/buildd/glib2.0-2.42.1/./glib/gmain.c:3111
#25 g_main_context_dispatch (context=context@entry=0x18fd610)
    at /tmp/buildd/glib2.0-2.42.1/./glib/gmain.c:3710
#26 0x00007ffff0ee7f48 in g_main_context_iterate (context=0x18fd610, block=block@entry=1, 
    dispatch=dispatch@entry=1, self=<optimized out>)
    at /tmp/buildd/glib2.0-2.42.1/./glib/gmain.c:3781
#27 0x00007ffff0ee8272 in g_main_loop_run (loop=0x3703a10)
    at /tmp/buildd/glib2.0-2.42.1/./glib/gmain.c:3975
#28 0x00007ffff6bac597 in IA__gtk_main ()
    at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gtk/gtkmain.c:1257
#29 0x000000000044ffc3 in sp_main_gui (argc=1, argv=0x7fffffffe338) at main.cpp:1075
#30 0x000000000044f580 in main (argc=1, argv=0x7fffffffe338) at main.cpp:789
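To make the arithmetic in the report concrete, here is a small C program added by the editor (it is neither gdk-pixbuf's nor the reporter's code) that computes a row offset both the way the report describes, with int multiplication that wraps, and with a widened, bounds-checked variant; the function names and the buf_len parameter are assumptions for this demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Row offset as the reported code computes it: int * int. For the 27000x27000
   grayscale image (rowstride 108000) the product wraps once it passes INT_MAX.
   The wrap is emulated via a 32-bit truncation so this demo has no UB. */
static long row_offset_int(int y, int rowstride)
{
    int64_t product = (int64_t)y * rowstride;
    return (long)(int32_t)(uint32_t)product;   /* what the int result becomes */
}

/* Hardened variant (added here, not gdk-pixbuf's code): widen before multiplying,
   reject a product that would not fit in size_t, and reject offsets that reach
   past the buf_len bytes actually allocated. Returns 0 on success, -1 on error. */
static int row_offset_checked(int y, int rowstride, size_t buf_len, size_t *out)
{
    if (y < 0 || rowstride <= 0) return -1;
    size_t yy = (size_t)y, rs = (size_t)rowstride;
    if (yy > SIZE_MAX / rs) return -1;          /* y * rowstride would overflow */
    size_t off = yy * rs;
    if (off >= buf_len) return -1;              /* row starts beyond the buffer */
    *out = off;
    return 0;
}

/* Smallest row index at which the unchecked int product wraps. */
static int first_overflowing_row(int rowstride)
{
    return INT_MAX / rowstride + 1;
}

int main(void)
{
    const int rowstride = 108000, height = 27000;   /* values from the report */
    size_t buf_len = (size_t)rowstride * height, off;
    for (int y = 0; y < height; y++) {
        long wrapped = row_offset_int(y, rowstride);
        int rc = row_offset_checked(y, rowstride, buf_len, &off);
        if (wrapped < 0 || rc != 0) {
            printf("row %d: int offset wraps to %ld; checked offset %s\n",
                   y, wrapped, rc == 0 ? "still valid" : "rejected");
            break;
        }
    }
    printf("first overflowing row for rowstride %d: %d\n", rowstride, first_overflowing_row(rowstride));
    return 0;
}
```

On an LP64 system the loop stops at row 19885, where the int product has wrapped to a negative offset while the widened computation still yields a valid in-buffer address.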
