On Mon, 2018-09-10 at 22:29 +0200, Magnus Bergman wrote:
> On Mon, 10 Sep 2018 11:31:42 +0200
> Bastien Nocera <had...@hadess.net> wrote:
> 
> > > I've written loader for GIF that simply wraps abydos. In lines of
> > > code it's about a quarter the size of the current loader, even
> > > including
> > > the GIF plugin for abydos. It might even be slightly smaller with
> > > the whole of abydos included in the equation. On the downside it
> > > probably doesn't pass the test suite since I haven't tried it.
> > > But
> > > I will, and hopefully publish the whole thing in a couple of
> > > days.  
> > 
> > That's unfortunately not mergeable, and unless you use a library
> > for
> > your GIF plugin in abydos, would just be shifting the potential
> > bugs
> > to the abydos code base.
> 
> I do use a library (or two). I've written one plugin that uses giflib
> and one that uses ImageMagick. I assumed using giflib would be a
> straighter path, but it wasn't. Firstly it only supports reading
> images
> from disk (but abydos automatically creates temporary files then
> needed
> so that didn't add any extra code at least). Secondly it doesn't do
> much more than unpacking the pixels. How to interpret what comes out
> is
> left as an exercise for the user, and requires a bit of knowledge
> about
> the GIF formats and it's quirks. So that plugin isn't built by
> default.
> ImageMagick on the other hand did much more to be of help, and
> required
> far less code to use. So shifting the responsibility to ImageMagick
> seems reasonable, I think.

No, it really isn't:
https://www.cvedetails.com/vulnerability-list/vendor_id-1749/Imagemagick.html

We want to have less CVEs, not more.

> I tested them both on all the GIF images included in the gdk-pixbuf
> test suit. Both plugins mostly work, but to varying degree. The one
> based on giflib segfaults with 1_partyanimsm2.gif (because the
> allocation containing the pixels which giflib provides is less than
> the
> images width x height, I haven't yet looked deeper into it). The
> ImageMagick based plugin on the other doesn't crash at least, and all
> the invalid images are correctly classified as invalid. The image
> 1_partyanimsm2.gif still shows as garbage except the first frame. The
> image aero.gif has the frame delay set to zero for every frame but
> the
> first. I'm not sure how that should be interpreted, so I simply
> exchanged zero values for a small delay (0.02 seconds). I will read
> up
> on the GIF format and hopefully get things working better.
> 
> It's available here if you want to try it out:
> http://snisurset.net/code/abydos/

Having looked at giflib, and knowing the author, the current plan still
is to have something based on libnsgif in the future.

> > > > - we disable every loader by default except the ones that the
> > > > core
> > > > desktop needs
> > > > - image viewers that rely on gdk-pixbuf ship their additional
> > > > loaders
> > > > in the app's Flatpak[1].  
> > > 
> > > I don't care much for Flatpak in particular. But generalised and
> > > rephrased as, leave it to the distributors to decide, I agree
> > > that
> > > this is absolutely the best approach.  
> > 
> > Without Flatpak, you're just removing image format support from
> > image
> > viewers, as many packaging guidelines in distributions forbid the
> > bundling of libraries. They'd want to ship a single copy of the
> > gdk-
> > pixbuf loaders, and the applications wouldn't have any protection
> > from
> > files that the loaders would trip over.
> 
> I'm not arguing against that. I just think it's an issue best left
> entirely to distributors (including the choice between bundling and
> dependencies).
> 
> How and where to implement sandboxing is an interesting question
> still.

_______________________________________________
gtk-devel-list mailing list
gtk-devel-list@gnome.org
https://mail.gnome.org/mailman/listinfo/gtk-devel-list

Reply via email to