You have been subscribed to a public bug by Kees Cook (kees):

It's possible to crash any application with a memory allocation error, or
potentially corrupt the heap, because the width/height parameters aren't
properly verified.

TEST FILE:
#define width 1
#define height -1
static char bits[] = {

HOW TO REPRODUCE:
Open the directory containing this file with Nautilus. Nautilus should crash on
file thumbnailing.
Try to attach this file using Firefox. The Firefox gtk-file-chooser dialog breaks
Firefox when it tries to show the picture preview.

Affected source: gdk-pixbuf/io-xbm.c
230                 bytes_per_line = (ww+7)/8 + padding;
231 
232                 size = bytes_per_line * hh; // Overflow
233                 bits = g_malloc (size);

Potential heap corruption:
326         ptr = data;
327         for (y = 0; y < h; y++) {
328                 bits = 0;
329                 for (x = 0; x < w; x++) {

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: libgdk-pixbuf2.0-0 2.22.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
Date: Thu Nov 25 00:27:06 2010
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100406.1)
ProcEnviron:
 LANG=ru_RU.utf8
 SHELL=/bin/bash
SourcePackage: gdk-pixbuf

** Affects: gdk-pixbuf (Ubuntu)
     Importance: Low
         Status: Confirmed


** Tags: amd64 apport-bug maverick
-- 
Integer overflow in XBM file loader
https://bugs.launchpad.net/bugs/681150
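
The size calculation quoted in the report, next to a validated form, as an added example (not code from the report or from gdk-pixbuf). The function names, the plain int/long types and the INT_MAX ceiling are assumptions, since the report does not show the declarations in io-xbm.c.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* The report's arithmetic with plain int types (assumed). A negative
 * product becomes a huge size_t once it is handed to an allocator. */
static size_t xbm_unchecked_size(int ww, int hh, int padding)
{
    int bytes_per_line = (ww + 7) / 8 + padding;
    int size = bytes_per_line * hh;
    return (size_t)size;
}

/* Validated form: returns 0 and stores the byte count in *out, or -1 when
 * the header values cannot describe an allocatable bitmap. */
static int xbm_checked_size(long width, long height, int padding, size_t *out)
{
    /* Reject zero, negative and out-of-range values before any arithmetic. */
    if (width <= 0 || height <= 0 || padding < 0)
        return -1;
    if (width > INT_MAX || height > INT_MAX)
        return -1;

    size_t bytes_per_line = ((size_t)width + 7) / 8 + (size_t)padding;

    /* Divide instead of multiplying so the test itself cannot overflow. */
    if (bytes_per_line > (size_t)INT_MAX / (size_t)height)
        return -1;

    *out = bytes_per_line * (size_t)height;
    return 0;
}

int main(void)
{
    size_t n = 0;

    /* Constructed input: the width 1 / height -1 header from the test file. */
    printf("unchecked: %zu bytes requested\n", xbm_unchecked_size(1, -1, 0));
    printf("checked:   %s\n",
           xbm_checked_size(1, -1, 0, &n) ? "rejected" : "accepted");

    /* Constructed input: an ordinary 16x16 bitmap. */
    if (xbm_checked_size(16, 16, 0, &n) == 0)
        printf("16x16:     %zu bytes\n", n);
    return 0;
}
```

The same width and height limits have to hold for the later per-pixel loops, so a loader should reject the header once, before allocating, rather than re-checking at each use.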