Pidgin denial of service with invalid gifs

Elliott Sales de Andrade qulogic at pidgin.im
Sun Jun 12 20:32:05 EDT 2011


On Sun, Jun 12, 2011 at 2:06 PM, Mark Doliner <mark at kingant.net> wrote:

> On Thu, May 26, 2011 at 1:48 AM, Elliott Sales de Andrade
> <qulogic at pidgin.im> wrote:
> > On Thu, May 26, 2011 at 4:42 AM, Elliott Sales de Andrade
> > <qulogic at pidgin.im> wrote:
> >> On Thu, May 26, 2011 at 4:08 AM, Mark Doliner <mark at kingant.net> wrote:
> >>>
> >>> I encountered a denial of service bug in Pidgin with the attached
> >>> invalid gif.  When Pidgin tries to scale this image it continues
> >>> consuming memory until the process dies/is killed.  It's pretty bad
> >>> :-(
> >>>
> >>> The attached image comes from python imaging (aka PIL).  I resized a
> >>> valid image to a smaller size and saved it as gif with optimize=True.
> >>> Apparently this results in an invalid gif (seems like a bug in
> >>> PIL--but whatever).
> >>>
> >>> It's pretty easy to write some sample code to demonstrate the problem:
> >>> #include <gtk/gtk.h>
> >>>
> >>> int main(void)
> >>> {
> >>>     GdkPixbuf *pixbuf;
> >>>     GError *err = NULL;
> >>>     pixbuf = gdk_pixbuf_new_from_file("bad_image.gif", &err);
> >>>     /* At this point, err will be non NULL and err->message is
> >>>      "Failed to load image 'bad_image.gif': GIF image loader cannot
> >>>      understand this image."
> >>>      However, pixbuf WILL be set to a GdkPixbuf object (non-NULL). */
> >>>     gdk_pixbuf_scale_simple(pixbuf, 20, 20, GDK_INTERP_BILINEAR); /* This
> >>>     line triggers the problem */
> >>>     return 0;
> >>> }
> >>>
> >>
> >> Maybe I forgot to initialize something and my test code is too simple (I
> >> basically just used the three lines you gave), but this crashes in
> >> gdk_pixbuf_new_from_file for me. What version of gtk/gdk(-pixbuf) are you
> >> using?
> >>
> >
> > Never mind that. A gtk_init fixes it (even though it may be more than
> > necessary). I get a slightly different message: "Failed to load image
> > 'bad_image.gif': GIF image loader cannot understand this image." This is
> > with gdk-pixbuf2-2.22.0-1.fc14.x86_64.
>
> Just want to confirm... so after you added the call to gtk_init() were
> you able to reproduce the problem where the sample program consumed
> lots and lots of memory in an infinite loop?  Also I don't see any
> differences between your message and mine.  I'm using
> libgdk-pixbuf2.0-0-2.23.3-0ubuntu1.
>
>
Sorry, it was late and I may have been a bit confusing. I added a gtk_init()
so that the gdk loaders and other stuff were all set up.
gdk_pixbuf_new_from_file returns a non-NULL result, but with err->message
set to that same message. gdk_pixbuf_scale_simple then does something or
other that takes up about a gig of RAM.

-- 
Elliott aka QuLogic
Pidgin developer
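The thread above boils down to two defensive points: a set GError should be treated as a failed load even when the loader hands back a non-NULL object, and a scaler should never be asked for an unbounded amount of memory on behalf of untrusted image data. The following is an added example, not code from this thread, from Pidgin or from gdk-pixbuf. It shows the kind of pre-check that can sit in front of any decoder and scaler: read only the 6-byte GIF signature and the logical screen descriptor, reject files whose declared canvas exceeds a pixel budget, and size the scale target against the same budget before anything is allocated. The budget MAX_PIXELS, the function names and the sample headers are constructed for illustration; this check does not diagnose the particular malformed gif discussed above, it only caps how much memory a decoder or scaler can legitimately be asked for.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode budget: the most pixels we are willing to hand to a decoder or a
 * scaler.  16 Mpx is about 64 MiB at 4 bytes per pixel (constructed policy
 * value; pick one that fits the application). */
#define MAX_PIXELS (16ULL * 1024ULL * 1024ULL)

typedef enum {
    GIF_OK = 0,
    GIF_TOO_SHORT,       /* fewer than the 13 header bytes */
    GIF_BAD_SIGNATURE,   /* neither "GIF87a" nor "GIF89a" */
    GIF_ZERO_DIMENSION,  /* logical screen width or height is 0 */
    GIF_TOO_LARGE        /* declared canvas exceeds MAX_PIXELS */
} gif_check_t;

/* Inspect the signature and the logical screen descriptor that follows it
 * (width and height as little-endian uint16) without decoding any pixel
 * data.  When width/height are non-NULL they receive the declared size as
 * soon as it has been parsed, even if the file is then rejected. */
gif_check_t gif_header_check(const uint8_t *buf, size_t len,
                             unsigned *width, unsigned *height)
{
    if (len < 13)
        return GIF_TOO_SHORT;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return GIF_BAD_SIGNATURE;

    unsigned w = (unsigned)buf[6] | ((unsigned)buf[7] << 8);
    unsigned h = (unsigned)buf[8] | ((unsigned)buf[9] << 8);
    if (width)  *width = w;
    if (height) *height = h;

    if (w == 0 || h == 0)
        return GIF_ZERO_DIMENSION;
    /* Both values fit in 16 bits, so the 64-bit product cannot overflow. */
    if ((uint64_t)w * (uint64_t)h > MAX_PIXELS)
        return GIF_TOO_LARGE;
    return GIF_OK;
}

/* Bytes an RGBA buffer for the requested scale target would need, or 0 when
 * the target is empty or exceeds the same pixel budget.  Checking the budget
 * before multiplying by the bytes-per-pixel keeps the product small enough
 * that it can never wrap. */
uint64_t scaled_rgba_bytes(unsigned dst_w, unsigned dst_h)
{
    if (dst_w == 0 || dst_h == 0)
        return 0;
    if ((uint64_t)dst_w * (uint64_t)dst_h > MAX_PIXELS)
        return 0;
    return (uint64_t)dst_w * (uint64_t)dst_h * 4;
}

/* Constructed sample headers; only the first 13 bytes of a GIF matter here. */
const uint8_t sample_ok[13]   = { 'G','I','F','8','9','a', 0x0a,0x00, 0x0a,0x00, 0x00,0x00,0x00 }; /* 10x10 */
const uint8_t sample_huge[13] = { 'G','I','F','8','9','a', 0xff,0xff, 0xff,0xff, 0x00,0x00,0x00 }; /* 65535x65535 */
const uint8_t sample_sig[13]  = { 'G','I','F','9','0','a', 0x0a,0x00, 0x0a,0x00, 0x00,0x00,0x00 }; /* bad signature */
const uint8_t sample_zero[13] = { 'G','I','F','8','7','a', 0x00,0x00, 0x0a,0x00, 0x00,0x00,0x00 }; /* width 0 */

int main(void)
{
    unsigned w = 0, h = 0;
    gif_check_t rc = gif_header_check(sample_huge, sizeof sample_huge, &w, &h);
    printf("huge header: rc=%d, declared %ux%u\n", (int)rc, w, h);
    printf("20x20 RGBA target needs %llu bytes\n",
           (unsigned long long)scaled_rgba_bytes(20, 20));
    return 0;
}
```

The header check runs on the raw bytes before any library call, so it also works as a cheap filter on incoming messages or avatars. The scale-target check belongs immediately before the scaler is invoked, and the two together mean that a loader which returns an object despite reporting an error can still only cost the process a bounded amount of memory.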