Pidgin denial of service with invalid gifs

Mark Doliner mark at kingant.net
Thu May 26 04:08:50 EDT 2011


I encountered a denial of service bug in Pidgin with the attached
invalid gif.  When Pidgin tries to scale this image it continues
consuming memory until the process dies/is killed.  It's pretty bad
:-(

The attached image comes from python imaging (aka PIL).  I resized a
valid image to a smaller size and saved it as gif with optimize=True.
Apparently this results in an invalid gif (seems like a bug in
PIL--but whatever).

It's pretty easy to write some sample code to demonstrate the problem:
#include <gdk-pixbuf/gdk-pixbuf.h>

int main(void)
{
    GdkPixbuf *pixbuf;
    GError *err = NULL;
    pixbuf = gdk_pixbuf_new_from_file("bad_image.gif", &err);
    /* At this point, err will be non-NULL and err->message is
       "Failed to load image 'bad_image.gif': GIF image loader cannot
       understand this image."
       However, pixbuf WILL be set to a GdkPixbuf object (non-NULL). */
    gdk_pixbuf_scale_simple(pixbuf, 20, 20, GDK_INTERP_BILINEAR); /* This line triggers the problem */
    return 0;
}

This ALMOST seems like a serious bug in the gdk-pixbuf library.
Except that the library IS setting err, so I don't even know if it's
worth reporting it to them.  What do you guys think?

In any case, the lesson here is that we can't just look at the return
value from these functions.  We must pass in err and always check
whether it was set.  Specifically for these functions (there may be
more):
gdk_pixbuf_new_from_file
gdk_pixbuf_loader_write
gdk_pixbuf_loader_close

This feels like a pretty serious problem to me and I think we should
probably not disclose it publicly, not check in any fixes yet, set an
embargo date, notify packagers and request a CVE.  The embargo date
should probably be at least two weeks from now, so I don't think it's
worth holding up 2.8.0 for.  I'll even volunteer to release 2.8.1 when
the time comes.  Thoughts?

It looks like that's going to require quite a few changes and I won't
have time to do it tonight, but I wanted to send an email out as soon
as possible.  If anyone else wants to make the fixes, go right ahead.

--Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bad_image.gif
Type: image/gif
Size: 3773 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110526/7ec3f29f/attachment.gif>

