Pidgin denial of service with invalid gifs

Elliott Sales de Andrade qulogic at pidgin.im
Thu May 26 04:42:02 EDT 2011


On Thu, May 26, 2011 at 4:08 AM, Mark Doliner <mark at kingant.net> wrote:

> I encountered a denial of service bug in Pidgin with the attached
> invalid gif.  When Pidgin tries to scale this image it continues
> consuming memory until the process dies/is killed.  It's pretty bad
> :-(
>
> The attached image comes from python imaging (aka PIL).  I resized a
> valid image to a smaller size and saved it as gif with optimize=True.
> Apparently this results in an invalid gif (seems like a bug in
> PIL--but whatever).
>
> It's pretty easy to write some sample code to demonstrate the problem:
> #include <gdk-pixbuf/gdk-pixbuf.h>
>
> int main(void)
> {
>     GdkPixbuf *pixbuf;
>     GError *err = NULL;
>     pixbuf = gdk_pixbuf_new_from_file("bad_image.gif", &err);
>     /* At this point, err will be non-NULL and err->message is
>        "Failed to load image 'bad_image.gif': GIF image loader cannot
>        understand this image."
>        However, pixbuf WILL be set to a GdkPixbuf object (non-NULL). */
>     /* This line triggers the problem */
>     gdk_pixbuf_scale_simple(pixbuf, 20, 20, GDK_INTERP_BILINEAR);
>     return 0;
> }
>
>
Maybe I forgot to initialize something and my test code is too simple (I
basically just used the three lines you gave), but this crashes in
gdk_pixbuf_new_from_file for me. What version of gtk/gdk(-pixbuf) are you
using?


> This ALMOST seems like a serious bug in the gdk-pixbuf library.
> Except that the library IS setting err, so I don't even know if it's
> worth reporting it to them.  What do you guys think?
>
>
The docs indicate that "If NULL is returned, then error will be set.", which
means that a non-NULL pixbuf should not be returned in this case. I think it
warrants reporting.


> In any case, the lesson here is that we can't just look at the return
> value from these functions.  We must pass in err and always check
> whether it was set.  Specifically for these functions (there may be
> more):
> gdk_pixbuf_new_from_file
> gdk_pixbuf_loader_write
> gdk_pixbuf_loader_close
>
> This feels like a pretty serious problem to me and I think we should
> probably not disclose it publicly, not check in any fixes yet, set an
> embargo date, notify packagers and request a CVE.  The embargo date
> should probably be at least two weeks from now, so I don't think it's
> worth holding up 2.8.0 for.  I'll even volunteer to release 2.8.1 when
> the time comes.  Thoughts?
>
> It looks like that's going to require quite a few changes and I won't
> have time to do it tonight, but I wanted to send an email out as soon
> as possible.  If anyone else wants to make the fixes, go right ahead.
>
> --Mark
>

-- 
Elliott aka QuLogic
Pidgin developer
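The "check err, not the return value" lesson from Mark's quoted message, as an added example; this is not Pidgin's or gdk-pixbuf's code. So that it runs without gdk-pixbuf installed, the loader `img_load` is a hypothetical stand-in that deliberately reproduces the behaviour reported above (the error is set and a non-NULL, half-initialised object is returned at the same time). The `ImgPixbuf`/`ImgError` types, every `img_*` name, the "GIF89a plus four pixel bytes" format and the byte arrays are all constructed for this example. Against the real API the shape is the same: pass a `GError **` to `gdk_pixbuf_new_from_file` (and to `gdk_pixbuf_loader_write` / `gdk_pixbuf_loader_close`), treat a set error as failure whatever was returned, and release whatever object came back.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in types: a pixel buffer and a GError-style record. */
typedef struct { int width, height, fully_decoded; } ImgPixbuf;
typedef struct { char message[96]; } ImgError;

static int img_live_objects = 0;   /* pixbufs allocated but not yet released */

static ImgPixbuf *img_new(int w, int h)
{
    ImgPixbuf *p = calloc(1, sizeof *p);
    if (p == NULL) abort();
    p->width = w;
    p->height = h;
    img_live_objects++;
    return p;
}

static void img_unref(ImgPixbuf *p)            /* NULL-safe by design */
{
    if (p != NULL) { img_live_objects--; free(p); }
}

static ImgError *img_error_new(const char *msg)
{
    ImgError *e = calloc(1, sizeof *e);
    if (e == NULL) abort();
    snprintf(e->message, sizeof e->message, "%s", msg);
    return e;
}

static void img_error_free(ImgError *e) { free(e); }

/* Stand-in for gdk_pixbuf_new_from_file(). The format is constructed: a
 * "GIF89a" marker followed by at least four pixel bytes. A truncated file
 * reproduces the reported misbehaviour: *err is set AND the half-initialised
 * object is returned, instead of NULL as the documented contract says. */
static ImgPixbuf *img_load(const unsigned char *data, size_t len, ImgError **err)
{
    if (len < 6 || memcmp(data, "GIF89a", 6) != 0) {
        *err = img_error_new("not a GIF");      /* documented contract: NULL + error */
        return NULL;
    }
    ImgPixbuf *p = img_new(2, 2);               /* allocated before decoding finishes */
    if (len < 6 + 4) {
        *err = img_error_new("GIF image loader cannot understand this image");
        return p;                               /* the bug: error set, object returned */
    }
    p->fully_decoded = 1;
    return p;
}

/* The pattern the mail says to stop using: decide on the return value alone.
 * For the truncated input this hands a half-initialised object onward, which
 * is exactly what then gets scaled. */
static ImgPixbuf *load_return_value_only(const unsigned char *data, size_t len)
{
    ImgError *err = NULL;
    ImgPixbuf *p = img_load(data, len, &err);
    if (err != NULL) img_error_free(err);      /* error dropped without acting on it */
    return p;
}

/* Hardened pattern: a set error is a failure whatever the return value was,
 * and the object the loader handed back is released so nothing leaks. */
static ImgPixbuf *load_checked(const unsigned char *data, size_t len)
{
    ImgError *err = NULL;
    ImgPixbuf *p = img_load(data, len, &err);
    if (err != NULL) {
        fprintf(stderr, "image rejected: %s\n", err->message);
        img_error_free(err);
        img_unref(p);
        return NULL;
    }
    return p;
}

/* Constructed inputs, not real files. */
static const unsigned char GOOD_GIF[]  = { 'G','I','F','8','9','a', 1, 2, 3, 4 };
static const unsigned char TRUNC_GIF[] = { 'G','I','F','8','9','a' };

/* 1 if the return-value-only caller accepts the truncated file. */
int naive_accepts_truncated(void)
{
    ImgPixbuf *p = load_return_value_only(TRUNC_GIF, sizeof TRUNC_GIF);
    int accepted = (p != NULL && !p->fully_decoded);
    img_unref(p);
    return accepted;
}

/* 1 if the hardened caller rejects the truncated file without leaking. */
int checked_rejects_truncated(void)
{
    int before = img_live_objects;
    ImgPixbuf *p = load_checked(TRUNC_GIF, sizeof TRUNC_GIF);
    return p == NULL && img_live_objects == before;
}

/* 1 if the hardened caller still accepts a complete file. */
int checked_accepts_good(void)
{
    ImgPixbuf *p = load_checked(GOOD_GIF, sizeof GOOD_GIF);
    int ok = (p != NULL && p->fully_decoded);
    img_unref(p);
    return ok;
}

int main(void)
{
    printf("naive accepts truncated:   %d\n", naive_accepts_truncated());
    printf("checked rejects truncated: %d\n", checked_rejects_truncated());
    printf("checked accepts good:      %d\n", checked_accepts_good());
    return 0;
}
```

The two `load_*` functions differ only in whether they look at `err`, which is the whole of the fix being proposed; the live-object counter is there to show that the hardened path also releases the object the loader returned alongside the error, since with the real library that object would otherwise leak on every rejected image.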
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110526/8938250a/attachment.html>