Pidgin denial of service with invalid gifs

Elliott Sales de Andrade qulogic at pidgin.im
Thu May 26 04:48:03 EDT 2011 

On Thu, May 26, 2011 at 4:42 AM, Elliott Sales de Andrade <qulogic at pidgin.im
> wrote:

> On Thu, May 26, 2011 at 4:08 AM, Mark Doliner <mark at kingant.net> wrote:
>
>> I encountered a denial of service bug in Pidgin with the attached
>> invalid gif.  When Pidgin tries to scale this image it continues
>> consuming memory until the process dies/is killed.  It's pretty bad
>> :-(
>>
>> The attached image comes from python imaging (aka PIL).  I resized a
>> valid image to a smaller size and saved it as gif with optimize=True.
>> Apparently this results in an invalid gif (seems like a bug in
>> PIL--but whatever).
>>
>> It's pretty easy to write some sample code to demonstrate the problem:
>> GdkPixbuf *pixbuf;
>> GError *err = NULL;
>> pixbuf = gdk_pixbuf_new_from_file("bad_image.gif", &err);
>> /* At this point, err will be non NULL and err->message is
>>  "Failed to load image 'bad_image.gif': GIF image loader cannot
>> understand this image."
>>  However, pixbuf WILL be set to a GdkPixbuf object (non-NULL). */
>> gdk_pixbuf_scale_simple(pixbuf, 20, 20, GDK_INTERP_BILINEAR); /* This
>> line triggers the problem */
>>
>>
> Maybe I forgot to initialize something and my test code is too simple (I
> basically just used the three lines you gave), but this crashes in
> gdk_pixbuf_new_from_file for me. What version of gtk/gdk(-pixbuf) are you
> using?
>
>

Never mind that. A gtk_init fixes it (even though it may be more than
necessary). I get a slightly different message: "Failed to load image
'bad_image.gif': GIF image loader cannot understand this image." This is
with gdk-pixbuf2-2.22.0-1.fc14.x86_64.


> This ALMOST seems like a serious bug in the gdk-pixbuf library.
>> Except that the library IS setting err, so I don't even know if it's
>> worth reporting it to them.  What do you guys think?
>>
>>
> The docs indicate that "If NULL is returned, then error will be set.",
> which means that a non-NULL pixbuf should not be returned in this case. I
> think it warrants reporting.
>
>
>> In any case, the lesson here is that we can't just look at the return
>> value from these functions.  We must pass in err and always check
>> whether it was set.  Specifically for these functions (there may be
>> more):
>> gdk_pixbuf_new_from_file
>> gdk_pixbuf_loader_write
>> gdk_pixbuf_loader_close
>>
>> This feels like a pretty serious problem to me and I think we should
>> probably not disclose it publicly, not check in any fixes yet, set an
>> embargo date, notify packagers and request a CVE.  The embargo date
>> should probably be at least two weeks from now, so I don't think it's
>> worth holding up 2.8.0 for.  I'll even volunteer to release 2.8.1 when
>> the time comes.  Thoughts?
>>
>> It looks like that's going to require quite a few changes and I won't
>> have time to do it tonight, but I wanted to send an email out as soon
>> as possible.  If anyone else wants to make the fixes, go right ahead.
>>
>> --Mark
>>
>
> --
> Elliott aka QuLogic
> Pidgin developer
>

-- 
Elliott aka QuLogic
Pidgin developer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110526/30465c35/attachment.html>

More information about the security mailing list