gdk-pixbuf: heap overflow and DoS affecting Firefox and other programs [x86_64] (CVE-2015-4491)
We found a heap overflow and a DoS in the gdk-pixbuf implementation triggered by the scaling of a malformed bmp. These issues are affecting x86_64 builds (we tested in a fully updated Ubuntu 14.04 and Debian Wheezy). For example, Ubuntu 14.04 ships with gdk-pixbuf 2.30 but newer versions are affected as well.
The issue happens when a program is trying to parse and scale a crafted bmp using gdk-pixbuf (for instance, using get_scaled_pixbuf). It will result at least in a DoS aborting the program with a SIGTRAP. It is also possible to perform a heap overflow if you select the suitable width and height in a malicious bmp according to the scaled width and height. The cause of the heap overflow is this integer overflow located here:
https://github.com/GNOME/gdk-pixbuf/blob/f79085cbec9997895e252dce994d18139d719e26/gdk-pixbuf/pixops/pixops.c#L1275
and the insufficient checks performed in the gdk_pixbuf_new function.
Interestingly enough, in a recent version of gdk-pixbuf (2.31 or newer) somebody replaced some old code that checks for an overflow with a g_try_malloc_n that is supposed to check for overflow, but it doesn't in x86_64 (you can see the old and new code here:
https://github.com/GNOME/gdk-pixbuf/commit/deb78d971c4bcb9e3ccbb71e7925bc6baa707188#diff-cde3af8b5b1c0789407148d53a75ae22R448)
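The failure mode described above is a pixel-buffer size computed in 32-bit arithmetic that wraps, so the allocation is far smaller than the rows later written into it. The following is an added illustration, not gdk-pixbuf's own code: the naive computation wraps for large scaled dimensions, while the checked version tests every multiplication and rejects the request. The 4-byte row alignment and the INT_MAX bound are assumptions chosen for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Naive size computation: width * channels * height in 32-bit arithmetic.
 * For a crafted (or scaled) width/height the product exceeds 2^32 and
 * silently wraps, yielding a tiny (even zero) buffer size. uint32_t is
 * used here so the wrap is well defined and observable. */
uint32_t naive_buffer_size(uint32_t width, uint32_t height, uint32_t channels)
{
    uint32_t rowstride = width * channels;  /* may wrap */
    return rowstride * height;              /* may wrap again */
}

/* Checked size computation: every step is tested for overflow and the
 * result must also fit the int-sized fields a pixbuf-like struct uses
 * (INT_MAX bound is an assumption for this example). Returns false
 * instead of an undersized length. */
bool checked_buffer_size(int width, int height, int channels, size_t *out)
{
    if (width <= 0 || height <= 0 || channels <= 0)
        return false;

    size_t rowstride;
    if (__builtin_mul_overflow((size_t)width, (size_t)channels, &rowstride))
        return false;

    /* Round each row up to a 4-byte boundary (assumed layout), guarding
     * the addition as well. */
    if (rowstride > SIZE_MAX - 3)
        return false;
    rowstride = (rowstride + 3) & ~(size_t)3;

    size_t total;
    if (__builtin_mul_overflow(rowstride, (size_t)height, &total))
        return false;

    if (total > (size_t)INT_MAX)
        return false;

    *out = total;
    return true;
}
```

A 65536x65536 RGBA image needs 2^34 bytes: the naive version reports 0, the checked version refuses, which is the difference between a later out-of-bounds write and a clean error.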
Unfortunately, at least Firefox and Chromium are using gdk-pixbuf primitives to implement file pickers, so they are affected. A minimal example of a vulnerable program is attached: it is just a call to gdk_pixbuf_new_from_file_at_size. Also two bmp POCs are included: one to crash the minimal example and another POC to trigger a heap overflow in Firefox (it works with pixbuf 2.31 or newer). You should attach the uncompressed bmp or try to open it (using ctrl+O) (that's the reason we are sending it compressed!). Remember that this vulnerability depends on a malloc call and can fail if your real/virtual memory is not large enough. In particular, the Firefox POC requires at least 12GB of memory available for allocation.
Reference:
(from redmine: issue id 4527, created on 2015-08-14, closed on 2015-10-02)
- Relations:
- child #4528 (closed)
- child #4529 (closed)
- child #4530 (closed)
- child #4531 (closed)
- Changesets:
- Revision 8eb537ab by Natanael Copa on 2015-08-14T11:22:26Z:
main/gdk-pixbuf: security upgrade to 2.31.5 (CVE-2015-4491)
ref #4527
- Revision 855144a2 by Natanael Copa on 2015-09-21T07:09:53Z:
main/gdk-pixbuf: security upgrade to 2.31.5 (CVE-2015-4491)
ref #4527
fixes #4531
- Revision fac73347 by Natanael Copa on 2015-09-21T07:10:39Z:
main/gdk-pixbuf: security upgrade to 2.31.5 (CVE-2015-4491)
ref #4527
fixes #4530
- Revision d72bd99a by Natanael Copa on 2015-09-21T07:13:55Z:
main/gdk-pixbuf: security upgrade to 2.31.5 (CVE-2015-4491)
ref #4527
fixes #4529
- Revision 24bd75c7 by Natanael Copa on 2015-09-21T07:14:35Z:
main/gdk-pixbuf: security upgrade to 2.31.5 (CVE-2015-4491)
ref #4527
fixes #4528