[gdk-pixbuf] pixops: Fix oversight for CVE-2015-4491

From: Benjamin Otte <otte src gnome org>
To: commits-list gnome org
Cc:
Subject: [gdk-pixbuf] pixops: Fix oversight for CVE-2015-4491
Date: Mon, 17 Aug 2015 18:47:27 +0000 (UTC)
commit 8dba67cb4f38d62a47757741ad41e3f245b4a32a
Author: Benjamin Otte <otte redhat com>
Date:   Mon Aug 17 18:52:47 2015 +0200

    pixops: Fix oversight for CVE-2015-4491
    
    The n_x variable could be made large enough to overflow, too.
    
    Also included are various testcases for this vulnerability:
    - The original exploit (adapted for the testsuite)
    - Causing overflow by making both X and Y variables large
    - Causing overflow using only the X variable
    - Causing overflow using only the Y variable
    
    https://bugzilla.gnome.org/show_bug.cgi?id=752297

 gdk-pixbuf/pixops/pixops.c    |    6 ++-
 tests/Makefile.am             |    7 +++
 tests/cve-2015-4491.bmp       |  Bin 0 -> 82 bytes
 tests/cve-2015-4491.c         |   87 +++++++++++++++++++++++++++++++++++++++++
 tests/resources.gresource.xml |    1 +
 5 files changed, 100 insertions(+), 1 deletions(-)
---
diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
index ce51745..7f2cbff 100644
--- a/gdk-pixbuf/pixops/pixops.c
+++ b/gdk-pixbuf/pixops/pixops.c
@@ -1275,7 +1275,11 @@ make_filter_table (PixopsFilter *filter)
   gsize n_weights;
   int *weights;
 
-  n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
+  n_weights = SUBSAMPLE * SUBSAMPLE * n_x;
+  if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x)
+    return NULL; /* overflow, bail */
+
+  n_weights *= n_y;
   if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
     return NULL; /* overflow, bail */
 
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 058ad68..42db6e2 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -24,6 +24,7 @@ noinst_PROGRAMS +=                    \
 
 test_programs =                        \
        animation                       \
+       cve-2015-4491                   \
        pixbuf-icon-serialize           \
        pixbuf-randomly-modified        \
        pixbuf-threads                  \
@@ -54,6 +55,12 @@ dist_installed_test_data =           \
        bug725582-testrotate.png        \
        $(wildcard $(srcdir)/test-images/*)
 
+cve_2015_4491_SOURCES =                        \
+       cve-2015-4491.c                 \
+       resources.h                     \
+       resources.c                     \
+       $(NULL)
+
 pixbuf_icc_SOURCES =                   \
        pixbuf-icc.c                    \
        test-common.c                   \
diff --git a/tests/cve-2015-4491.bmp b/tests/cve-2015-4491.bmp
new file mode 100644
index 0000000..5d3c105
Binary files /dev/null and b/tests/cve-2015-4491.bmp differ
diff --git a/tests/cve-2015-4491.c b/tests/cve-2015-4491.c
new file mode 100644
index 0000000..34ba94f
--- /dev/null
+++ b/tests/cve-2015-4491.c
@@ -0,0 +1,87 @@
+/* GdkPixbuf library - test compositing
+ *
+ * Copyright (C) 2015 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author: Benjamin Otte
+ */
+
+#include <gdk-pixbuf.h>
+
+static void
+test_original (void)
+{
+  GdkPixbuf* buf;
+  int size = 32;
+  GError* err = NULL;
+
+  buf = gdk_pixbuf_new_from_resource_at_scale ("/test/resource/cve-2015-4491.bmp", size, size, FALSE, &err);
+
+  g_assert_no_error (err);
+
+  g_object_unref (buf);
+}
+
+static void
+test_scale_overflow (void)
+{
+  GdkPixbuf *src, *dest;
+
+  src = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, 1 << 12, 1 << 12);
+  dest = gdk_pixbuf_scale_simple (src, 1, 1, GDK_INTERP_BILINEAR);
+
+  g_object_unref (dest);
+  g_object_unref (src);
+
+}
+
+static void
+test_scalex_overflow (void)
+{
+  GdkPixbuf *src, *dest;
+
+  src = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, (((guint) G_MAXINT) + 1) >> 7, 1);
+  dest = gdk_pixbuf_scale_simple (src, 1, 1, GDK_INTERP_BILINEAR);
+
+  g_object_unref (dest);
+  g_object_unref (src);
+
+}
+
+static void
+test_scaley_overflow (void)
+{
+  GdkPixbuf *src, *dest;
+
+  src = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, 1, (((guint) G_MAXINT) + 1) >> 7);
+  dest = gdk_pixbuf_scale_simple (src, 1, 1, GDK_INTERP_BILINEAR);
+
+  g_object_unref (dest);
+  g_object_unref (src);
+
+}
+
+int
+main (int argc, char *argv[])
+{
+  g_test_init (&argc, &argv, NULL);
+
+  g_test_add_func ("/pixbuf/cve-2015-4491/original", test_original);
+  g_test_add_func ("/pixbuf/cve-2015-4491/scale-overflow", test_scale_overflow);
+  g_test_add_func ("/pixbuf/cve-2015-4491/scale-x-overflow", test_scalex_overflow);
+  g_test_add_func ("/pixbuf/cve-2015-4491/scale-y-overflow", test_scaley_overflow);
+
+  return g_test_run ();
+}
diff --git a/tests/resources.gresource.xml b/tests/resources.gresource.xml
index 3114289..94c7b0a 100644
--- a/tests/resources.gresource.xml
+++ b/tests/resources.gresource.xml
@@ -3,6 +3,7 @@
   <gresource prefix="/test/resource">
     <file>icc-profile.png</file>
     <file preprocess="to-pixdata" alias="icc-profile.pixdata">icc-profile.png</file>
+    <file>cve-2015-4491.bmp</file>
   </gresource>
 </gresources>
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]