| Summary: |
CVE-2016-6352 gdk-pixbuf: Out-of-bounds write in OneLine32() function |
| Product: |
[Other] Security Response
|
Reporter: |
Andrej Nemec <anemec> |
| Component: |
vulnerability | Assignee: |
Red Hat Product Security <security-response-team> |
| Status: |
CLOSED
WONTFIX
|
QA Contact: |
|
| Severity: |
medium
|
Docs Contact: |
|
| Priority: |
medium
|
|
|
| Version: |
unspecified | CC: |
alonbl, bmcclain, cfergeau, dblechte, dkholia, gklein, lsurette, mgoldboi, michal.skrivanek, otte, rbalakri, security-response-team, sherold, srevivo, ykaul, ylavi
|
| Target Milestone: |
--- | Keywords: |
Security |
| Target Release: |
--- | |
|
| Hardware: |
All | |
|
| OS: |
Linux | |
|
| Whiteboard: |
|
|
Fixed In Version:
|
|
Doc Type:
|
If docs needed, set a value
|
|---|
|
Doc Text:
|
|
Story Points:
|
---
|
|---|
|
Clone Of:
|
|
Environment:
|
|
|---|
|
Last Closed:
|
2016-07-04 05:38:15 UTC
|
Type:
|
---
|
|---|
|
Regression:
|
---
|
Mount Type:
|
---
|
|---|
|
Documentation:
|
---
|
CRM:
|
|
|---|
|
Verified Versions:
|
|
Category:
|
---
|
|---|
|
oVirt Team:
|
---
|
RHEL 7.3 requirements from Atomic Host:
|
|
|---|
|
Cloudforms Team:
|
---
|
Target Upstream Version:
|
|
|---|
|
Embargoed:
|
|
| |
|---|
| Bug Depends On: |
|
|
|
| Bug Blocks: |
1349752
|
|
|
A write out-of-bounds parsing an ico file was found in gdk-pixbuf 2.30.7. A maliciously crafted file can cause the application to crash. Vulnerable code: static void OneLine32 (struct ico_progressive_state *context) { gint X; guchar *Pixels; X = 0; if (context->Header.Negative == 0) Pixels = (context->pixbuf->pixels + context->pixbuf->rowstride * (context->Header.height - context->Lines - 1)); else Pixels = (context->pixbuf->pixels + context->pixbuf->rowstride * context->Lines); while (X < context->Header.width) { Pixels[X * 4 + 0] = context->LineBuf[X * 4 + 2]; Pixels[X * 4 + 1] = context->LineBuf[X * 4 + 1]; Pixels[X * 4 + 2] = context->LineBuf[X * 4 + 0]; Pixels[X * 4 + 3] = context->LineBuf[X * 4 + 3]; X++; } }