An out-of-bounds write when parsing an ICO file was found in gdk-pixbuf 2.30.7. A maliciously crafted file can cause the application to crash.

Vulnerable code:

static void
OneLine32 (struct ico_progressive_state *context)
{
        gint X;
        guchar *Pixels;

        X = 0;
        if (context->Header.Negative == 0)
                Pixels = (context->pixbuf->pixels +
                          context->pixbuf->rowstride *
                          (context->Header.height - context->Lines - 1));
        else
                Pixels = (context->pixbuf->pixels +
                          context->pixbuf->rowstride *
                          context->Lines);
        while (X < context->Header.width) {
                Pixels[X * 4 + 0] = context->LineBuf[X * 4 + 2];
                Pixels[X * 4 + 1] = context->LineBuf[X * 4 + 1];
                Pixels[X * 4 + 2] = context->LineBuf[X * 4 + 0];
                Pixels[X * 4 + 3] = context->LineBuf[X * 4 + 3];
                X++;
        }
}
Acknowledgments: Name: Franco Constantini
Public via: http://seclists.org/oss-sec/2016/q3/61
CVE assignment: http://seclists.org/oss-sec/2016/q3/162
Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=769170
Upstream patch: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=88af50a864195da1a4f7bda5f02539704fbda599
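
The loop in OneLine32 writes width * 4 bytes at a row offset derived from header fields without comparing either to the destination allocation. The following is an added example, not the upstream patch and not gdk-pixbuf code: a bounds-checked version of the same row copy, where struct row_target, its fields and one_line32_checked are hypothetical names and the buffer length is assumed to be tracked by the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the loader state; not gdk-pixbuf's own struct. */
struct row_target {
    uint8_t *pixels;    /* destination pixel buffer */
    size_t buf_len;     /* bytes actually allocated for pixels */
    size_t rowstride;   /* bytes per destination row */
    size_t width;       /* width from the file header, in pixels */
    size_t height;      /* height from the file header, in rows */
    int negative;       /* non-zero: rows are stored top-down */
};

/* Copy one 32-bit source line into row `line`, swapping bytes 0 and 2 as
 * the original loop does. Returns 0 on success, -1 if a write would fall
 * outside pixels or a read outside src. */
int one_line32_checked(const struct row_target *t, size_t line,
                       const uint8_t *src, size_t src_len)
{
    if (t->width == 0 || t->width > SIZE_MAX / 4)
        return -1;
    size_t row_bytes = t->width * 4;
    if (row_bytes > t->rowstride || row_bytes > src_len)
        return -1;
    if (line >= t->height)          /* keeps height - line - 1 from wrapping */
        return -1;
    size_t row = t->negative ? line : t->height - line - 1;
    if (row > (SIZE_MAX - row_bytes) / t->rowstride)
        return -1;                  /* row * rowstride would overflow */
    size_t off = row * t->rowstride;
    if (off + row_bytes > t->buf_len)
        return -1;                  /* row lies past the allocation */
    uint8_t *dst = t->pixels + off;
    for (size_t x = 0; x < t->width; x++) {
        dst[x * 4 + 0] = src[x * 4 + 2];
        dst[x * 4 + 1] = src[x * 4 + 1];
        dst[x * 4 + 2] = src[x * 4 + 0];
        dst[x * 4 + 3] = src[x * 4 + 3];
    }
    return 0;
}

int main(void)
{
    uint8_t buf[16] = {0}, src[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    struct row_target t = {buf, sizeof buf, 8, 2, 3, 0}; /* claims 3 rows, holds 2 */
    printf("line 0 -> %d\n", one_line32_checked(&t, 0, src, sizeof src));
    return 0;
}
```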