GNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes. if c->self_code equals 10, self->code_table[10].extends will assign the value 11 to c. The next execution in the loop will assign self->code_table[11].extends to c, which will give the value of 10. This will make the loop run infinitely. This bug can, for example, be triggered by calling this function with a GIF image with LZW compression that is crafted in a special way. References: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/blob/master/NEWS https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
Created gdk-pixbuf2 tracking bugs for this issue: Affects: fedora-all [bug 1927239]
Patch: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81 The issue was introduced in version 2.40.0: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/b88f1ce91a610a4e491a4ad6352183791e78afac
Created mingw-gdk-pixbuf tracking bugs for this issue: Affects: fedora-all [bug 1928673]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-29385