Bug 574372 (CVE-2013-7447)

Summary:	[Tracking] Memory allocation integer overflow in gdk_cairo_set_source_pixbuf (CVE-2013-7447)
Product:	Gentoo Security	Reporter:	Kristian Fiskerstrand (RETIRED) <k_f>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	gnome, phmagic
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.openwall.com/lists/oss-security/2016/02/10/2
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:	574374, 574376, 574378, 574380, 574382, 574384
Bug Blocks:

Description Kristian Fiskerstrand (RETIRED) gentoo-dev

2016-02-10 21:36:56 UTC

Hello MITRE, all,

Virgil Grigoras and Vlad Orlov discovered an integer overflow flaw in
gtk+2.0 in image handling:

https://github.com/mate-desktop/eom/issues/93

Bert Massop discovered the same issue in the gtk+3.0 codebase:

https://bugzilla.gnome.org/show_bug.cgi?id=703220

The fix replaces a direct height * cairo_stride multiplication with a call
to g_malloc_n() which knows how to multiply correctly:

https://git.gnome.org/browse/gtk+/commit?id=894b1ae76a32720f4bb3d39cf460402e3ce331d6

-  cairo_pixels = g_malloc (height * cairo_stride);
+  cairo_pixels = g_malloc_n (height, cairo_stride);

This same bug appears to be copy-and-pasted to at least:
eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0

https://codesearch.debian.net/results/height%20%5C*%20cairo_stride/page_0

I haven't been able to find CVEs assigned for any of these issues.

Thanks

Related links:

https://bugs.launchpad.net/ubuntu/+source/gtk+2.0/+bug/1540811
https://github.com/mate-desktop/eom/issues/93
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799275
https://bugzilla.gnome.org/show_bug.cgi?id=703220
https://git.gnome.org/browse/gtk+/commit?id=894b1ae76a32720f4bb3d39cf460402e3ce331d6
https://codesearch.debian.net/results/height%20%5C*%20cairo_stride/page_0

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2018-04-03 19:15:00 UTC

Dependent bugs closed.