[gdk-pixbuf] XPM: Fix undefined behaviour
commit c22494b40fc80c49bc5480538f9a4bffe3a84b33
Author: Tobias Stoeckmann <tobias stoeckmann org>
Date:   Sat Jun 6 23:08:27 2020 +0200

    XPM: Fix undefined behaviour
    
    Pixel data in XPM files consists of color characters.
    
    XPM allows up to 31 characters per pixel (cpp). If the file defines
    a width larger than G_MAXINT / cpp, the calculated memory required
    to parse a single line (wbytes) leads to a signed integer overflow.
    
    On common systems, a signed integer overflow works as expected on
    a bit level. Properly crafted files can overflow the variable
    wbytes in a way that it is positive again, which leads to a
    "successful" parsing of the XPM file. The pixel values themselves are
    not assigned by gdk-pixbuf code, therefore leaking raw memory
    returned by malloc.
    
    This might leak sensitive information through pixel values,
    depending on the actual application.
    
    Proof of Concept:
    
    /* XPM */
    static char * poc_xpm[] = {
    "138547333 1 1 31",
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        c None",
    "---------------------------"};
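The arithmetic described in the commit message, worked through as an added example (this is not gdk-pixbuf code, and the function names are my own). It reuses the header values from the proof of concept above (width 138547333, cpp 31), assumes a 32-bit two's-complement `int` as on the "common systems" the message refers to, shows what the unchecked product of w * cpp wraps to, and shows that the guard added by the commit rejects that header. It goes slightly beyond the patch by also giving a division-free checked multiply that yields the same decision.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Header values copied from the proof-of-concept XPM in the commit message:
 * width 138547333, height 1, one colour, 31 characters per pixel (cpp). */
#define POC_WIDTH 138547333
#define POC_CPP   31

/* The guard as added by the commit: cpp must be 1..31 and w must be small
 * enough that w * cpp fits in a signed int. The cpp range test comes
 * first, so the division INT_MAX / cpp is never by zero or negative.
 * (Hypothetical wrapper name; the real check is inline in io-xpm.c.) */
bool xpm_header_ok(int w, int cpp)
{
    if (cpp <= 0 || cpp >= 32)
        return false;
    if (w >= INT_MAX / cpp)
        return false;
    return true;
}

/* What the unchecked "wbytes = w * cpp" becomes on a 32-bit int when the
 * hardware wraps modulo 2^32. Computed in unsigned arithmetic (defined)
 * and folded back into the signed range by hand, so this model itself has
 * no undefined behaviour; the real signed overflow in the old code does. */
long long wrapped_line_bytes(int w, int cpp)
{
    uint32_t product = (uint32_t)w * (uint32_t)cpp;   /* modular, defined */
    long long as_signed = (long long)product;
    if (as_signed > INT32_MAX)
        as_signed -= (long long)1 << 32;              /* two's-complement view */
    return as_signed;
}

/* Division-free alternative with the same intent: compute the product in a
 * wider type and refuse anything that does not fit a non-negative int.
 * Returns the line byte count, or -1 when the header must be rejected. */
long long checked_line_bytes(int w, int cpp)
{
    if (cpp <= 0 || cpp >= 32 || w <= 0)
        return -1;
    long long p = (long long)w * (long long)cpp;
    if (p > INT_MAX)
        return -1;
    return p;
}

int main(void)
{
    printf("unchecked wbytes for PoC header wraps to %lld\n",
           wrapped_line_bytes(POC_WIDTH, POC_CPP));
    printf("guard accepts PoC header: %s\n",
           xpm_header_ok(POC_WIDTH, POC_CPP) ? "yes" : "no");
    printf("checked wbytes for PoC header: %lld\n",
           checked_line_bytes(POC_WIDTH, POC_CPP));
    printf("checked wbytes for a 100x? image with cpp 31: %lld\n",
           checked_line_bytes(100, 31));
    return 0;
}
```

The wrapped value, 27, is exactly the length of the pixel row in the proof of concept, which is why the old code "successfully" parsed a file claiming a width of 138547333: it only ever read 27 bytes per row and left the rest of the pixel buffer as whatever malloc returned. With the guard, INT_MAX / 31 is 69273666, so the header is rejected before any allocation happens.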

 gdk-pixbuf/io-xpm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
---
diff --git a/gdk-pixbuf/io-xpm.c b/gdk-pixbuf/io-xpm.c
index 0756a43d8..9b0a9ab01 100644
--- a/gdk-pixbuf/io-xpm.c
+++ b/gdk-pixbuf/io-xpm.c
@@ -507,7 +507,7 @@ pixbuf_create_from_xpm (const gchar * (*get_buf) (enum buf_op op, gpointer handl
                                      _("Invalid XPM header"));
                return NULL;
        }
-       if (cpp <= 0 || cpp >= 32) {
+       if (cpp <= 0 || cpp >= 32 || w >= G_MAXINT / cpp) {
                 g_set_error_literal (error,
                                      GDK_PIXBUF_ERROR,
                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
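Review bot: the new term `w >= G_MAXINT / cpp` is only safe because `cpp <= 0 || cpp >= 32` is evaluated first and short-circuits, so the division can never be by zero or a negative value; that ordering is load-bearing and deserves a one-line comment, or the check could be written with `g_uint_checked_mul` to avoid the division entirely. The hunk also does not show whether `w` has already been checked to be positive: a negative `w` passes `w >= G_MAXINT / cpp` and would still give a negative `wbytes`, so either confirm an earlier `w <= 0` rejection exists or add `w <= 0` to this condition. Finally, `>=` also rejects the exact case `w == G_MAXINT / cpp` whose product still fits; harmless, but `>` would be the precise bound.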