Closed
Bug 1293911
Opened 8 years ago
Closed 8 years ago
libpng: call to malloc with negative in [@ png_read_buffer]
Categories
(Core :: Graphics: ImageLib, defect)
RESOLVED
FIXED
People
(Reporter: tsmith, Assigned: glennrp+bmo)
(Keywords: csectype-oom, sec-low, testcase)
Attachments
(1 file, 2 obsolete files)
456 bytes, image/png
This was found using valgrind and a 32-bit build of libpng. Marking as sec-sensitive for now since I don't know exactly what is happening. Glenn or Tim, what do you think?

To reproduce:

valgrind -q ./pngtest <test_case>

Argument 'size' of function malloc has a fishy (possibly negative) value: -533712010
   at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x8052F53: png_malloc_base (pngmem.c:95)
   by 0x806276F: png_read_buffer (pngrutil.c:310)
   by 0x8064291: png_handle_iCCP (pngrutil.c:1464)
   by 0x8053641: png_read_info (pngread.c:220)
   by 0x8049AF8: test_one_file (pngtest.c:1064)
   by 0x804B169: main (pngtest.c:1967)
Comment 1•8 years ago
Nightly says the image cannot be displayed, and this is in the log:

[ImgDecoder #1]: W/PNGDecoder libpng warning: iCCP: profile 'icc': 0h: PCS illuminant is not D50
[ImgDecoder #1]: W/PNGDecoder libpng warning: iCCP: CRC error
[ImgDecoder #1]: W/PNGDecoder libpng warning: iCCP: truncated
[ImgDecoder #1]: W/PNGDecoder libpng warning: cHRM: CRC error
[ImgDecoder #1]: W/PNGDecoder libpng warning: PLTE: ignored in grayscale PNG

pngcheck says:

glenn.rp> pngcheck -f -v test_case.png
File: test_case.png (456 bytes)
  chunk IHDR at offset 0x0000c, length 13
    32 x 32 image, 16-bit grayscale, non-interlaced
  chunk iCCP at offset 0x00025, length 276
    profile name = icc, compression method = 0 (deflate)
    compressed profile = 271 bytes
    CRC error in chunk iCCP (computed f9c3f6d5, expected 36945b6f)
  chunk cHRM at offset 0x00145, length 32: invalid green point 0.3 42.543
    White x = 0.3127 y = 0.329, Red x = 0.64 y = 0.33
    Green x = 0.3 y = 42.543, Blue x = 0.15 y = 0.06
    CRC error in chunk cHRM (computed 4af248d3, expected 9cba513c)
  chunk PLTE at offset 0x00171, length 15: PLTE not allowed in grayscale image
:   0 palette entries
  chunk bKGD at offset 0x0018c, length 1: invalid length
  chunk pHYs at offset 0x00199, length 42: invalid length
:  EOF while reading CRC value
ERRORS DETECTED in test_case.png
Comment 2•8 years ago
To be fixed in libpng-1.6.25beta01.
Updated•8 years ago
Assignee: nobody → glennrp+bmo
Status: NEW → ASSIGNED
Comment 3•8 years ago
Update pngmem.c and pngrutil.c to libpng-1.6.25beta01
Comment 4•8 years ago
I've pushed libpng-1.6.25beta01, with this patch, to the public libpng GIT repositories, with this explanation in the CHANGES file:

Version 1.6.25beta01 [August 10, 2016]
  Return NULL from png_malloc_array() with a warning instead of calling
    png_error() on failure.
  Reject oversized iCCP profile immediately.
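The valgrind trace in the report (a huge, effectively negative size reaching malloc from png_handle_iCCP) and the CHANGES entry above (warn and return NULL instead of erroring, reject an oversized profile before allocating) describe the same defensive pattern: bound a length field taken from untrusted input before it becomes an allocation size. The following is an added example written for this page, not code from libpng or from the attached patch. It models the check on a bare ICC profile header: the profile size is the big-endian 32-bit field in the first four bytes, and the limit macro, function names and the 8,000,000-byte cap are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap for this example: the largest decompressed ICC profile we are
 * willing to allocate. libpng has a user-settable chunk malloc limit; the
 * macro name and value here are this example's own choice. */
#define EXAMPLE_PROFILE_MAX 8000000u

/* An ICC profile is at least a 128-byte header plus a 4-byte tag count. */
#define ICC_HEADER_MIN 132u

/* Big-endian 32-bit read: the encoding of PNG chunk lengths and of the
 * profile size field in the first four bytes of an ICC profile. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* PNG chunk lengths must not exceed 2^31-1; anything with the top bit set
 * is malformed regardless of the chunk type. */
int png_chunk_length_ok(uint32_t length)
{
    return length <= 0x7fffffffu;
}

/* Decide, before allocating anything, whether the size declared in an ICC
 * profile header may be honoured. Returns 1 if it may, 0 otherwise;
 * *declared receives the size field (0 if unreadable), *reason a short
 * explanation suitable for a warning. */
int icc_profile_size_ok(const unsigned char *hdr, size_t avail,
                        uint32_t *declared, const char **reason)
{
    *declared = 0;
    if (avail < 4) {
        *reason = "truncated: profile size field not available";
        return 0;
    }
    *declared = read_be32(hdr);
    if (*declared < ICC_HEADER_MIN) {
        *reason = "profile smaller than ICC header";
        return 0;
    }
    if (*declared > 0x7fffffffu) {
        /* With a 32-bit size_t this is exactly what valgrind reports as a
         * fishy (possibly negative) malloc argument. */
        *reason = "declared size exceeds 2^31-1";
        return 0;
    }
    if (*declared > EXAMPLE_PROFILE_MAX) {
        *reason = "declared size exceeds configured profile limit";
        return 0;
    }
    *reason = "ok";
    return 1;
}

/* Allocation wrapper in the spirit of the fix: warn and return NULL rather
 * than pass an unchecked size to malloc. The caller frees the result. */
unsigned char *alloc_icc_profile(const unsigned char *hdr, size_t avail,
                                 uint32_t *declared)
{
    const char *why;
    if (!icc_profile_size_ok(hdr, avail, declared, &why)) {
        fprintf(stderr, "warning: iCCP: %s (size field 0x%08x)\n",
                why, (unsigned)*declared);
        return NULL;
    }
    return (unsigned char *)malloc(*declared);
}

int main(void)
{
    /* Constructed inputs: a minimal sane header, and one whose size field is
     * 0xE0303376, the unsigned form of the -533712010 seen in the report. */
    const unsigned char sane[4] = {0x00, 0x00, 0x00, 0x84};
    const unsigned char huge[4] = {0xE0, 0x30, 0x33, 0x76};
    uint32_t n;
    unsigned char *p;

    p = alloc_icc_profile(sane, sizeof sane, &n);
    printf("sane: %s, declared %u\n", p ? "allocated" : "rejected", (unsigned)n);
    free(p);

    p = alloc_icc_profile(huge, sizeof huge, &n);
    printf("huge: %s, declared %u\n", p ? "allocated" : "rejected", (unsigned)n);
    free(p);
    return 0;
}
```

The order of the checks matters: the 2^31-1 test sits before the configured cap so that a build with a 32-bit size_t never sees the field reinterpreted as a negative number, and the minimum-size test rejects a header too short to be a real profile before any of the size comparisons are trusted.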
Comment 5•8 years ago
Comment on attachment 8779799 [details] [diff] [review]
v00-1293911-part01-iCCP-chunk-handling-libpng

The v00 patch failed to build, marking it obsolete.
Attachment #8779799 -
Attachment is obsolete: true
Comment 6•8 years ago
Update png.c and pngpriv.c to libpng-1.6.25beta01, with improved iCCP chunk handling.
Comment 7•8 years ago
Libpng-1.6.25beta01 has been released with improved iCCP chunk handling, which should fix this bug. You can either download libpng-1.6.25beta01 and try "pngtest" or you can apply the v01 patch and test with Firefox. Or both.
Flags: needinfo?(twsmith)
Comment 8•8 years ago
Tested with v01-1293911-part01-iCCP-chunk-handling-libpng applied and the issue is no longer present. Thanks.
Flags: needinfo?(twsmith)
Comment 9•8 years ago
Should we land this or just wait for libpng-1.6.25? It'll be several weeks. The vulnerability has been exposed by the fix in libpng-1.6.25beta01, but I believe that an exploit would only be capable of exhausting memory.
Flags: needinfo?(jmuizelaar)
Comment 10•8 years ago
libpng-1.6.25 is due out on September 1, 2016, unless any problems are reported with libpng-1.6.25rc01.
Comment 11•8 years ago
Comment on attachment 8780509 [details] [diff] [review]
v01-1293911-part01-iCCP-chunk-handling-libpng

Review of attachment 8780509 [details] [diff] [review]:
-----------------------------------------------------------------

I think this is ok to wait for. The handling of memory exhaustion works correctly, right?
Updated•8 years ago
Flags: needinfo?(jmuizelaar)
Comment 12•8 years ago
Fixed by checkin of libpng-1.6.25, bug #1299590
Updated•8 years ago
Attachment #8780509 -
Attachment is obsolete: true
Updated•8 years ago
Group: gfx-core-security → core-security-release
Updated•4 years ago
Group: core-security-release