Closed Bug 1293911 Opened 8 years ago Closed 8 years ago

libpng: call to malloc with negative in [@ png_read_buffer]

Categories: Core :: Graphics: ImageLib, defect
Hardware: x86, OS: All
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Reporter: tsmith, Assigned: glennrp+bmo
Keywords: csectype-oom, sec-low, testcase
Attachments: 1 file, 2 obsolete files

Attached image test_case.png
This was found using valgrind and a 32-bit build of libpng. Marking as sec-sensitive for now since I don't know exactly what is happening. Glenn or Tim, what do you think?

To reproduce:
valgrind -q ./pngtest <test_case>

Argument 'size' of function malloc has a fishy (possibly negative) value: -533712010
   at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x8052F53: png_malloc_base (pngmem.c:95)
   by 0x806276F: png_read_buffer (pngrutil.c:310)
   by 0x8064291: png_handle_iCCP (pngrutil.c:1464)
   by 0x8053641: png_read_info (pngread.c:220)
   by 0x8049AF8: test_one_file (pngtest.c:1064)
   by 0x804B169: main (pngtest.c:1967)

Nightly says the image cannot be displayed, and this is in the log:

[ImgDecoder #1]: W/PNGDecoder libpng warning: iCCP: profile 'icc': 0h: PCS illuminant is not D50
[ImgDecoder #1]: W/PNGDecoder libpng warning: iCCP: CRC error
[ImgDecoder #1]: W/PNGDecoder libpng warning: iCCP: truncated
[ImgDecoder #1]: W/PNGDecoder libpng warning: cHRM: CRC error
[ImgDecoder #1]: W/PNGDecoder libpng warning: PLTE: ignored in grayscale PNG

pngcheck says:
glenn.rp> pngcheck -f -v test_case.png
File: test_case.png (456 bytes)
  chunk IHDR at offset 0x0000c, length 13
    32 x 32 image, 16-bit grayscale, non-interlaced
  chunk iCCP at offset 0x00025, length 276
    profile name = icc, compression method = 0 (deflate)
    compressed profile = 271 bytes
  CRC error in chunk iCCP (computed f9c3f6d5, expected 36945b6f)
  chunk cHRM at offset 0x00145, length 32:  invalid green point 0.3 42.543
    White x = 0.3127 y = 0.329,  Red x = 0.64 y = 0.33
    Green x = 0.3 y = 42.543,  Blue x = 0.15 y = 0.06
  CRC error in chunk cHRM (computed 4af248d3, expected 9cba513c)
  chunk PLTE at offset 0x00171, length 15:  PLTE not allowed in grayscale image
: 0 palette entries
  chunk bKGD at offset 0x0018c, length 1:  invalid length
  chunk pHYs at offset 0x00199, length 42:  invalid length
:  EOF while reading CRC value
ERRORS DETECTED in test_case.png
To be fixed in libpng-1.6.25beta01.
Assignee: nobody → glennrp+bmo
Status: NEW → ASSIGNED
Update pngmem.c and pngrutil.c to libpng-1.6.25beta01
I've pushed libpng-1.6.25beta01, with this patch, to the public libpng GIT repositories,
with this explanation in the CHANGES file:

Version 1.6.25beta01 [August 10, 2016]
  Return NULL from png_malloc_array() with a warning instead of calling
    png_error() on failure.
  Reject oversized iCCP profile immediately.
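The CHANGES entry above describes the fix as rejecting an oversized profile before a buffer for it is allocated. As an added illustration (not libpng's own code, and not the patch attached to this bug), the standalone C below shows the two checks that have to run before a length read from the file can reach malloc: the chunk's own 31-bit length field against the bytes actually available, and the size an inflated ICC profile declares in its header. The constants, function names and the sample value 0xE0303376 (the unsigned 32-bit pattern of the -533712010 valgrind reported) are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed limits (not libpng's own code): PNG chunk lengths and ICC profile sizes
 * must fit in 31 bits; an ICC header is 128 bytes plus a 4-byte tag count, so a
 * declared profile size below 132 cannot be a real profile. */
#define PNG_MAX_LEN 0x7fffffffU
#define ICC_MIN_LEN 132U

enum check { CHECK_OK = 0, CHECK_TOO_SHORT, CHECK_OVERSIZED, CHECK_TRUNCATED, CHECK_BAD_CRC };

static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* CRC-32 as used by PNG chunks (reflected polynomial 0xEDB88320), table-free. */
uint32_t png_crc32(const unsigned char *buf, size_t len) {
    uint32_t c = 0xffffffffU;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xedb88320U & (0U - (c & 1U)));
    }
    return c ^ 0xffffffffU;
}

/* Validate one chunk laid out as length(4) type(4) data(len) crc(4) in buf[0..avail).
 * The length is range-checked before it is used for anything else, so a value such as
 * 0xE0303376 (the 32-bit pattern of valgrind's -533712010) is rejected, never allocated. */
enum check check_chunk(const unsigned char *buf, size_t avail) {
    if (avail < 12) return CHECK_TRUNCATED;
    uint32_t len = get_be32(buf);
    if (len > PNG_MAX_LEN) return CHECK_OVERSIZED;
    if ((size_t)len > avail - 12) return CHECK_TRUNCATED;
    /* The CRC covers the type and data bytes, not the length field. */
    if (png_crc32(buf + 4, (size_t)len + 4) != get_be32(buf + 8 + len)) return CHECK_BAD_CRC;
    return CHECK_OK;
}

/* Validate the size an inflated ICC profile declares in its own first four bytes against
 * the bytes actually available, before that size is handed to an allocator. */
enum check check_icc_profile(const unsigned char *profile, size_t avail) {
    if (avail < 4) return CHECK_TRUNCATED;
    uint32_t declared = get_be32(profile);
    if (declared < ICC_MIN_LEN) return CHECK_TOO_SHORT;
    if (declared > PNG_MAX_LEN) return CHECK_OVERSIZED; /* negative if cast to a 32-bit int */
    if ((size_t)declared > avail) return CHECK_TRUNCATED;
    return CHECK_OK;
}
```

A CRC mismatch on an ancillary chunk such as iCCP is only a warning in the log above, so it cannot be relied on to stop a bad length; the size checks must happen on their own.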
Comment on attachment 8779799 [details] [diff] [review]
v00-1293911-part01-iCCP-chunk-handling-libpng

The v00 patch failed to build, marking it obsolete.
Attachment #8779799 - Attachment is obsolete: true
Update png.c and pngpriv.c to libpng-1.6.25beta01, with improved iCCP chunk handling.
Libpng-1.6.25beta01 has been released with improved iCCP chunk handling, which should fix this bug. You can either download libpng-1.6.25beta01 and try "pngtest" or you can apply the v01 patch and test with Firefox. Or both.
Flags: needinfo?(twsmith)
Tested with v01-1293911-part01-iCCP-chunk-handling-libpng applied and the issue is no longer present. Thanks.
Flags: needinfo?(twsmith)
Should we land this or just wait for libpng-1.6.25?  It'll be several weeks. The vulnerability has been exposed by the fix in libpng-1.6.25beta01, but I believe that an exploit would only be capable of exhausting memory.
Flags: needinfo?(jmuizelaar)
libpng-1.6.25 is due out on September 1, 2016, unless any problems are reported with libpng-1.6.25rc01.
Comment on attachment 8780509 [details] [diff] [review]
v01-1293911-part01-iCCP-chunk-handling-libpng

Review of attachment 8780509 [details] [diff] [review]:
-----------------------------------------------------------------

I think this is ok to wait for. The handling of memory exhaustion works correctly right?
Flags: needinfo?(jmuizelaar)
Fixed by checkin of libpng-1.6.25, bug #1299590
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Depends on: 1299590
Resolution: --- → FIXED
Attachment #8780509 - Attachment is obsolete: true
Group: gfx-core-security → core-security-release
Group: core-security-release