Closed Bug 154996 Opened 23 years ago Closed 23 years ago

PNG files with wrong width/height fields in IHDR crash the browser

Categories

(Core :: Graphics: ImageLib, defect)

Platform: x86, OS: Windows 95, Type: defect, Priority: Not set, Severity: major

VERIFIED FIXED

People

(Reporter: glennrp+bmo, Assigned: tor)

Details

(Keywords: crash)

Attachments

(1 file, 1 obsolete file)

When a PNG image has smaller values of height and width in the IHDR chunk than are actually present in the IDAT chunk, an overflow can cause the browser to crash. See two recent talkback reports from me. It is possible that this vulnerability could be exploited. The vulnerability exists in all versions of libpng through 1.2.4beta2, including version 1.0.9 that is currently used by Mozilla. Libpng-1.2.4beta3 has been fixed to detect the wrong-sized width and height values, and a simple patch is available at http://libpng.sourceforge.net/crashers/index.html that can be applied to libpng versions 0.98 through 1.2.4beta2 to correct the problem. Netscape 6 would also be vulnerable. Glenn
Confirming bug, 2002-06-28-08 on Windows 98 SE. I crashed on 'crashnon.png' (Talkback: TB7842378X), but not on 'crashint.png'.
Assignee: Matti → pavlov
Component: Browser-General → ImageLib
Keywords: crash
QA Contact: imajes-qa → tpreston
Neither example actually crashed the driver without the patch, but just hung it spewing "libpng warning: Ignoring bad adaptive filter type" errors. Just as bad, though.
Assignee: pavlov → tor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 89696 [details] [diff] [review] (as above plus MOZCHANGES entry): rs=tor for author-provided patch of an external library
Checked in on trunk.
What tor said. Several thousand error messages per image, 83 seconds to load (1.4 GHz Athlon XP, Slackware 8.0, glibc 2.2.3, XF86 4.1.0). Ugly. Greg
Attachment #89694 - Attachment is obsolete: true
I've added MNG variants of the files to the http://libpng.sf.net/crashers/index.html site. Unfortunately SourceForge sends them out with the wrong MIME type. If someone here has a site that sends MNG out properly you are welcome to mirror the site. The MNG variants are crashint.png and crashnon.png simply renamed with the MNG extension, and two more files where they are wrapped with MNG MHDR/MEND chunks. I don't see a crash on my platform because they are simply rendered as text, which doesn't really tell me anything. Glenn
Attachment #89696 - Flags: approval+
Please check in to the 1.0.1 branch. Once there, remove the "mozilla1.0.1+" keyword and add the "fixed1.0.1" keyword.
Keywords: mozilla1.0.1+
Checked in on branch.
Fix in trunk/branch - closing.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Verified fixed, Win XP branch build 2002070908.
The fix for this bug has motivated bug 160453 since now some files with small amounts of extra data are rejected. I have just released libpng-1.2.5beta1 which has a different fix that prevents the crashing but displays the image, with a warning or two, if one is actually present. Glenn
Status: RESOLVED → VERIFIED
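The defect described in the report, and the follow-up about libpng-1.2.5beta1 tolerating small amounts of excess data, both come down to one consistency check: the number of bytes the IDAT stream inflates to versus the number the IHDR width, height, bit depth and colour type imply. The following is an added example (not libpng's or Mozilla's code) that performs that check on an in-memory PNG; `make_png` constructs test images whose IHDR may deliberately disagree with the pixel data, and the checker reports "short", "ok" or "excess" so a caller can decide between rejecting and displaying with a warning. It assumes 8-bit, non-interlaced images.

```python
import struct
import zlib

# Samples per pixel for each PNG colour type (0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGBA)
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def png_chunk(ctype, data):
    """Build one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(decl_w, decl_h, real_w, real_h, color_type=2):
    """Constructed test image: IHDR declares decl_w x decl_h, IDAT really holds real_w x real_h."""
    bpp = CHANNELS[color_type]
    # Each scanline is one filter-type byte (0 = None) followed by the zeroed pixels
    raw = b"".join(b"\x00" + bytes(real_w * bpp) for _ in range(real_h))
    ihdr = struct.pack(">IIBBBBB", decl_w, decl_h, 8, color_type, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def check_idat_size(png):
    """Return (status, expected_bytes, actual_bytes) comparing IHDR geometry to inflated IDAT."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, width, idat = 8, None, b""
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, depth, color_type = struct.unpack(">IIBB", data[:10])
        elif ctype == b"IDAT":
            idat += data  # IDAT may be split across several chunks; concatenate before inflating
        elif ctype == b"IEND":
            break
        pos += 12 + length  # length + type + data + CRC
    if width is None:
        raise ValueError("missing IHDR")
    # rowbytes = ceil(width * bits per pixel / 8) plus the per-row filter-type byte
    rowbytes = (width * CHANNELS[color_type] * depth + 7) // 8 + 1
    expected = rowbytes * height
    actual = len(zlib.decompress(idat))
    if actual < expected:
        return "short", expected, actual
    if actual > expected:
        return "excess", expected, actual
    return "ok", expected, actual
```

A decoder that sizes its row buffer from IHDR but keeps inflating until the IDAT stream ends is exactly the "excess" case; the checker lets a caller reject it outright (the 1.2.4beta3 behaviour) or allow a small surplus with a warning (the 1.2.5beta1 behaviour).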
