Bug 154996 (Closed)
Opened 23 years ago
Closed 23 years ago
PNG files with wrong width/height fields in IHDR crash the browser
Categories: Core :: Graphics: ImageLib, defect
Status: VERIFIED FIXED
People: Reporter: glennrp+bmo, Assigned: tor
Details: Keywords: crash
Attachments: 1 file, 1 obsolete file
1.29 KB, patch, jud: approval+
When a PNG image has smaller values of height and width in the IHDR chunk than
are actually present in the IDAT chunk, an overflow can cause the browser to
crash. See two recent talkback reports from me. It is possible that this
vulnerability could be exploited. The vulnerability exists in all versions
of libpng through 1.2.4beta2, including version 1.0.9 that is currently used
by Mozilla.
Libpng-1.2.4beta3 has been fixed to detect the wrong-sized width and height
values, and a simple patch is available at
http://libpng.sourceforge.net/crashers/index.html
that can be applied to libpng versions 0.98 through 1.2.4beta2
to correct the problem.
Netscape 6 would also be vulnerable.
Glenn
Comment 2 • 23 years ago
Confirming bug, 2002-06-28-08 on Windows 98 SE.
I crashed on 'crashnon.png' (Talkback: TB7842378X), but not on 'crashint.png'
Assignee: Matti → pavlov
Component: Browser-General → ImageLib
Keywords: crash
QA Contact: imajes-qa → tpreston
Neither example actually crashed the driver without the patch, but just
hung it spewing "libpng warning: Ignoring bad adaptive filter type" errors.
Just as bad, though.
Assignee: pavlov → tor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 89696
as above plus MOZCHANGES entry
rs=tor for author provided patch of an external library
Comment 7 • 23 years ago
What tor said. Several thousand error messages per image, 83 seconds to load
(1.4 GHz Athlon XP, Slackware 8.0, glibc 2.2.3, XF86 4.1.0). Ugly.
Greg
Attachment #89694 - Attachment is obsolete: true
Comment 8 • 23 years ago
I've added MNG variants of the files to the
http://libpng.sf.net/crashers/index.html
site. Unfortunately SourceForge sends them out with
the wrong MIME type. If someone here has a site
that sends MNG out properly you are welcome to mirror
the site.
The MNG variants are crashint.png and crashnon.png simply
renamed with the MNG extension, and two more files where
they are wrapped with MNG MHDR/MEND chunks.
I don't see a crash on my platform because they are simply
rendered as text, which doesn't really tell me anything.
Glenn
Updated • 23 years ago
Attachment #89696 - Flags: approval+
Comment 9 • 23 years ago
please checkin to the 1.0.1 branch. once there, remove the "mozilla1.0.1+"
keyword and add the "fixed1.0.1" keyword.
Keywords: mozilla1.0.1+
Comment 11 • 23 years ago
Fix in trunk/branch - closing.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 12 • 23 years ago
Verified fixed win xp branch build 2002070908
Keywords: fixed1.0.1 → verified1.0.1
Comment 13 • 22 years ago
The fix for this bug has motivated bug 160453 since now some files with small
amounts of extra data are rejected. I have just released libpng-1.2.5beta1
which has a different fix that prevents the crashing but displays the image,
with a warning or two, if one is actually present.
Glenn
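The failure mode in the original report and the size-bounding idea behind the fixes discussed in comment 13, as an added stand-alone check (not libpng's or Mozilla's code): compute how many decompressed bytes the IHDR dimensions justify, inflate IDAT no further than that bound plus one byte, and reject the file if more data appears. The PNG builder, the `build_gray8_png`/`check_idat_size` names and the assumption of non-interlaced images are all mine.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_gray8_png(width, height, ihdr_width=None, ihdr_height=None):
    """Constructed test input: 8-bit greyscale, non-interlaced PNG whose IHDR
    may understate the real dimensions of the pixel rows stored in IDAT."""
    rows = b"".join(b"\x00" + bytes((x + y) & 0xFF for x in range(width))
                    for y in range(height))            # filter byte 0 + samples
    ihdr = struct.pack(">IIBBBBB", ihdr_width or width, ihdr_height or height,
                       8, 0, 0, 0, 0)                  # depth 8, grey, no interlace
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows))
            + _chunk(b"IEND", b""))

def expected_image_bytes(width, height, depth, colour_type):
    rowbytes = (width * depth * CHANNELS[colour_type] + 7) // 8
    return height * (rowbytes + 1)  # one filter-type byte precedes each row

def check_idat_size(png):
    """Return (expected, produced) decompressed byte counts; raise ValueError
    when the IDAT stream inflates to more than the IHDR dimensions allow."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, ihdr = 8, b"", None
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        pos += 12 + length  # length + type + body + crc
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body[:13])
        elif ctype == b"IDAT":
            idat += body
    if ihdr is None:
        raise ValueError("missing IHDR")
    width, height, depth, colour_type, _, _, interlace = ihdr
    if interlace != 0:
        raise ValueError("interlaced images are not handled by this check")
    expected = expected_image_bytes(width, height, depth, colour_type)
    # Inflate only as far as the row buffer the IHDR justifies; one byte past it
    # proves the stream is oversized without ever writing beyond that buffer.
    out = zlib.decompressobj().decompress(idat, expected + 1)
    if len(out) > expected:
        raise ValueError(f"IDAT yields more than {expected} bytes for {width}x{height}")
    return expected, len(out)
```

A decoder that instead wants the behaviour of libpng-1.2.5beta1 (display the image but warn) can log the mismatch and stop reading at `expected` bytes rather than raising.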
Updated • 19 years ago
Status: RESOLVED → VERIFIED