Closed
Bug 446582
Opened 17 years ago
Closed 16 years ago
Memory leak with PNG iCCP chunk when color_management is enabled
Categories
(Core :: Graphics: ImageLib, defect)
RESOLVED
FIXED
People
(Reporter: glennrp+bmo, Assigned: glennrp+bmo)
Attachments
(1 obsolete file)
A vulnerability has been reported to the libpng developers, whereby a PNG file with a malformed iCCP chunk can leak a large amount of memory (libpng detects the bad chunk but fails to free the data buffer). It is fixed in libpng-1.2.30rc03. A number of other ancillary PNG chunks are also vulnerable, but those are ignored by mozilla. This vulnerability only exists in mozilla when color management is enabled. It can be fixed in mozilla either by installing libpng-1.2.30 when it comes out in about a week from now, or by applying a small patch that only addresses the vulnerability in the iCCP chunk.
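The failure mode in the description above (the bad chunk is detected, but the data buffer is not freed) as a small C model with a regression check. This is an added example, not libpng or Mozilla code. The names `handle_iccp`, `leaked_after` and the live-buffer table are hypothetical, and the constructed sample treats a non-zero compression method as the malformation, which the report does not specify.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a chunk handler; not libpng source. */
#define MAX_LIVE 256
static void *live[MAX_LIVE];              /* buffers allocated and not yet freed */
static void *buf_alloc(size_t n) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) return live[i] = malloc(n ? n : 1);
    return NULL;
}
static void buf_free(void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
}
/* iCCP data: name (1-79 bytes), NUL, compression method (must be 0), profile. */
static int iccp_is_valid(const unsigned char *b, size_t len) {
    const unsigned char *nul = memchr(b, 0, len);
    if (!nul || nul == b || nul - b > 79) return 0;  /* missing, empty or long name */
    if ((size_t)(nul - b) + 2 > len) return 0;       /* no compression method byte */
    return nul[1] == 0;                              /* only method 0 is defined */
}
/* free_on_error = 0 models the reported pattern; 1 is the corrected handler. */
int handle_iccp(const unsigned char *data, size_t len, int free_on_error) {
    unsigned char *buf = buf_alloc(len);
    if (!buf) return -1;
    memcpy(buf, data, len);
    if (!iccp_is_valid(buf, len)) {
        if (free_on_error) buf_free(buf);            /* the release the bad path lacked */
        return -1;
    }
    buf_free(buf);                                   /* profile would be consumed here */
    return 0;
}
/* Regression check: feed one chunk n times, then count and reclaim stray buffers. */
long leaked_after(int free_on_error, const unsigned char *chunk, size_t len, int n) {
    long leaked = 0;
    for (int i = 0; i < n; i++) handle_iccp(chunk, len, free_on_error);
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i]) { leaked++; buf_free(live[i]); }
    return leaked;
}
/* Constructed samples: BAD has compression method 1, GOOD has method 0. */
const unsigned char BAD[]  = {'s','R','G','B',0,1,0x78,0x9c};
const unsigned char GOOD[] = {'s','R','G','B',0,0,0x78,0x9c};

int main(void) {
    printf("leaky: %ld\n", leaked_after(0, BAD, sizeof BAD, 100));
    printf("fixed: %ld\n", leaked_after(1, BAD, sizeof BAD, 100));
    return 0;
}
```

Counting live buffers after a batch of rejected inputs is the same check a leak-detecting test run performs on the real decoder: one stray buffer per rejected chunk adds up quickly when the input is attacker-supplied.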
Comment 1•17 years ago
Glenn, I assume you'll be changing bug 418900 to reflect the release of 1.2.30 when it's out? If so, might as well make bug one depend on that one :)
Comment 2•17 years ago (Assignee)
Yes, I will, but that bug #418900 is stuck due to a vague report that it does not process some APNGs properly. I can't proceed without some more details. So I think we will probably also need the small specific bugfix here, even though it would be a lot nicer to keep the APNG fork in sync with regular libpng.
Comment 3•17 years ago (Assignee)
This patch was extracted from libpng-1.2.30rc04.
Comment 4•16 years ago (Assignee)
Libpng-1.2.31 has been released and contains the fix for this bug. See bug #418900.
Depends on: 418900
Comment 5•16 years ago (Assignee)
Comment on attachment 330822
Update trunk png/png_handle_iCCP to version 1.2.30
This patch is rendered obsolete by check-in of libpng-1.2.31 from bug #418900
Attachment #330822 - Attachment is obsolete: true
Comment 6•16 years ago (Assignee)
Resolved WORKSFORME now that libpng-1.2.31 is checked in.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Comment 7•16 years ago (Assignee)
Resolved FIXED (by checkin of bug#418900), not WORKSFORME.
Resolution: WORKSFORME → FIXED