-
Notifications
You must be signed in to change notification settings - Fork 633
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Heap-buffer-overflow in pngwrite.c:856:4 in png_write_png #491
Comments
Here are the PoC program and PoC input: You can reproduce this issue by running:
|
Try using png_init_io |
No prob without the transform. |
No problem without either. I think I'll do this once more. Here's the simplified test case:
That's correct apart from the bogus transform but no problem. |
@ctruta: for your benefit, I feel the OP knows all this, the APIs png_(read|write)_png take transforms from the same set but "read" transforms transform the input PNG into the desired state while "write" transforms make statements about the input. In this case the write transform is called with data that doesn't require any transforms (it's already in the format specified by the IHDR) however the programmer has requested transforms:
The supplied test case is 16bit gray with some spurious data at the end (i.e. apart from the extra data it is valid). Some of the transforms are valid and some are no-op. All the requested "read only" transforms should be no-ops, but it's still a programmer error specifying them. "packswap" is fine; it just borks the image, but I think its one of Willem's test images and the high and low bytes are equal (so no effect). BGR should be ignored (requested output is 16-bit gray). STRIP_FILLER_AFTER is, however, a big problem: it states that the input data has "Gf" format, two samples per pixel. Consequently png_write_png reads twice as much data from each row as is available. @PromptFuzz even states this. In fact the argument to png_write_png is an array of 256 pointers to 512 bytes of memory and png_write_png reads 512 bytes beyond the end of each. It doesn't do that at the memcpy; it happens earlier in the transforms. So this is clearly a programmer error. The argument is that this might be done by a remote attacker is ridiculous; that's an app bug, not a libpng bug. The app needs to pass a consistent set of arguments to png_write_png. |
Summary
A heap-buffer-overflow found in
png_write_png
, it could cause 200 bytes out-of-bound read on heap!If the transform flags of
png_write_png
could be controlled by remote attackers, it could cause information leak or further exploition.POC
POC Input
Crash input
Version
Found on version of 2023/06/07. Reproducible on the master branch.
Compile commands
Build the libpng
Compile the poc program
Reproduce Step
ASAN INFO
The text was updated successfully, but these errors were encountered: