PNG Reference Library: libpng crashers
MAY 2004: There is a bugtraq report that code in pngerror.c exhibits a vulnerability to DoS, caused by use of memcpy() to read beyond the end of a string. Here is a test case:
These images have IHDR chunks that claim the width and height are each 1, but the IDAT chunks actually contain 4096x4096 pixels. They will crash applications that use progressive reading and are built with libpng-1.2.3 and earlier. This gzipped tar file, crashers.tar.gz, contains crashnon.png, which is noninterlaced, and crashint.png, which is interlaced. They were also formatted as MNG files by changing the file extension to .mng (crashnon.mng and crashint.mng), and by wrapping them with MHDR/MEND chunks (mpngnon.mng and mpngint.mng).
The vulnerability was discovered by "Max".
CAUTION: Don't click these unless you are prepared for your browser to crash:
Here is a libpng patch that removes the vulnerability. It can be applied to any libpng version from 0.98 to 1.2.4beta2. Version 1.2.4beta3 and later have been patched.
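As an added example (not libpng's code, not the patch above, and not the files in crashers.tar.gz), the Python below builds a PNG with the same shape as the crashers described above, an IHDR that claims 1x1 while the IDAT inflates to 4096x4096 rows, and then applies the check a defensive decoder wants: inflate IDAT no further than the geometry in IHDR justifies and treat anything beyond that as an error. It assumes 8-bit greyscale, zero-filled rows for the constructed file; the row-size arithmetic for the interlaced variant follows the Adam7 pass layout from the PNG specification. The check is the generic size guard, not libpng's own fix.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type (grey, RGB, palette, grey+alpha, RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}
# Adam7 pass layout from the PNG spec: (x start, y start, x step, y step).
ADAM7 = [(0, 0, 8, 8), (4, 0, 8, 8), (0, 4, 4, 8), (2, 0, 4, 4),
         (0, 2, 2, 4), (1, 0, 2, 2), (0, 1, 1, 2)]


def expected_raw_size(width, height, bit_depth, color_type, interlace):
    """Bytes of filtered scanline data (one filter byte per row) that the
    geometry declared in IHDR entitles a decoder to inflate from IDAT."""
    bpp = CHANNELS[color_type] * bit_depth

    def rows(w, h):
        return h * (1 + (w * bpp + 7) // 8) if w and h else 0

    if not interlace:
        return rows(width, height)
    total = 0
    for xs, ys, xstep, ystep in ADAM7:
        pw = (width - xs + xstep - 1) // xstep if width > xs else 0
        ph = (height - ys + ystep - 1) // ystep if height > ys else 0
        total += rows(pw, ph)  # empty passes contribute nothing
    return total


def chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC-32 over type and data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(claimed_w, claimed_h, real_w, real_h, interlace=0):
    """8-bit greyscale PNG whose IHDR declares claimed_w x claimed_h while its
    IDAT inflates to real_w x real_h worth of all-zero filtered rows.
    With real == claimed this is a valid file; with 1x1 vs 4096x4096 it has
    the shape of the crashers described on the page (constructed here)."""
    ihdr = struct.pack(">IIBBBBB", claimed_w, claimed_h, 8, 0, 0, 0, interlace)
    raw = b"\x00" * expected_raw_size(real_w, real_h, 8, 0, interlace)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def iter_chunks(png):
    """Yield (type, data) for each chunk, verifying the signature and CRCs."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, data
        pos += 12 + length


def check_idat_size(png):
    """Return 'ok', 'excess' or 'truncated'. IDAT is inflated only one byte
    past what IHDR justifies, so an oversized stream neither fills memory
    nor reaches row-handling code with rows the header never announced."""
    ihdr, idat = None, b""
    for ctype, data in iter_chunks(png):
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", data)
        elif ctype == b"IDAT":
            idat += data
    if ihdr is None:
        raise ValueError("missing IHDR")
    w, h, depth, ct, _, _, interlace = ihdr
    expected = expected_raw_size(w, h, depth, ct, interlace)
    inflater = zlib.decompressobj()
    out = inflater.decompress(idat, expected + 1)
    if len(out) > expected:
        return "excess"       # the 1x1-header / 4096x4096-data case
    if len(out) < expected or not inflater.eof:
        return "truncated"
    return "ok"


if __name__ == "__main__":
    print(check_idat_size(build_png(1, 1, 4096, 4096)))               # excess
    print(check_idat_size(build_png(1, 1, 4096, 4096, interlace=1)))  # excess
    print(check_idat_size(build_png(16, 16, 16, 16, interlace=1)))    # ok
```

The point of passing a bound to the inflater is that the decision is made before the surplus rows exist: a reader that hands every inflated row to its row callback and only compares against IHDR afterwards has already done the damage. The same guard reports an IDAT stream that ends early, which is the other way a header and its pixel data can disagree.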
I'm not sure what's the matter with this one, but it is the subject of a Mozilla bug report.