
PNG Reference Library: libpng crashers


This site belongs to the PNG Development Group and is maintained for the group by Glenn Randers-Pehrson randeg@alum.rpi.edu

Web space for this project is being provided by sourceforge.net


June 29, 2002


MAY 2004: There is a bugtraq report that code in pngerror.c exhibits a vulnerability to DoS, caused by use of memcpy() to read beyond the end of a string.

Here is a test case:


These images have IHDR chunks claiming a width and height of 1 each, but their IDAT chunks actually contain 4096x4096 pixels' worth of rows. They will crash applications that use progressive reading and are built with libpng-1.2.3 and earlier.

This gzipped tar file, crashers.tar.gz, contains crashnon.png, which is noninterlaced, and crashint.png, which is interlaced. They were also formatted as MNG files by changing the file extension to .mng (crashnon.mng and crashint.mng), and by wrapping them with MHDR/MEND chunks (mpngnon.mng and mpngint.mng).
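As an added example (not part of this page or of libpng itself), the following Python checker does at file level what the patch on this page does inside the progressive decoder: it walks the chunks, computes from IHDR how many bytes the concatenated IDAT stream must inflate to (one filter byte plus the pixel bytes of every row, summed over the seven Adam7 passes when the image is interlaced), and inflates under a cap so that an oversized stream is reported without ever expanding the whole payload. The build_png helper constructs, in memory, an honest 1x1 greyscale image and one whose IDAT carries 64x64 rows behind a 1x1 IHDR (the crashers described above use 4096x4096; the smaller size keeps the example quick). The names build_png, check_idat_size and expected_raw_size, and the verdict strings, are my own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type (0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGBA)
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}
# Adam7 pass geometry: (x_start, y_start, x_step, y_step)
ADAM7 = ((0, 0, 8, 8), (4, 0, 8, 8), (0, 4, 4, 8), (2, 0, 4, 4),
         (0, 2, 2, 4), (1, 0, 2, 2), (0, 1, 1, 2))


def iter_chunks(data):
    """Yield (type, body) for every chunk, checking lengths and CRCs on the way."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            raise ValueError("truncated %r chunk" % ctype)
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc_field)[0]:
            raise ValueError("bad CRC on %r chunk" % ctype)
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def expected_raw_size(width, height, bit_depth, color_type, interlace):
    """Bytes the IDAT stream must inflate to: each row is one filter byte plus its pixels."""
    bits_per_pixel = CHANNELS[color_type] * bit_depth

    def pass_bytes(w, h):
        # An empty pass contributes nothing, not even filter bytes
        return 0 if w == 0 or h == 0 else h * (1 + (w * bits_per_pixel + 7) // 8)

    if interlace == 0:
        return pass_bytes(width, height)
    return sum(pass_bytes((width - xs + xstep - 1) // xstep,
                          (height - ys + ystep - 1) // ystep)
               for xs, ys, xstep, ystep in ADAM7)


def check_idat_size(data):
    """Return (verdict, expected_bytes, inflated_bytes) for a PNG byte string.

    Inflation is capped at expected + 1 bytes, so a stream carrying more rows
    than IHDR announces is flagged as "excess" after inflating a single extra byte.
    """
    ihdr = None
    idat = b""
    for ctype, body in iter_chunks(data):
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat += body
    if ihdr is None:
        raise ValueError("no IHDR chunk")
    width, height, bit_depth, color_type, _comp, _filter, interlace = ihdr
    expected = expected_raw_size(width, height, bit_depth, color_type, interlace)
    inflater = zlib.decompressobj()
    raw = inflater.decompress(idat, expected + 1)
    if len(raw) > expected:
        return ("excess", expected, len(raw))
    if len(raw) < expected:
        return ("short", expected, len(raw))
    if not inflater.eof:
        return ("unterminated", expected, len(raw))
    return ("ok", expected, len(raw))


def build_png(claimed_w, claimed_h, real_w, real_h):
    """Constructed 8-bit greyscale PNG whose IHDR claims claimed_w x claimed_h
    while its IDAT actually carries real_w x real_h zero pixels (filter type 0 per row)."""
    def chunk(ctype, body):
        return (struct.pack(">I", len(body)) + ctype + body +
                struct.pack(">I", zlib.crc32(ctype + body)))
    ihdr = struct.pack(">IIBBBBB", claimed_w, claimed_h, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(real_w) for _ in range(real_h))
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr) +
            chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


if __name__ == "__main__":
    samples = (("honest 1x1", build_png(1, 1, 1, 1)),
               ("1x1 IHDR over 64x64 rows", build_png(1, 1, 64, 64)),
               ("4x4 IHDR over 1x1 rows", build_png(4, 4, 1, 1)))
    for name, png in samples:
        print(name, "->", check_idat_size(png))
```

The cap is the point of the design: a decoder that trusts the IDAT stream to stop on its own hands the caller rows beyond the declared height, which is exactly what the progressive row callback of an application receives from an unpatched libpng; measuring against IHDR first and stopping at the first surplus byte keeps both the memory and the row count bounded by the header the application already sized its buffers from.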

The vulnerability was discovered by "Max" and reported at http://online.securityfocus.com/bid/5059
(test image: http://fearwall.hypermart.net/crash.png).

CAUTION: Don't click these unless you are prepared for your browser to crash:

Here is a libpng patch that removes the vulnerability. It can be applied to any libpng version from 0.98 to 1.2.4beta2. Version 1.2.4beta3 and later have been patched.


*** ../libpng-1.2.4beta2/pngpread.c	Thu Jun 20 07:54:24 2002
--- pngpread.c	Wed Jun 26 17:34:22 2002
***************
*** 746,751 ****
--- 746,758 ----
        }
        if (!(png_ptr->zstream.avail_out))
        {
+          if ((
+ #if defined(PNG_READ_INTERLACING_SUPPORTED)
+              png_ptr->interlaced && png_ptr->pass > 6) ||
+              (!png_ptr->interlaced &&
+ #endif
+              png_ptr->row_number == png_ptr->num_rows-1))
+            png_error(png_ptr, "Too much data in IDAT chunks");
           png_push_process_row(png_ptr);
           png_ptr->zstream.avail_out = (uInt)png_ptr->irowbytes;
           png_ptr->zstream.next_out = png_ptr->row_buf;
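Review bot: check the boundary in `png_ptr->row_number == png_ptr->num_rows-1`. The new test runs when the row buffer has just filled but before `png_push_process_row(png_ptr)` handles that row, so if `row_number` is the zero-based index of the row about to be processed, it equals `num_rows-1` on the last legitimate row of every non-interlaced image and the new `png_error` would reject valid files; if the counter is only advanced inside `png_push_process_row`, the surplus-data condition is `row_number == num_rows` (every declared row already delivered, yet another full row inflated). Whichever is correct, a one-line comment stating what `row_number` counts at this point would make the intent checkable, and it is worth deciding whether a fatal `png_error` is wanted here or whether `png_warning` plus discarding the surplus is the better fit for a stream that is otherwise well formed. The condition does parse correctly with `PNG_READ_INTERLACING_SUPPORTED` both defined and undefined, but the split parentheses across the `#if` make that hard to see at a glance; a `/* interlaced: all passes done; non-interlaced: all rows done */` comment above the `if` would help the next reader.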


I'm not sure what's the matter with this one, but it is the subject of a Mozilla bug report.