oss-sec mailing list archives
RE: [png-mng-implement] [oss-security] CVE Request -- libpng v1.4.3 and v1.2.44 -- memory leak while processing PNG image with malformed sCAL chunks
From: "John Bowler" <jbowler () frontiernet net>
Date: Mon, 5 Jul 2010 08:41:17 -0700
From: Marcus Meissner [mailto:meissner () suse de]
[b], memory-leak bug, involving images with malformed sCAL chunks, which could lead to an application crash.

oss-sec, png-mng-implement ... do you have test images or a reproducer for the sCAL issue?

As found on: http://code.google.com/p/chromium/issues/detail?id=45983

The sample crashing PNG is: http://www.ee.oulu.fi/~aki/spark.png
That doesn't show issue [b] - the sCAL leak. The original demonstration was provided by a program to generate the test image, because the test image is somewhat large (20MByte with the default settings). Unfortunately the original program didn't compile, but it's easy to fix (it used a piece of non-exported libpng data, but that data is just the string "sCAL".) I guess I can post the fixed version, but I'd prefer permission of the person to post it - Vegard Nossum.

The "sample crashing PNG" was generated by radamsa using the 'surfy' fuzzer on the PNGSuite test images to generate broken images. I've subsequently run radamsa using all the fuzzers and more images without finding more problems, but the more input images that are used the more likely problems will be detected (since there are more patterns for radamsa to find and tweak.)

Radamsa is a Scheme program that, unfortunately, requires its own specific Scheme compiler "owl-lisp" (i.e. it won't compile against Scheme48 and its libraries.) However, there's a self-contained binary distribution (it contains all the owl libraries required). More information is here: http://code.google.com/p/ouspg/wiki/Radamsa

This includes how to download and compile the binary (the download is a decimal encoded Scheme/LISP heap). The source is somewhat bleeding-edge - I eventually found that I could build radamsa r260 with owl-lisp r83, but that was a long, long time ago - June 21. I also found that I still had to use a binary of owl-lisp to bootstrap it, but by then I was pretty much convinced that it was probably safe ;-)

John Bowler <jbowler () acm org>
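The thread concerns sCAL chunks that do not match the chunk's defined layout. The following is an added example, not code from the thread, libpng or radamsa: a small chunk walker that checks the CRC of every chunk and validates each sCAL payload against the layout in the PNG extensions specification (unit byte 1 or 2, ASCII float, NUL, ASCII float, both positive), so a triage tool can flag such chunks before handing a file to a decoder. The sample PNG structure is constructed inline and is not a reproducer for the libpng bug.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Grammar of one ASCII floating-point value as the sCAL spec describes it.
ASCII_FLOAT = re.compile(rb"[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png: bytes):
    """Yield (type, data, crc_ok) for each chunk following the signature."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        if len(data) != length:
            raise ValueError("truncated chunk %r" % ctype)
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        yield ctype, data, crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        pos += 12 + length

def check_scal(data: bytes) -> str:
    """Return 'ok' or why an sCAL payload is malformed. Layout per the PNG
    extensions spec: unit byte (1 = metre, 2 = radian), float, NUL, float."""
    if len(data) < 4:
        return "too short"
    if data[0] not in (1, 2):
        return "bad unit specifier %d" % data[0]
    parts = data[1:].split(b"\x00")
    if len(parts) != 2:
        return "expected exactly one NUL separator, found %d" % (len(parts) - 1)
    if not all(ASCII_FLOAT.fullmatch(p) and float(p.decode("ascii")) > 0
               for p in parts):
        return "width/height are not positive ASCII floating-point values"
    return "ok"

def audit_scal(png: bytes) -> list:
    """(chunk index, verdict) for every sCAL chunk; a CRC mismatch wins."""
    return [(i, check_scal(d) if ok else "bad CRC")
            for i, (t, d, ok) in enumerate(iter_chunks(png)) if t == b"sCAL"]

# Constructed sample: IHDR for a 1x1 greyscale image, a well-formed sCAL chunk,
# an sCAL chunk missing its NUL separator, then IEND (no IDAT; structure only).
SAMPLE = (PNG_SIGNATURE
          + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + chunk(b"sCAL", b"\x01" + b"0.01\x000.01")
          + chunk(b"sCAL", b"\x02" + b"1.5e-3 1.5e-3")
          + chunk(b"IEND", b""))
```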
Current thread:
- Re: CVE Request -- libpng v1.4.3 and v1.2.44 -- memory leak while processing PNG image with malformed sCAL chunks Marcus Meissner (Jul 05)
- RE: [png-mng-implement] [oss-security] CVE Request -- libpng v1.4.3 and v1.2.44 -- memory leak while processing PNG image with malformed sCAL chunks John Bowler (Jul 05)
- Re: [png-mng-implement] [oss-security] CVE Request -- libpng v1.4.3 and v1.2.44 -- memory leak while processing PNG image with malformed sCAL chunks Glenn Randers-Pehrson (Jul 05)