oss-sec mailing list archives
CVE Request: Use-after-free in optipng 0.6.4
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Wed, 16 Sep 2015 08:11:03 -0300
We found a use-after-free causing an invalid/double free in optipng 0.6.4. Upstream is working on fixing it, but keep in mind that optipng 0.6.x is officially unsupported. A CVE will be useful since that version is included in distros like Debian and Ubuntu. Please find attached the test case to trigger it.

The valgrind report is here:

OptiPNG 0.6.4: Advanced PNG optimizer.
Copyright (C) 2001-2010 Cosmin Truta.

Processing: boom.png
Warning: pHYs: CRC error
Warning: gQMA: CRC error
1x2 pixels, 8 bits/pixel, 0 colors in palette
Error: Inconsistent data in libpng
==24844== Invalid read of size 4
==24844==    at 0x804DC68: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x4281a08 is 0 bytes inside a block of size 8 free'd
==24844==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x406370D: png_free_data (png.c:594)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==
==24844== Invalid free() / delete / delete[] / realloc()
==24844==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x804DC8E: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x4281a08 is 0 bytes inside a block of size 8 free'd
==24844==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x406370D: png_free_data (png.c:594)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==
==24844== Invalid free() / delete / delete[] / realloc()
==24844==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x804DC9B: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x42816d8 is 0 bytes inside a block of size 768 free'd
==24844==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x4063282: png_zfree (png.c:204)
==24844==    by 0x4063788: png_free_data (png.c:569)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==
==24844== Invalid read of size 4
==24844==    at 0x804DCC8: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x4281630 is 8 bytes inside a block of size 60 free'd
==24844==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x40639B4: png_free_data (png.c:537)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==
==24844== Invalid free() / delete / delete[] / realloc()
==24844==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x804DCEB: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x4281628 is 0 bytes inside a block of size 60 free'd
==24844==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x40639B4: png_free_data (png.c:537)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==

Regards,
Gustavo.
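The stacks in the report above all share one shape: the library's teardown (png_destroy_read_struct, via png_info_destroy and png_free_data) releases the palette, text and other blocks hanging off the info struct, and the application (opng_optimize at opngoptim.c:507) then reads and frees the same blocks through pointers it still holds. The following is an added, constructed C model of that bug class and of the ownership fix; it is not optipng or libpng code, and the lib_*/app_* names, struct members and sizes are hypothetical. Because a real second free() aborts under modern allocators, a small tracking allocator stands in for the heap so the double frees can be counted instead of crashing, the way a sanitizer would report them.

```c
/* Constructed model of a library destructor freeing members that the
 * application still aliases (not optipng/libpng code; names are made up). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCKS 16

static void *live[MAX_BLOCKS];  /* blocks currently allocated and unreleased */
static int double_frees;        /* frees of a block that was already released */

/* Allocate and record the block so a later free can be validated. */
static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (live[i] == NULL) { live[i] = p; return p; }
    }
    free(p);
    return NULL;
}

/* Release a live block; count (instead of crash on) a stale pointer. */
static void tracked_free(void *p) {
    if (p == NULL) return;      /* free(NULL) is a no-op, as in C */
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    }
    double_frees++;             /* p is not live: this is the bug */
}

static void tracker_reset(void) {
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (live[i] != NULL) { free(live[i]); live[i] = NULL; }
    }
    double_frees = 0;
}

/* Library side: an info struct whose members the library allocates and owns. */
struct lib_info { unsigned char *palette; char *text; };

static struct lib_info *lib_info_create(void) {
    struct lib_info *info = tracked_alloc(sizeof *info);
    info->palette = tracked_alloc(768);   /* hypothetical palette block */
    info->text = tracked_alloc(60);       /* hypothetical text block */
    strcpy(info->text, "constructed comment chunk");
    return info;
}

/* The library's destructor releases every member it still owns, then the struct. */
static void lib_info_destroy(struct lib_info *info) {
    tracked_free(info->palette);
    tracked_free(info->text);
    tracked_free(info);
}

/* Buggy flow: keep aliases to library-owned members, let the library tear the
 * struct down on an error path, then "clean up" the aliases. Returns how many
 * stale frees the tracker caught (2 here). */
static int app_flow_buggy(void) {
    tracker_reset();
    struct lib_info *info = lib_info_create();
    unsigned char *palette = info->palette;   /* alias into library memory */
    char *text = info->text;
    lib_info_destroy(info);                   /* error path: library frees everything */
    tracked_free(palette);                    /* stale pointer: double free */
    tracked_free(text);                       /* stale pointer: double free */
    return double_frees;
}

/* Fixed flow: transfer ownership explicitly before teardown by detaching the
 * members (NULLing the struct's pointers), so exactly one owner frees each
 * block. Returns 0 stale frees. */
static int app_flow_fixed(void) {
    tracker_reset();
    struct lib_info *info = lib_info_create();
    unsigned char *palette = info->palette; info->palette = NULL;  /* take ownership */
    char *text = info->text;                info->text = NULL;
    lib_info_destroy(info);                   /* frees only the struct it still owns */
    tracked_free(palette);                    /* sole owner: single free */
    tracked_free(text);
    return double_frees;
}

int main(void) {
    printf("buggy flow: %d stale free(s)\n", app_flow_buggy());
    printf("fixed flow: %d stale free(s)\n", app_flow_fixed());
    return 0;
}
```

The same ownership question applies whenever a destroy routine such as png_destroy_read_struct is reached from an error path: anything the caller copied out of the library's structures must either be detached before the call or treated as dead after it, and a tool like valgrind or ASan run over the crashing input will point at exactly the two stacks (the first free and the stale second access) seen in the report.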