oss-sec mailing list archives

CVE Request: Use-after-free in optipng 0.6.4


From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Wed, 16 Sep 2015 08:11:03 -0300

We found a use-after-free causing an invalid/double free in optipng 0.6.4.
Upstream is working on fixing it, but keep in mind that optipng 0.6.x is
officially unsupported. A CVE will be useful since this version is included
in distros like Debian and Ubuntu. Please find attached the test case to
trigger it. The valgrind report is here:

OptiPNG 0.6.4: Advanced PNG optimizer.
Copyright (C) 2001-2010 Cosmin Truta.

Processing: boom.png
Warning: pHYs: CRC error
Warning: gQMA: CRC error
1x2 pixels, 8 bits/pixel, 0 colors in palette
Error: Inconsistent data in libpng
==24844== Invalid read of size 4
==24844==    at 0x804DC68: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x4281a08 is 0 bytes inside a block of size 8 free'd
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x406370D: png_free_data (png.c:594)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==
==24844== Invalid free() / delete / delete[] / realloc()
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x804DC8E: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x4281a08 is 0 bytes inside a block of size 8 free'd
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x406370D: png_free_data (png.c:594)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==
==24844== Invalid free() / delete / delete[] / realloc()
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x804DC9B: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x42816d8 is 0 bytes inside a block of size 768 free'd
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x4063282: png_zfree (png.c:204)
==24844==    by 0x4063788: png_free_data (png.c:569)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==
==24844== Invalid read of size 4
==24844==    at 0x804DCC8: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x4281630 is 8 bytes inside a block of size 60 free'd
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x40639B4: png_free_data (png.c:537)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==
==24844== Invalid free() / delete / delete[] / realloc()
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x804DCEB: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x4281628 is 0 bytes inside a block of size 60 free'd
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x40639B4: png_free_data (png.c:537)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==


Regards,
Gustavo.
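The trace above shows the same blocks freed twice: once by png_destroy_read_struct on libpng's error path, then again by the caller's cleanup at opngoptim.c:507. The C model below is added here and is not code from optipng or libpng; it reproduces that ownership mix-up with hypothetical names (lib_info, reader, caller_owns) and a tiny live-block tracker in place of valgrind, and the ownership-transfer flag is an assumption about how the normal path works, not a description of optipng's code.

```c
#include <stdlib.h>
/* Minimal live-block tracker standing in for valgrind: a second free of the
 * same block is counted instead of corrupting the heap. */
static void *live[16]; static int live_n;
static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p && live_n < 16) live[live_n++] = p;
    return p;
}
static int tracked_free(void *p) {              /* 1 = valid free, 0 = not live */
    if (!p) return 1;
    for (int i = 0; i < live_n; i++)
        if (live[i] == p) { live[i] = live[--live_n]; free(p); return 1; }
    return 0;
}

/* Hypothetical stand-ins for libpng's info struct and optipng's reader state;
 * caller_owns is an assumed ownership-transfer flag (set: caller frees). */
struct lib_info { unsigned char *palette; unsigned char **rows; int caller_owns; };
struct reader   { struct lib_info *info; unsigned char *palette; unsigned char **rows; };
static void lib_destroy(struct lib_info *info) {  /* like png_destroy_read_struct */
    if (!info->caller_owns) { tracked_free(info->palette); tracked_free(info->rows); }
    tracked_free(info);
}
/* fail != 0 models the "Inconsistent data in libpng" error: the library is torn
 * down before ownership was transferred, yet the buggy caller keeps its aliases. */
static void lib_read(struct reader *r, int fail, int fixed) {
    r->info = tracked_alloc(sizeof *r->info);
    r->info->palette = tracked_alloc(768);                    /* 256 RGB entries */
    r->info->rows = tracked_alloc(2 * sizeof *r->info->rows); /* 2 row pointers */
    r->palette = r->info->palette;                            /* raw aliases */
    r->rows = r->info->rows;
    if (!fail) { r->info->caller_owns = 1; return; }          /* normal path */
    lib_destroy(r->info); r->info = NULL;                     /* error path */
    if (fixed) { r->palette = NULL; r->rows = NULL; }         /* library freed them */
}
/* Caller cleanup like the one at opngoptim.c:507; returns invalid frees valgrind would flag. */
static int cleanup(struct reader *r) {
    int bad = 0;
    if (r->info) { lib_destroy(r->info); r->info = NULL; }
    bad += !tracked_free(r->palette); r->palette = NULL;
    bad += !tracked_free(r->rows);    r->rows = NULL;
    return bad;
}
int run_scenario(int fail, int fixed) {  /* 0 = clean, 2 = the reported double free */
    struct reader r = {0, 0, 0};
    lib_read(&r, fail, fixed);
    return cleanup(&r);
}
```

Running the error-path scenario with the aliases kept yields two invalid frees, matching the palette and row-pointer blocks in the report; dropping the aliases once the library has torn its structures down brings that count to zero.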
