Package: libpng16-16
Severity: important
Dear Maintainer,
Hi,
there is an endless loop in libpng 1.6-1.6.26 as provided by testing, which
could be abused for Denial of Service Attack,
as far as i can see, it is caused by the following bad error handling of the
inflate. For most errors with the zlib stream the function png_read_IDAT_data()
will
return to the caller, but if the ADLER32 checksum is corrupt, it will stay in
an infinite loop.
In libpng1.6-1.6.26/pngrutil.c:4079
/* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
* process. If the LZ stream is truncated the sequential reader will
* terminally damage the stream, above, by reading the chunk header of the
* following chunk (it then exits with png_error).
*
* TODO: deal more elegantly with truncated IDAT lists.
*/
ret = PNG_INFLATE(png_ptr, Z_NO_FLUSH);
/* Take the unconsumed output back. */
if (output != NULL)
avail_out += png_ptr->zstream.avail_out;
else /* avail_out counts the extra bytes */
avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
png_ptr->zstream.avail_out = 0;
In case that the output is NULL (inflate failed), we increase the available
output again.
if (output != NULL)
{
if(!strncmp(png_ptr->zstream.msg,"incorrect data check",20))
{
png_chunk_benign_error(png_ptr, "ADLER32 checksum mismatch");
continue;
If the inflate failed because of a checksum error, we continue with the loop
} while (avail_out > 0);
Which will not finish, since the avail_out is always increased to the origial
value again.
The issue is fixed upstream with commit
https://github.com/glennrp/libpng/commit/d65a92b951079d315e17e20ba9e7b8423d19397e
as well as the version in unstable libpng16-16 (1.6.28-1).
Regards,
Eric
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)