On Sun, 8 Apr 2012, Adam D. Barratt wrote:
> On Sun, 2012-04-08 at 20:01 +0200, Mikulas Patocka wrote:
> > install the links2 and electric-fence packages
> > run:
> > LD_PRELOAD=/usr/lib/libefence.so EF_ALIGNMENT=0 links2 -g http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/debian-libpng-1.2.44-crash.png
> >
> > You get a crash in inflate.
>
> Have you actually verified that the crash has any security impact, or is
> this just conjecture?
It passes (unsigned)-1 into png_ptr->zstream.avail_in --- so it reads data
beyond end --- so it can cause crash or reading unauthorized data. I think
it can't cause a write out of allocated memory.
The function png_push_read_zTXt checks that
text < key + png_ptr->current_text_size, then it increments text twice,
and then it sets
png_ptr->zstream.avail_in = (uInt)(png_ptr->current_text_size - (text - key));
--- so it sets avail_in to (uInt)-1.
> > I tried it on upstream libpng, upstream versions up to 1.2.47 crash. 1.2.48
> > and 1.2.49 don't crash.
> [...]
> > This bug is already fixed in libpng-1.2.48 (the buggy function
> > png_push_read_zTXt is removed), but Debian didn't backport the fix.
>
> Removal of functions from shared libraries isn't really something that's
> going to get backported.
That function isn't exported anyway, so you can remove it.
If you don't want to go with upstream changes, then fix it. The patch
below fixes the crash.
> Regards,
>
> Adam
Mikulas
---
pngpread.c | 7 +++++++
1 file changed, 7 insertions(+)
Index: libpng-1.2.47/pngpread.c
===================================================================
--- libpng-1.2.47.orig/pngpread.c 2012-04-08 20:44:37.000000000 +0200
+++ libpng-1.2.47/pngpread.c 2012-04-08 20:47:17.000000000 +0200
@@ -1380,6 +1380,13 @@ png_push_read_zTXt(png_structp png_ptr,
text++;
+ if (text >= key + png_ptr->current_text_size)
+ {
+ png_ptr->current_text = NULL;
+ png_free(png_ptr, key);
+ return;
+ }
+
if (*text != PNG_TEXT_COMPRESSION_zTXt) /* Check compression byte */
{
png_ptr->current_text = NULL;
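Review bot: the inserted block duplicates the cleanup of the compression-byte check directly below it, which begins with the same `png_ptr->current_text = NULL;`. Folding the bound test into that existing condition, `if (text >= key + png_ptr->current_text_size || *text != PNG_TEXT_COMPRESSION_zTXt)`, keeps one cleanup path, and short-circuit evaluation still prevents `*text` from being read past the buffer. Either way, consider a `png_warning` for the truncated chunk so the silent drop is visible rather than indistinguishable from a chunk with no text.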
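The arithmetic Mikulas describes is easy to model outside libpng. The C program below is an added example, not libpng's code and not part of this thread: it reimplements only the keyword/compression-byte scan of png_push_read_zTXt in simplified form (the names ztxt_scan, scan_chunk, demo_status and demo_avail are this example's own), keeps libpng's convention of a NUL sentinel at key[current_text_size], and runs the original logic and the patched logic over three constructed chunk payloads. It shows why the unpatched code produces (uInt)-1: PNG_TEXT_COMPRESSION_zTXt is 0, so the sentinel NUL passes the compression check and the pointer ends up one past the buffer.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* zTXt's only valid compression method is 0; that the macro is 0 is what lets
 * the buffer's NUL sentinel pass the compression-byte check. */
#define PNG_TEXT_COMPRESSION_zTXt 0
typedef unsigned int uInt;

enum ztxt_status { ZTXT_OK = 0, ZTXT_BAD_COMPRESSION, ZTXT_TRUNCATED, ZTXT_TOO_LARGE };

/* Simplified model (not libpng's own code) of the keyword/compression-byte
 * scan in png_push_read_zTXt. `key` points at current_text_size bytes of
 * chunk data followed by one extra NUL byte, as libpng allocates it.
 * hardened == 0 reproduces the 1.2.47 logic; hardened != 0 adds the bound
 * check from the patch. On ZTXT_OK, *avail_in receives the value the code
 * would pass to zlib as zstream.avail_in. */
enum ztxt_status ztxt_scan(const char *key, size_t current_text_size,
                           int hardened, uInt *avail_in)
{
    const char *text;

    /* Find the keyword terminator. If the chunk carries no NUL, this stops
     * at the sentinel byte key[current_text_size]. */
    for (text = key; *text; text++)
        ;

    if (text < key + current_text_size)
        text++;                            /* step past the keyword's NUL */

    if (hardened && text >= key + current_text_size)
        return ZTXT_TRUNCATED;             /* no compression byte inside the chunk */

    if (*text != PNG_TEXT_COMPRESSION_zTXt) /* unhardened: may be reading the sentinel */
        return ZTXT_BAD_COMPRESSION;

    text++;                                /* step past the compression byte */

    /* With text == key + current_text_size + 1 this is (uInt)-1 == UINT_MAX:
     * zlib is told it may consume ~4 GiB from a buffer of a few bytes. */
    *avail_in = (uInt)(current_text_size - (size_t)(text - key));
    return ZTXT_OK;
}

/* Copy an n-byte chunk payload into a NUL-sentinelled buffer and scan it. */
enum ztxt_status scan_chunk(const unsigned char *data, size_t n,
                            int hardened, uInt *avail_in)
{
    char buf[128];
    if (n >= sizeof buf)
        return ZTXT_TOO_LARGE;
    memcpy(buf, data, n);
    buf[n] = '\0';                         /* libpng: current_text[current_text_size] = '\0' */
    return ztxt_scan(buf, n, hardened, avail_in);
}

/* Constructed sample payloads (not taken from the PNG linked in the thread). */
static const unsigned char chunk_ok[]       = { 'C','o','m','m','e','n','t', 0, 0, 'x','y','z' };
static const unsigned char chunk_no_nul[]   = { 'A','B','C','D' };   /* keyword never terminated */
static const unsigned char chunk_nul_last[] = { 'A','B', 0 };        /* NUL is the last byte */

static const struct { const unsigned char *data; size_t n; const char *name; } samples[] = {
    { chunk_ok,       sizeof chunk_ok,       "well-formed"      },
    { chunk_no_nul,   sizeof chunk_no_nul,   "no keyword NUL"   },
    { chunk_nul_last, sizeof chunk_nul_last, "NUL as last byte" },
};

/* Status the scan returns for sample `which` (0..2) under the chosen logic. */
int demo_status(int which, int hardened)
{
    uInt avail = 0;
    return (int)scan_chunk(samples[which].data, samples[which].n, hardened, &avail);
}

/* avail_in the scan would hand to inflate, or 0 if it rejected the chunk. */
uInt demo_avail(int which, int hardened)
{
    uInt avail = 0;
    if (scan_chunk(samples[which].data, samples[which].n, hardened, &avail) != ZTXT_OK)
        return 0;
    return avail;
}

int main(void)
{
    int i, h;
    for (i = 0; i < 3; i++)
        for (h = 0; h < 2; h++)
            printf("%-16s %-8s status=%d avail_in=%u\n", samples[i].name,
                   h ? "hardened" : "original", demo_status(i, h), demo_avail(i, h));
    return 0;
}
```

Both malformed samples pass the unpatched scan with avail_in == UINT_MAX, which is the value inflate is then allowed to read from a buffer of three or four bytes; with the bound check in place they are rejected before the compression byte is examined, and the well-formed chunk yields avail_in == 3 either way. Note that the sample with the NUL as the last byte is the case the patch's position matters for: the check has to come after the conditional text++, not before it.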