Libpng bugs to potentially graveyard?
Thank you for this challenging and useful dataset! After reviewing some of the libpng bugs manually, I currently believe `AAH004` appears to be untriggerable by the current harness. First, the harness validates that `height*width < 100000000`. In the best case, `height=1, width=100000000`. Equivalently, `2^26 < width < 2^27`. Second, even with the largest `transformed_pixel_depth` of 64 set around here and checked here, the `pixel_depth` is divided by 8 at the bug site. Hence, `2^26 * 2^3` cannot overflow `2^32` as required by the Magma bug condition. Note that because the harness also bounds memory allocations here, there will also be a `nullptr` supplied here that I believe will early terminate the program as well.

`AAH005` appears to be untriggerable by the current harness for similar reasons. The `PNG_ROWBYTES` macro performs a similar divide-by-8 operation at the bug site here. Additionally, the bug site is also guarded by the `height*width < 100000000` check. Interestingly enough, `AAH001` does not suffer from this issue because it is called before the `height*width < 100000000` check activates.
I am happy to provide POCs for demonstrability of both.
Given this information, should these bugs be moved to the graveyard or should the harnesses be fixed? What do you think?
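The reachability argument above, written out as a small C model (an added example, not code from the issue author or from Magma): it reproduces libpng's `PNG_ROWBYTES` macro from `pngpriv.h`, applies the harness's `height*width < 100000000` bound with `height=1`, and checks whether any pixel depth up to 64 bits can push the row byte count past 32 bits. The set of candidate depths and the harness constants are assumptions taken from the discussion, not read from the harness source.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Harness bound quoted in the issue: height * width must stay below this (assumed). */
#define HARNESS_MAX_PIXELS 100000000ULL
/* Largest transformed pixel depth mentioned in the issue, in bits per pixel (assumed). */
#define MAX_PIXEL_DEPTH 64U

/* libpng's PNG_ROWBYTES macro (pngpriv.h): bytes needed for one row of `width` pixels. */
#define PNG_ROWBYTES(pixel_bits, width) \
    ((pixel_bits) >= 8 ? \
    ((size_t)(width) * (((size_t)(pixel_bits)) >> 3)) : \
    ((((size_t)(width) * ((size_t)(pixel_bits))) + 7) >> 3))

/* Widest row the harness admits: height=1 leaves the whole pixel budget to width. */
uint64_t max_harness_width(void) { return HARNESS_MAX_PIXELS - 1; }

/* Row byte count for the widest admitted row at a given depth, held in 64 bits
 * so that any wrap-around would be visible rather than silently truncated. */
uint64_t max_rowbytes_at_depth(unsigned pixel_bits) {
    return (uint64_t)PNG_ROWBYTES(pixel_bits, max_harness_width());
}

/* 1 if some candidate depth (assumed list of legal libpng depths) lets the
 * row byte count exceed UINT32_MAX under the harness bound, else 0. */
int rowbytes_can_overflow_u32(void) {
    static const unsigned depths[] = {1, 2, 4, 8, 16, 24, 32, 48, MAX_PIXEL_DEPTH};
    for (size_t i = 0; i < sizeof depths / sizeof depths[0]; i++)
        if (max_rowbytes_at_depth(depths[i]) > UINT32_MAX) return 1;
    return 0;
}

/* Smallest width whose row would need more than 2^32 bytes at `pixel_bits`:
 * ceil(2^32 * 8 / pixel_bits). For 64 bpp this is 2^29, far above the harness cap. */
uint64_t min_width_to_overflow_u32(unsigned pixel_bits) {
    const uint64_t bits_needed = ((uint64_t)UINT32_MAX + 1) * 8;
    return (bits_needed + pixel_bits - 1) / pixel_bits;
}

int main(void) {
    printf("widest harness row: %llu px\n", (unsigned long long)max_harness_width());
    printf("rowbytes at 64 bpp: %llu\n", (unsigned long long)max_rowbytes_at_depth(MAX_PIXEL_DEPTH));
    printf("can overflow u32 under harness: %s\n", rowbytes_can_overflow_u32() ? "yes" : "no");
    printf("width needed to overflow at 64 bpp: %llu\n",
           (unsigned long long)min_width_to_overflow_u32(MAX_PIXEL_DEPTH));
    return 0;
}
```

Comparing `min_width_to_overflow_u32(64)` with `max_harness_width()` shows the headroom the harness leaves: the overflow needs a row about five times wider than the bound permits.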