
Heap buffer overflow (Read of size 1) in pngimage.c

Open thuanpv opened this issue 6 years ago • 4 comments

Hi,

I am running some experiments for AFLSmart and it has found a heap buffer overflow in the pngimage utility. I think the bug is not critical, as it is in a test program, not in the library itself, so I report it here.

There are two test cases (as attached) which can trigger (similar) bug(s) at two different locations.

To reproduce:

  • Compile libpng with ASAN (I found the bug on libpng commit 8439534)
  • Run the following command: ./pngimage test_*.png

ASAN says:

==31076==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000a71 at pc 0x00000052fd58 bp 0x7ffcb8b48230 sp 0x7ffcb8b48228
READ of size 1 at 0x602000000a71 thread T0
    #0 0x52fd57 in compare_read /home/ubuntu/aflsmart-experiments/libpng/contrib/libtests/pngimage.c:1250:31
    #1 0x52c46f in test_one_file /home/ubuntu/aflsmart-experiments/libpng/contrib/libtests/pngimage.c:1484:18
    #2 0x52c46f in do_test /home/ubuntu/aflsmart-experiments/libpng/contrib/libtests/pngimage.c:1564
    #3 0x52af2d in main /home/ubuntu/aflsmart-experiments/libpng/contrib/libtests/pngimage.c:1668:23
    #4 0x7fb08c1a782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x41aec8 in _start (/home/ubuntu/aflsmart-experiments/libpng/pngimage+0x41aec8)

0x602000000a71 is located 0 bytes to the right of 1-byte region [0x602000000a70,0x602000000a71)
allocated by thread T0 here:
    #0 0x4e9bff in malloc /home/ubuntu/llvm-7.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
    #1 0x5559f2 in png_malloc_base /home/ubuntu/aflsmart-experiments/libpng/pngmem.c:95:17
    #2 0x5559f2 in png_malloc /home/ubuntu/aflsmart-experiments/libpng/pngmem.c:179

Attached: test_1, test_2

thuanpv, Apr 06 '19 07:04

Hi, I compiled libpng with these commands:

export CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" CC=clang
./configure --host=arm
make

Then I ran the following command:

./pngimage test_*.png
test_1.png: error(libpng): original read: IHDR: CRC error
test_2.png: error(libpng): original read: IHDR: CRC error

but did not find your bug. How did you compile and find this problem?

tangyaofang, Jun 06 '19 07:06

Which version of libpng are you using? I tested this problem with version 1.6.37, but did not find your bug.

tangyaofang, Jun 06 '19 07:06

Hi tangyaofang,

I found it while fuzzing commit 8439534. I disabled the CRC check to ease the fuzzing process by running the following simple patch:

sed -i 's/return ((int)(crc != png_ptr->crc));/return (0);/g' pngrutil.c

Can you please try to disable the CRC check and reproduce the issue?

If it works, you can easily repair the CRC and get the PNG file to trigger the bug in the normal build.

Best regards,

Thuan

thuanpv, Jun 13 '19 23:06
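The CRC repair step mentioned above, as an added example that is not part of this thread or of libpng: a small Python script that reports chunk CRC mismatches in a PNG and rewrites every chunk CRC, so that a file produced with the check patched out is accepted by an unpatched build. The sample PNG and the function names are my own constructions.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def iter_chunks(data):
    """Yield (offset, type, body, stored_crc) for each chunk, up to IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length            # offset of the 4-byte CRC field
        if end + 4 > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        stored_crc, = struct.unpack(">I", data[end:end + 4])
        yield pos, ctype, data[pos + 8:end], stored_crc
        pos = end + 4
        if ctype == b"IEND":
            break

def chunk_crc(ctype, body):
    # The PNG CRC-32 covers the chunk type and data, not the length field.
    return zlib.crc32(ctype + body) & 0xFFFFFFFF

def find_bad_crcs(data):
    """Return [(chunk_type, stored_crc, expected_crc)] for every mismatch."""
    return [(ctype, stored, chunk_crc(ctype, body))
            for _, ctype, body, stored in iter_chunks(data)
            if stored != chunk_crc(ctype, body)]

def repair_crcs(data):
    """Return a copy of the PNG with every chunk CRC recomputed."""
    out = bytearray(data)
    for pos, ctype, body, _ in iter_chunks(data):
        struct.pack_into(">I", out, pos + 8 + len(body), chunk_crc(ctype, body))
    return bytes(out)

def make_chunk(ctype, body, crc=None):
    """Build one chunk; pass crc to plant a deliberately wrong value."""
    crc = chunk_crc(ctype, body) if crc is None else crc
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed sample: a 1x1 8-bit grayscale IHDR whose CRC has been zeroed, as a
# fuzzer mutation would leave it, followed by a valid IEND chunk.
IHDR_BODY = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
SAMPLE_PNG = PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_BODY, crc=0) + make_chunk(b"IEND", b"")
```

Running find_bad_crcs on a fuzzer output before and after repair_crcs shows which chunks the mutation touched and confirms the repaired file will pass libpng's CRC check.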

The line numbers are way off, and the column number on the report doesn't add up either; it's the & of the first test.

It's difficult (well, impossible) to believe a bug report like this without analysis. Specifically:

  1. What is the value of 'x'?
  2. What is the value of 'mask'?
  3. What is the value of 'b'?
  4. Was the read speculative?

Of course (4) is the biggy; we expect read-beyond-end-of-buffer in loops like this. They might fault, but the result is discarded because the speculative read is never used.

jbowler, Aug 10 '24 21:08