libpng
libpng copied to clipboard
glennrp
A potential heap overflow issue
Hi, I find a potential heap overflow issue in contrib/libtests/pngimage.c, function compare_read.
The code version is commit https://github.com/glennrp/libpng/commit/301f7a14295a3bdfaf406dbb5004d0784dc137ea
The compile command is
CFLAGS="-O0 -g -fsanitize=address,leak,undefined" ./configure --disable-shared
The reproduce command
./pngimage input
Trace reported by ASAN: `==18068==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000cc00 at pc 0x000000416f54 bp 0x7fffffffd0d0 sp 0x7fffffffd0c0 #0 0x416f53 in compare_read contrib/libtests/pngimage.c:1240 #1 0x4249e6 in test_one_file contrib/libtests/pngimage.c:1484 #2 0x4249e6 in do_test contrib/libtests/pngimage.c:1564 #3 0x405da3 in main contrib/libtests/pngimage.c:1668 #4 0x7ffff589082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #5 0x407f48 in _start (/mnt/data/playground/libpng-libpng16-a/pngimage+0x407f48)
0x60200000cc00 is located 0 bytes to the right of 16-byte region [0x60200000cbf0,0x60200000cc00) allocated by thread T0 here: #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x50f877 in png_malloc_base /mnt/data/playground/libpng-libpng16-a/pngmem.c:95 #2 0x50f877 in png_malloc /mnt/data/playground/libpng-libpng16-a/pngmem.c:179
SUMMARY: AddressSanitizer: heap-buffer-overflow contrib/libtests/pngimage.c:1240 compare_read Shadow bytes around the buggy address: 0x0c047fff9930: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff9940: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff9950: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff9960: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff9970: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 =>0x0c047fff9980:[fa]fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff9990: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff99a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff99b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff99c0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff99d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==18068==ABORTING `
The reason for this overflow is that the buffer of orig and row might not have bpp length of data so that the index is out of bound in the later loop.
According to the gdb results, bpp is 2 and the length of the buffer is only 1.
The attachment is the input file. input.zip
I no found your bug. How did you compile and find this problem?
./pngimage input
input: error(libpng): original read: Not a PNG file
CFLAGS="-O0 -g -fsanitize=address,undefined" ./configure --disable-shared
id:000001,sig:06,src:000255+001320,op:splice,rep:4.zip
I think the input cracked when I upload to Github. This is the new one which can reproduce the crash on my server.
According to https://bugzilla.redhat.com/show_bug.cgi?id=2043393 this is CVE-2021-4214
