libpng
heap-buffer-overflow contrib/libtests/pngimage.c:1249 in compare_read
Product version: libpng, latest version as of March 13, 2021
Environment: Ubuntu 18.04.1
Reproduction procedure:
CFLAGS="-fsanitize=address" ./configure --disable-shared
make -j4
AddressSanitizer Debug result:
$ ./pngimage poc.png
poc.png: warning(libpng): original read: pLTE: CRC error
poc.png: warning(libpng): original read: sBIT: duplicate
poc.png: warning(libpng): original read: sBIT: duplicate
poc.png: warning(libpng): ignored transforms(0x8783): pLTE: CRC error
poc.png: warning(libpng): ignored transforms(0x8783): sBIT: duplicate
poc.png: warning(libpng): ignored transforms(0x8783): sBIT: duplicate
poc.png: warning(libpng): active transforms(PACKING): pLTE: CRC error
poc.png: warning(libpng): active transforms(PACKING): sBIT: duplicate
poc.png: warning(libpng): active transforms(PACKING): sBIT: duplicate
poc.png: warning(libpng): active transforms(PACKSWAP): pLTE: CRC error
poc.png: warning(libpng): active transforms(PACKSWAP): sBIT: duplicate
poc.png: warning(libpng): active transforms(PACKSWAP): sBIT: duplicate
poc.png: warning(libpng): active transforms(EXPAND): pLTE: CRC error
poc.png: warning(libpng): active transforms(EXPAND): sBIT: duplicate
poc.png: warning(libpng): active transforms(EXPAND): sBIT: duplicate
poc.png: warning(libpng): active transforms(INVERT_MONO): pLTE: CRC error
poc.png: warning(libpng): active transforms(INVERT_MONO): sBIT: duplicate
poc.png: warning(libpng): active transforms(INVERT_MONO): sBIT: duplicate
poc.png: warning(libpng): active transforms(SHIFT): pLTE: CRC error
poc.png: warning(libpng): active transforms(SHIFT): sBIT: duplicate
poc.png: warning(libpng): active transforms(SHIFT): sBIT: duplicate
=================================================================
==41801==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002420 at pc 0x5634177b7fb5 bp 0x7fffcb432870 sp 0x7fffcb432860
READ of size 1 at 0x602000002420 thread T0
#0 0x5634177b7fb4 in compare_read contrib/libtests/pngimage.c:1249
#1 0x5634177badb0 in test_one_file contrib/libtests/pngimage.c:1493
#2 0x5634177badb0 in do_test contrib/libtests/pngimage.c:1573
#3 0x5634177b09a7 in main contrib/libtests/pngimage.c:1677
#4 0x7f1ded9dabf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#5 0x5634177b19a9 in _start (/home/ostrich/testbases/libpng/pngimage+0xe9a9)
0x602000002420 is located 0 bytes to the right of 16-byte region [0x602000002410,0x602000002420)
allocated by thread T0 here:
#0 0x7f1dee443b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x5634178044a7 in png_malloc_base /home/ostrich/build/libpng/pngmem.c:95
#2 0x5634178044a7 in png_malloc /home/ostrich/build/libpng/pngmem.c:179
SUMMARY: AddressSanitizer: heap-buffer-overflow contrib/libtests/pngimage.c:1249 in compare_read
Shadow bytes around the buggy address:
0x0c047fff8430: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8440: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8450: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8460: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8470: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c047fff8480: fa fa 00 00[fa]fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8490: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff84a0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff84b0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff84c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff84d0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==41801==ABORTING
POC file:
I've tried your image with various PNG readers and could not replicate the errors. The image seems to have three sBIT chunks:
$ hexdump -C 112775823-937b4b80-9070-11eb-87b1-0d1ec31eb37b.png
00000000 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 |.PNG........IHDR|
00000010 00 00 00 20 00 00 00 20 04 00 00 00 00 93 e1 c8 |... ... ........|
00000020 29 00 00 00 12 70 4c 54 45 ff ff ff ff ff ff ff |)....pLTE.......|
00000030 ff ff 00 00 00 ff 00 00 ff ff 00 7e b4 1a 6f 00 |...........~..o.|
00000040 00 00 01 73 42 49 54 04 ef bc 17 b2 00 00 00 01 |...sBIT.........|
00000050 73 42 49 54 00 e8 d1 d3 ab 00 00 00 09 73 42 49 |sBIT.........sBI|
00000060 54 00 00 0b 12 00 00 0b 12 01 86 57 26 31 00 00 |T..........W&1..|
00000070 00 9f 49 44 41 54 28 cf 7d d1 c1 11 c3 20 0c 44 |..IDAT(.}.... .D|
00000080 d1 4c 4a 48 05 c9 df 0e b4 54 60 54 41 fa 2f 26 |.LJH.....T`TA./&|
00000090 07 b0 6c 38 84 13 f3 66 a5 41 e2 f1 e6 f5 fc 70 |..l8...f.A.....p|
000000a0 9d c7 79 51 c8 0b b4 1e 95 b0 c3 ce 84 98 10 80 |..yQ............|
000000b0 d2 f6 0a 2d 5b ff 07 84 bc 02 28 bd 02 d6 06 c8 |...-[.....(.....|
000000c0 b7 87 01 cc 84 66 c2 27 44 e0 25 31 de 71 dc 4a |.....f.'D.%1.q.J|
000000d0 0c f0 05 39 46 e2 6c 12 05 9e 1b a9 7d c8 b6 1d |...9F.l.....}...|
000000e0 2a 08 75 68 1d aa 47 cb 50 76 6a 16 b5 cc cc 8c |*.uh..G.Pvj.....|
000000f0 a8 1e 39 80 4a 6c 60 0f 38 d8 4a 6e e0 cc 96 be |..9.Jl`.8.Jn....|
00000100 3e 4a 63 42 ed c0 0e d7 2c d8 d6 68 b1 ee 14 e0 |>JcB....,..h....|
00000110 07 ec 70 50 42 d5 f2 e2 03 00 00 00 00 49 45 4e |..pPB........IEN|
00000120 44 ae 42 60 82 |D.B`.|
00000125
but nothing I have gives an error message from libpng.
@benkasminbullock I think this problem is the same as https://github.com/glennrp/libpng/issues/302.
I built it with ASAN and can also reproduce this problem. Build:
CFLAGS="-fsanitize=address" ./configure
And I get the same ASAN report.
=================================================================
==1814==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002420 at pc 0x55850191a5f3 bp 0x7ffe7421f1b0 sp 0x7ffe7421f1a0
READ of size 1 at 0x602000002420 thread T0
#0 0x55850191a5f2 in compare_read (/home/yuan/libpng/.libs/pngimage+0x85f2)
#1 0x55850191b637 in test_one_file (/home/yuan/libpng/.libs/pngimage+0x9637)
#2 0x55850191b8c7 in do_test (/home/yuan/libpng/.libs/pngimage+0x98c7)
#3 0x55850191c414 in main (/home/yuan/libpng/.libs/pngimage+0xa414)
#4 0x7fdb086c8bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#5 0x558501915fb9 in _start (/home/yuan/libpng/.libs/pngimage+0x3fb9)
0x602000002420 is located 0 bytes to the right of 16-byte region [0x602000002410,0x602000002420)
allocated by thread T0 here:
#0 0x7fdb08e27b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x7fdb08abf00d in png_malloc_base (/home/yuan/libpng/.libs/libpng16.so.16+0x2700d)
#2 0x7fdb08abf1dc in png_malloc (/home/yuan/libpng/.libs/libpng16.so.16+0x271dc)
#3 0x7fdb08ac9f8a in png_read_png (/home/yuan/libpng/.libs/libpng16.so.16+0x31f8a)
#4 0x558501917e41 in read_png (/home/yuan/libpng/.libs/pngimage+0x5e41)
#5 0x55850191b626 in test_one_file (/home/yuan/libpng/.libs/pngimage+0x9626)
#6 0x55850191b8c7 in do_test (/home/yuan/libpng/.libs/pngimage+0x98c7)
#7 0x55850191c414 in main (/home/yuan/libpng/.libs/pngimage+0xa414)
#8 0x7fdb086c8bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/yuan/libpng/.libs/pngimage+0x85f2) in compare_read
Shadow bytes around the buggy address:
0x0c047fff8430: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8440: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8450: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8460: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8470: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c047fff8480: fa fa 00 00[fa]fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8490: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff84a0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff84b0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff84c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff84d0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1814==ABORTING
I also tried to check without ASan. It mallocs size 16 for each row in the row_pointers array:
https://github.com/glennrp/libpng/blob/a37d4836519517bdce6cb9d956092321eca3e73b/pngread.c#L1236-L1238
In pngimage, it tries to get its pointer here:
https://github.com/glennrp/libpng/blob/a37d4836519517bdce6cb9d956092321eca3e73b/contrib/libtests/pngimage.c#L1239
But in this case, x will go from 0 to 31:
https://github.com/glennrp/libpng/blob/a37d4836519517bdce6cb9d956092321eca3e73b/contrib/libtests/pngimage.c#L1243
and each bpp is 1, so it will overflow in *raw:
https://github.com/glennrp/libpng/blob/a37d4836519517bdce6cb9d956092321eca3e73b/contrib/libtests/pngimage.c#L1249
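As an added check (my own code, not libpng's or pngimage's, and not part of the original thread), the C program below walks the chunk list of the file shown in the hexdump above, verifies each chunk's CRC with the standard PNG CRC-32, and then does the row arithmetic the previous comment describes: the IHDR says 32 pixels wide at bit depth 4, colour type 0, which gives 16-byte rows (the size png_get_rowbytes reports and png_read_png allocates), so a loop that indexes the row at one byte per pixel up to x = 31 reaches 16 bytes past the allocation, while a sample accessor that works in bits stays inside byte 15. The POC_PNG bytes are copied verbatim from the hexdump; the 16-byte row is a constructed sample; the function names walk_chunks, row_bytes and get_sample are mine and do not exist in libpng. The program does not link libpng, so it confirms the observations in the thread (three sBIT chunks, the pLTE CRC mismatch, the 16-byte row size) and the index arithmetic, not the crash itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes copied from the hexdump posted in this thread (the 293-byte poc.png). */
static const uint8_t POC_PNG[] = {
    0x89,0x50,0x4e,0x47,0x0d,0x0a,0x1a,0x0a,0x00,0x00,0x00,0x0d,0x49,0x48,0x44,0x52,
    0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x20,0x04,0x00,0x00,0x00,0x00,0x93,0xe1,0xc8,
    0x29,0x00,0x00,0x00,0x12,0x70,0x4c,0x54,0x45,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
    0xff,0xff,0x00,0x00,0x00,0xff,0x00,0x00,0xff,0xff,0x00,0x7e,0xb4,0x1a,0x6f,0x00,
    0x00,0x00,0x01,0x73,0x42,0x49,0x54,0x04,0xef,0xbc,0x17,0xb2,0x00,0x00,0x00,0x01,
    0x73,0x42,0x49,0x54,0x00,0xe8,0xd1,0xd3,0xab,0x00,0x00,0x00,0x09,0x73,0x42,0x49,
    0x54,0x00,0x00,0x0b,0x12,0x00,0x00,0x0b,0x12,0x01,0x86,0x57,0x26,0x31,0x00,0x00,
    0x00,0x9f,0x49,0x44,0x41,0x54,0x28,0xcf,0x7d,0xd1,0xc1,0x11,0xc3,0x20,0x0c,0x44,
    0xd1,0x4c,0x4a,0x48,0x05,0xc9,0xdf,0x0e,0xb4,0x54,0x60,0x54,0x41,0xfa,0x2f,0x26,
    0x07,0xb0,0x6c,0x38,0x84,0x13,0xf3,0x66,0xa5,0x41,0xe2,0xf1,0xe6,0xf5,0xfc,0x70,
    0x9d,0xc7,0x79,0x51,0xc8,0x0b,0xb4,0x1e,0x95,0xb0,0xc3,0xce,0x84,0x98,0x10,0x80,
    0xd2,0xf6,0x0a,0x2d,0x5b,0xff,0x07,0x84,0xbc,0x02,0x28,0xbd,0x02,0xd6,0x06,0xc8,
    0xb7,0x87,0x01,0xcc,0x84,0x66,0xc2,0x27,0x44,0xe0,0x25,0x31,0xde,0x71,0xdc,0x4a,
    0x0c,0xf0,0x05,0x39,0x46,0xe2,0x6c,0x12,0x05,0x9e,0x1b,0xa9,0x7d,0xc8,0xb6,0x1d,
    0x2a,0x08,0x75,0x68,0x1d,0xaa,0x47,0xcb,0x50,0x76,0x6a,0x16,0xb5,0xcc,0xcc,0x8c,
    0xa8,0x1e,0x39,0x80,0x4a,0x6c,0x60,0x0f,0x38,0xd8,0x4a,0x6e,0xe0,0xcc,0x96,0xbe,
    0x3e,0x4a,0x63,0x42,0xed,0xc0,0x0e,0xd7,0x2c,0xd8,0xd6,0x68,0xb1,0xee,0x14,0xe0,
    0x07,0xec,0x70,0x50,0x42,0xd5,0xf2,0xe2,0x03,0x00,0x00,0x00,0x00,0x49,0x45,0x4e,
    0x44,0xae,0x42,0x60,0x82,
};

/* CRC-32 as PNG defines it (reflected poly 0xEDB88320), taken over chunk type + data. */
static uint32_t png_crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Big-endian 32-bit field, the byte order PNG uses for lengths, CRCs and IHDR fields. */
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

typedef struct { char type[5]; uint32_t length; size_t data_off; int crc_ok; } chunk_t;

/* Walk the chunk list verifying each CRC; -1 if the signature is wrong or a length runs past the buffer. */
static int walk_chunks(const uint8_t *png, size_t len, chunk_t *out, int max) {
    int n = 0;
    if (len < 8 || memcmp(png, "\x89PNG\r\n\x1a\n", 8) != 0) return -1;
    for (size_t off = 8; off + 12 <= len; ) {
        uint32_t clen = be32(png + off);
        const uint8_t *type = png + off + 4;
        if (clen > len - off - 12) return -1;       /* declared length points past end of file */
        if (n < max) {
            memcpy(out[n].type, type, 4);
            out[n].type[4] = '\0';
            out[n].length = clen;
            out[n].data_off = off + 8;
            out[n].crc_ok = be32(png + off + 8 + clen) == png_crc32(type, 4 + clen);
        }
        n++;
        off += 12 + clen;
        if (memcmp(type, "IEND", 4) == 0) break;
    }
    return n;
}

/* Bytes per unfiltered row as png_get_rowbytes computes it (bits rounded up); colour types 0/2/3/4/6 have 1/3/1/2/4 channels, 0 means unknown type. */
static size_t row_bytes(uint32_t width, int bit_depth, int color_type) {
    static const int channels[7] = {1, 0, 3, 1, 2, 0, 4};
    if (color_type < 0 || color_type > 6 || channels[color_type] == 0) return 0;
    return ((size_t)width * (size_t)bit_depth * (size_t)channels[color_type] + 7) / 8;
}

/* Sample x of a packed 1/2/4/8-bit single-channel row, MSB first as PNG packs it; -1 instead of reading past row_len. */
static int get_sample(const uint8_t *row, size_t row_len, uint32_t x, int bit_depth) {
    size_t bit = (size_t)x * (size_t)bit_depth, byte = bit / 8;
    if (bit_depth < 1 || bit_depth > 8 || (bit_depth & (bit_depth - 1)) || byte >= row_len) return -1;
    return (row[byte] >> (8 - bit_depth - (int)(bit % 8))) & ((1 << bit_depth) - 1);
}

int main(void) {
    chunk_t ch[16];
    int n = walk_chunks(POC_PNG, sizeof POC_PNG, ch, 16), sbit = 0;
    if (n < 1) return 1;
    for (int i = 0; i < n && i < 16; i++) {
        printf("%s len=%u crc=%s\n", ch[i].type, ch[i].length, ch[i].crc_ok ? "ok" : "BAD");
        sbit += strcmp(ch[i].type, "sBIT") == 0;
    }
    const uint8_t *ihdr = POC_PNG + ch[0].data_off;  /* width, height, bit depth, colour type */
    uint32_t width = be32(ihdr);
    size_t rb = row_bytes(width, ihdr[8], ihdr[9]);
    uint8_t row[16] = {0xAB};                         /* constructed 4-bit row; rb is 16 for this IHDR */
    printf("%d sBIT chunks; %u px at depth %d -> %zu-byte rows; index %u %s; sample 31=%d, 32=%d\n",
           sbit, width, ihdr[8], rb, width - 1, (size_t)(width - 1) < rb ? "in bounds" : "OUT OF BOUNDS",
           get_sample(row, sizeof row, 31, 4), get_sample(row, sizeof row, 32, 4));
    return 0;
}
```

Build with cc -std=c99 -Wall poc_chunks.c and run it with no arguments: the chunk table it prints is the list the hexdump shows, with only pLTE failing its CRC, and the last line states whether byte index width-1 fits in a row of the computed size. The point of get_sample is that for bit depths below 8 the byte index is x * depth / 8, not x, which is exactly the gap between 16 allocated bytes and the 32 indices the comment above walks.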
What is the version of libpng :)?