
Memory leaks in png_malloc_base Function in libpng 1.6.43-1.6.46

Open kittener opened this issue 1 week ago • 3 comments

I found the vulnerability while testing my new fuzz tool.

Description

While running pngimage tests with AddressSanitizer (ASan), memory leaks were detected in read_png() during calls to png_create_read_struct() and png_create_info_struct(). The leaked memory is allocated in png_malloc_base() but never freed.

Steps to Reproduce

  1. Compile the application.
  2. Run the application using the following command: pngimage poc.png

Image

  3. Observe that the application crashes, indicating a memory leak error.

Expected Behavior

The application should manage memory correctly without trying to access memory after it has been freed.

Actual Behavior

The application crashes, showing a heap use-after-free error. Here's the output from AddressSanitizer:

Direct leak of 1240 byte(s) in 1 object(s) allocated from:
    #0 0x7f8c1e429c47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55f7c9f68bdf in png_malloc_base ../pngmem.c:97
    #2 0x55f7c9f68e6a in png_malloc_warn ../pngmem.c:215
    #3 0x55f7c9f52d3a in png_create_png_struct ../png.c:327
    #4 0x55f7c9f69151 in png_create_read_struct_2 ../pngread.c:44
    #5 0x55f7c9f690fa in png_create_read_struct ../pngread.c:32
    #6 0x55f7c9f4d737 in read_png ../contrib/libtests/pngimage.c:883
    #7 0x55f7c9f4d889 in update_display ../contrib/libtests/pngimage.c:933
    #8 0x55f7c9f50c95 in test_one_file ../contrib/libtests/pngimage.c:1426
    #9 0x55f7c9f51211 in do_test ../contrib/libtests/pngimage.c:1577
    #10 0x55f7c9f51d8e in main ../contrib/libtests/pngimage.c:1681
    #11 0x7f8c1e03f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

Direct leak of 352 byte(s) in 1 object(s) allocated from:
    #0 0x7f8c1e429c47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55f7c9f68bdf in png_malloc_base ../pngmem.c:97
    #2 0x55f7c9f53084 in png_create_info_struct ../png.c:376
    #3 0x55f7c9f4d7a1 in read_png ../contrib/libtests/pngimage.c:891
    #4 0x55f7c9f4d889 in update_display ../contrib/libtests/pngimage.c:933
    #5 0x55f7c9f50c95 in test_one_file ../contrib/libtests/pngimage.c:1426
    #6 0x55f7c9f51211 in do_test ../contrib/libtests/pngimage.c:1577
    #7 0x55f7c9f51d8e in main ../contrib/libtests/pngimage.c:1681
    #8 0x7f8c1e03f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

Indirect leak of 768 byte(s) in 1 object(s) allocated from:
    #0 0x7f8c1e429c47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55f7c9f68bdf in png_malloc_base ../pngmem.c:97
    #2 0x55f7c9f68db7 in png_malloc ../pngmem.c:177
    #3 0x55f7c9f68b3e in png_calloc ../pngmem.c:53
    #4 0x55f7c9fafda1 in png_set_PLTE ../pngset.c:794
    #5 0x55f7c9f9bc1e in png_handle_PLTE ../pngrutil.c:1069
    #6 0x55f7c9fa6a53 in png_handle_chunk ../pngrutil.c:3213
    #7 0x55f7c9f696df in png_read_info ../pngread.c:163
    #8 0x55f7c9f6c489 in png_read_png ../pngread.c:874
    #9 0x55f7c9f4d853 in read_png ../contrib/libtests/pngimage.c:904
    #10 0x55f7c9f4d889 in update_display ../contrib/libtests/pngimage.c:933
    #11 0x55f7c9f50c95 in test_one_file ../contrib/libtests/pngimage.c:1426
    #12 0x55f7c9f51211 in do_test ../contrib/libtests/pngimage.c:1577
    #13 0x55f7c9f51d8e in main ../contrib/libtests/pngimage.c:1681
    #14 0x7f8c1e03f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

Indirect leak of 26 byte(s) in 1 object(s) allocated from:
    #0 0x7f8c1e429c47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55f7c9f68bdf in png_malloc_base ../pngmem.c:97
    #2 0x55f7c9f98db6 in png_read_buffer ../pngrutil.c:392
    #3 0x55f7c9fa410c in png_handle_tEXt ../pngrutil.c:2419
    #4 0x55f7c9fa6a53 in png_handle_chunk ../pngrutil.c:3213
    #5 0x55f7c9f696df in png_read_info ../pngread.c:163
    #6 0x55f7c9f6c489 in png_read_png ../pngread.c:874
    #7 0x55f7c9f4d853 in read_png ../contrib/libtests/pngimage.c:904
    #8 0x55f7c9f4d889 in update_display ../contrib/libtests/pngimage.c:933
    #9 0x55f7c9f50c95 in test_one_file ../contrib/libtests/pngimage.c:1426
    #10 0x55f7c9f51211 in do_test ../contrib/libtests/pngimage.c:1577
    #11 0x55f7c9f51d8e in main ../contrib/libtests/pngimage.c:1681
    #12 0x7f8c1e03f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: 2386 byte(s) leaked in 4 allocation(s).

by Kaiyu Xie

kittener Feb 13 '25 02:02
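The report above has a characteristic shape: the two direct leaks are the objects returned by png_create_read_struct() and png_create_info_struct(), and the two indirect leaks (the 768-byte PLTE palette and the 26-byte tEXt buffer) are buffers owned by those structs and reachable only through them. That is what a reader leaves behind when an error raised by libpng's longjmp-based error handling unwinds to the caller's setjmp and the caller returns without calling png_destroy_read_struct(). The following is an added example and not libpng or pngimage.c code: it uses a hypothetical stand-in for the create/read/destroy API (the sim_* names, SAMPLE_GOOD and SAMPLE_BAD are all assumptions) together with a counting allocator, so the leaky harness shape and the fixed one can be compared directly, and the constructed corrupt input plays the role of a fuzzer's poc.png.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counting allocator: live_bytes plays the role of ASan's leak total. */
typedef union { size_t n; max_align_t align; } alloc_header;
static size_t live_bytes = 0;

static void *tracked_malloc(size_t n) {
    alloc_header *h = malloc(sizeof *h + n);
    if (h == NULL) return NULL;
    h->n = n;
    live_bytes += n;
    return h + 1;
}

static void tracked_free(void *ptr) {
    if (ptr == NULL) return;
    alloc_header *h = (alloc_header *)ptr - 1;
    live_bytes -= h->n;
    free(h);
}

/* Hypothetical stand-in for the libpng read API; these are not libpng's names. */
typedef struct { jmp_buf jmpbuf; char *palette; } sim_png_struct;   /* like png_struct */
typedef struct { char *text; } sim_info_struct;                     /* like png_info   */

static sim_png_struct *sim_create_read_struct(void) {
    sim_png_struct *p = tracked_malloc(sizeof *p);
    if (p != NULL) p->palette = NULL;
    return p;
}

static sim_info_struct *sim_create_info_struct(void) {
    sim_info_struct *i = tracked_malloc(sizeof *i);
    if (i != NULL) i->text = NULL;
    return i;
}

/* Like png_destroy_read_struct: frees both structs and every buffer they own. */
static void sim_destroy_read_struct(sim_png_struct **pp, sim_info_struct **ip) {
    if (*ip != NULL) { tracked_free((*ip)->text); tracked_free(*ip); *ip = NULL; }
    if (*pp != NULL) { tracked_free((*pp)->palette); tracked_free(*pp); *pp = NULL; }
}

/* Like png_error: never returns, unwinds to the caller's setjmp. */
static void sim_error(sim_png_struct *p, const char *msg) {
    (void)msg;
    longjmp(p->jmpbuf, 1);
}

/* Toy reader: checks the signature, allocates the buffers the real PLTE/tEXt
   handlers would (768 and 26 bytes, as in the report), then inspects one
   "chunk type" byte; anything other than 'I' is treated as a corrupt chunk. */
static const unsigned char SIM_SIG[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};

static void sim_read_png(sim_png_struct *p, sim_info_struct *info,
                         const unsigned char *buf, size_t len) {
    if (len < 8 || memcmp(buf, SIM_SIG, 8) != 0) sim_error(p, "bad signature");
    p->palette = tracked_malloc(768);             /* owned by the png_struct */
    info->text = tracked_malloc(26);              /* owned by the png_info   */
    if (p->palette == NULL || info->text == NULL) sim_error(p, "out of memory");
    if (len < 9 || buf[8] != 'I') sim_error(p, "corrupt chunk");
}

/* Leaky harness shape: the error branch returns without destroying anything.
   Returns the number of bytes still live after the call (0 means no leak). */
size_t read_png_leaky(const unsigned char *buf, size_t len) {
    size_t before = live_bytes;
    sim_png_struct *p = sim_create_read_struct();
    sim_info_struct *info = sim_create_info_struct();
    if (p == NULL || info == NULL) { sim_destroy_read_struct(&p, &info); return live_bytes - before; }
    if (setjmp(p->jmpbuf) != 0)
        return live_bytes - before;               /* BUG: no destroy on the error path */
    sim_read_png(p, info, buf, len);
    sim_destroy_read_struct(&p, &info);           /* only the success path cleans up  */
    return live_bytes - before;
}

/* Fixed shape: the error branch destroys too, so nothing is left for ASan to report. */
size_t read_png_clean(const unsigned char *buf, size_t len) {
    size_t before = live_bytes;
    sim_png_struct *p = sim_create_read_struct();
    sim_info_struct *info = sim_create_info_struct();
    if (p == NULL || info == NULL) { sim_destroy_read_struct(&p, &info); return live_bytes - before; }
    if (setjmp(p->jmpbuf) != 0) {
        sim_destroy_read_struct(&p, &info);       /* FIX: release everything, then bail */
        return live_bytes - before;
    }
    sim_read_png(p, info, buf, len);
    sim_destroy_read_struct(&p, &info);
    return live_bytes - before;
}

/* Constructed sample inputs (not real PNG files): one well-formed, one whose
   chunk byte is wrong, standing in for the fuzzer-generated poc.png. */
static const unsigned char SAMPLE_GOOD[9] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n', 'I'};
static const unsigned char SAMPLE_BAD[9]  = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n', 'X'};

int main(void) {
    printf("leaky reader, corrupt input: %zu byte(s) leaked\n", read_png_leaky(SAMPLE_BAD, 9));
    printf("fixed reader, corrupt input: %zu byte(s) leaked\n", read_png_clean(SAMPLE_BAD, 9));
    printf("fixed reader, good input:    %zu byte(s) leaked\n", read_png_clean(SAMPLE_GOOD, 9));
    return 0;
}
```

With the corrupt input the leaky reader leaves exactly two struct-sized blocks plus 768 + 26 bytes live, the same direct-plus-indirect pattern as the four entries in the ASan output, while the fixed reader leaves nothing on either input. The point for anyone triaging such a report is that the indirect entries are consequences of the direct ones: once the caller frees the two structs on every exit path, the palette and text buffers they own go with them.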