
Memory leaks in png_malloc_base Function in libpng 1.6.43-1.6.46

Open kittener opened this issue 1 week ago • 0 comments

I found the vulnerability while testing my new fuzz tool.

Description

When running pngimage with AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive (hang). This suggests that certain allocations are not freed before exiting the program.

Steps to Reproduce

  1. Compile the application.
  2. Run the application using the following command: pngimage poc.png


  3. Observe that the application crashes, indicating a memory leak error.

Expected Behavior

The application should manage memory correctly without trying to access memory after it has been freed.

Actual Behavior

The application crashes, showing a heap use-after-free error. Here's the output from AddressSanitizer:

Direct leak of 352 byte(s) in 1 object(s) allocated from:
    #0 0x7f5c3813cc47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55a82f8fcbdf in png_malloc_base ../pngmem.c:97
    #2 0x55a82f8e7084 in png_create_info_struct ../png.c:376
    #3 0x55a82f8e17a1 in read_png ../contrib/libtests/pngimage.c:891
    #4 0x55a82f8e1889 in update_display ../contrib/libtests/pngimage.c:933
    #5 0x55a82f8e4c95 in test_one_file ../contrib/libtests/pngimage.c:1426
    #6 0x55a82f8e5211 in do_test ../contrib/libtests/pngimage.c:1577
    #7 0x55a82f8e5d8e in main ../contrib/libtests/pngimage.c:1681
    #8 0x7f5c37d520b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

Indirect leak of 7160 byte(s) in 1 object(s) allocated from:
    #0 0x7f5c3813cc47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55a82f8fcbdf in png_malloc_base ../pngmem.c:97
    #2 0x55a82f8fce6a in png_malloc_warn ../pngmem.c:215
    #3 0x55a82f8e6276 in png_zalloc ../png.c:119
    #4 0x7f5c38075bf9 in inflateInit2_ (/lib/x86_64-linux-gnu/libz.so.1+0x9bf9)
    #5 0x55a82f9315a7 in png_handle_iCCP ../pngrutil.c:1389
    #6 0x55a82f93aa53 in png_handle_chunk ../pngrutil.c:3213
    #7 0x55a82f8fd6df in png_read_info ../pngread.c:163
    #8 0x55a82f900489 in png_read_png ../pngread.c:874
    #9 0x55a82f8e1853 in read_png ../contrib/libtests/pngimage.c:904
    #10 0x55a82f8e1889 in update_display ../contrib/libtests/pngimage.c:933
    #11 0x55a82f8e4c95 in test_one_file ../contrib/libtests/pngimage.c:1426
    #12 0x55a82f8e5211 in do_test ../contrib/libtests/pngimage.c:1577
    #13 0x55a82f8e5d8e in main ../contrib/libtests/pngimage.c:1681
    #14 0x7f5c37d520b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

Indirect leak of 1240 byte(s) in 1 object(s) allocated from:
    #0 0x7f5c3813cc47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55a82f8fcbdf in png_malloc_base ../pngmem.c:97
    #2 0x55a82f8fce6a in png_malloc_warn ../pngmem.c:215
    #3 0x55a82f8e6d3a in png_create_png_struct ../png.c:327
    #4 0x55a82f8fd151 in png_create_read_struct_2 ../pngread.c:44
    #5 0x55a82f8fd0fa in png_create_read_struct ../pngread.c:32
    #6 0x55a82f8e1737 in read_png ../contrib/libtests/pngimage.c:883
    #7 0x55a82f8e1889 in update_display ../contrib/libtests/pngimage.c:933
    #8 0x55a82f8e4c95 in test_one_file ../contrib/libtests/pngimage.c:1426
    #9 0x55a82f8e5211 in do_test ../contrib/libtests/pngimage.c:1577
    #10 0x55a82f8e5d8e in main ../contrib/libtests/pngimage.c:1681
    #11 0x7f5c37d520b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

Indirect leak of 1024 byte(s) in 1 object(s) allocated from:
    #0 0x7f5c3813cc47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55a82f8fcbdf in png_malloc_base ../pngmem.c:97
    #2 0x55a82f8fce6a in png_malloc_warn ../pngmem.c:215
    #3 0x55a82f8e6276 in png_zalloc ../png.c:119
    #4 0x7f5c38076628 in inflate (/lib/x86_64-linux-gnu/libz.so.1+0xa628)

Indirect leak of 768 byte(s) in 1 object(s) allocated from:
    #0 0x7f5c3813cc47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55a82f8fcbdf in png_malloc_base ../pngmem.c:97
    #2 0x55a82f8fcdb7 in png_malloc ../pngmem.c:177
    #3 0x55a82f8fcb3e in png_calloc ../pngmem.c:53
    #4 0x55a82f943da1 in png_set_PLTE ../pngset.c:794
    #5 0x55a82f92fc1e in png_handle_PLTE ../pngrutil.c:1069
    #6 0x55a82f93aa53 in png_handle_chunk ../pngrutil.c:3213
    #7 0x55a82f8fd6df in png_read_info ../pngread.c:163
    #8 0x55a82f900489 in png_read_png ../pngread.c:874
    #9 0x55a82f8e1853 in read_png ../contrib/libtests/pngimage.c:904
    #10 0x55a82f8e1889 in update_display ../contrib/libtests/pngimage.c:933
    #11 0x55a82f8e4c95 in test_one_file ../contrib/libtests/pngimage.c:1426
    #12 0x55a82f8e5211 in do_test ../contrib/libtests/pngimage.c:1577
    #13 0x55a82f8e5d8e in main ../contrib/libtests/pngimage.c:1681
    #14 0x7f5c37d520b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: 10544 byte(s) leaked in 5 allocation(s).

by Kaiyu Xie

kittener, Feb 13 '25 03:02
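The LeakSanitizer records in the report are easier to triage once each leak is attributed to the frame that owns the allocation rather than to the png_malloc wrappers it passed through, and once the direct leak (the root object) is separated from the indirect leaks that are only reachable through it. The helper below is added here and is not part of the issue or of libpng; its sample input is constructed from two trimmed records of the report above.

```python
import re
from collections import defaultdict

# Constructed sample: two LeakSanitizer records from the report above, trimmed to a few frames each.
SAMPLE_REPORT = """\
Direct leak of 352 byte(s) in 1 object(s) allocated from:
    #0 0x7f5c3813cc47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55a82f8fcbdf in png_malloc_base ../pngmem.c:97
    #2 0x55a82f8e7084 in png_create_info_struct ../png.c:376

Indirect leak of 7160 byte(s) in 1 object(s) allocated from:
    #0 0x7f5c3813cc47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55a82f8fcbdf in png_malloc_base ../pngmem.c:97
    #2 0x55a82f8e6276 in png_zalloc ../png.c:119
    #3 0x7f5c38075bf9 in inflateInit2_ (/lib/x86_64-linux-gnu/libz.so.1+0x9bf9)
    #4 0x55a82f9315a7 in png_handle_iCCP ../pngrutil.c:1389

SUMMARY: AddressSanitizer: 7512 byte(s) leaked in 2 allocation(s).
"""
HEADER = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
SUMMARY = re.compile(r"SUMMARY: AddressSanitizer: (\d+) byte\(s\) leaked in (\d+) allocation\(s\)")
# Thin allocator wrappers allocate on a caller's behalf and never own the memory.
WRAPPERS = {"__interceptor_malloc", "png_malloc_base", "png_malloc_warn", "png_malloc", "png_calloc", "png_zalloc"}

def parse_leaks(text):
    """One (kind, nbytes, nobjects, frames) tuple per leak record; frames are (function, location)."""
    leaks, frames = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            frames = []
            leaks.append((m.group(1), int(m.group(2)), int(m.group(3)), frames))
        elif frames is not None and (m := FRAME.match(line)):
            frames.append((m.group(1), m.group(2)))
    return leaks

def owner(frames):
    """Innermost non-wrapper frame with a source location (shared-library frames such as zlib are skipped)."""
    return next((f for f, where in frames if f not in WRAPPERS and re.search(r"\.c:\d+$", where)), "<unknown>")

def summarize(text):
    """Leaked bytes per owning function, the direct-leak roots, and a check of the SUMMARY totals."""
    leaks, by_owner = parse_leaks(text), defaultdict(int)
    for _kind, nbytes, _n, frames in leaks:
        by_owner[owner(frames)] += nbytes
    roots = [owner(f) for kind, _b, _n, f in leaks if kind == "Direct"]  # indirect leaks hang off a root
    m = SUMMARY.search(text)
    ok = bool(m) and (int(m.group(1)), int(m.group(2))) == (sum(l[1] for l in leaks), sum(l[2] for l in leaks))
    return dict(by_owner), roots, ok
```

On the full report this attributes the single direct leak to png_create_info_struct, which points at the reader's error path (the info struct is never released) rather than at the chunk handlers that show up in the indirect records.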