From glennrp at comcast.net Mon Jul 16 13:34:00 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Mon, 16 Jul 2007 09:34:00 -0400
Subject: [Png-mng-security] Out-of-bounds read in iTXt, zTXt, iCCP, and sPLT handling
Message-ID: <3.0.6.32.20070716093400.01979538@mail.comcast.net>

A bug with out-of-bounds reading in zTXt was reported on the libpng bug tracker and is being discussed on png-mng-implement at lists.sf.net. I believe the same bug may exist in iTXt, iCCP, and sPLT handling.

Firefox and other gecko applications do not try to decode any of these ancillary chunks and therefore would not be vulnerable.

I do not know if this can lead to anything more than a DoS vulnerability. Analyses are welcome here or (if non-sensitive) on png-mng-implement.

I would like to resolve this before releasing libpng-1.2.19.

Glenn


From glennrp at comcast.net Wed Jul 18 11:36:40 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Wed, 18 Jul 2007 07:36:40 -0400
Subject: [Png-mng-security] Out-of-bounds read in iTXt, zTXt, iCCP, and sPLT handling
In-Reply-To: <3.0.6.32.20070716093400.01979538@mail.comcast.net>
Message-ID: <3.0.6.32.20070718073640.0197fea8@mail.comcast.net>

I made a set of sample files. They are in a tarball at http://www.simplesystems.org/libpng/short-chunks/

I don't observe any "interesting" behavior when I read them with pngcrush, pngtest, and ImageMagick. In some cases there should probably be libpng warnings but there aren't.

Glenn
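The four chunk types named in the thread share one layout: a Latin-1 keyword or name, a NUL separator, then one or more fixed-size bytes (compression method, compression flag, sample depth) before the variable-length body. A "short" chunk is one whose declared data length ends inside those fixed fields, so a parser that locates the NUL and then reads the next byte without comparing against the chunk length walks off the end of the buffer. The following is an added example, not code from the thread, from libpng or from the sample tarball, showing how a decoder can reject such chunks from the declared length alone; the chunk payloads at the bottom are constructed here for illustration, and the field layout follows the PNG specification for zTXt, iTXt, iCCP and sPLT.

```python
"""Bounds-checked parsing of the keyword-prefixed PNG ancillary chunks
(zTXt, iTXt, iCCP, sPLT).  Added example, not libpng code.  Every read
is checked against the chunk's declared data length before it happens,
so a chunk that ends inside a fixed field raises ShortChunk instead of
reading past the buffer."""
import struct
import zlib


class ShortChunk(ValueError):
    """A field would extend past the end of the chunk data."""


class ChunkReader:
    """Cursor over one chunk's data bytes that refuses to read beyond them."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def take(self, n: int) -> bytes:
        """Return the next n bytes, or raise ShortChunk if they are not there."""
        if self.pos + n > len(self.data):
            raise ShortChunk(f"need {n} byte(s) at offset {self.pos}, "
                             f"chunk has {len(self.data)}")
        out = self.data[self.pos:self.pos + n]
        self.pos += n
        return out

    def cstring(self, min_len=1, max_len=79) -> bytes:
        """Return the bytes before a NUL that must lie inside the chunk."""
        end = self.data.find(b"\x00", self.pos)
        if end < 0:
            raise ShortChunk("no NUL separator inside the chunk")
        s = self.data[self.pos:end]
        if len(s) < min_len or (max_len is not None and len(s) > max_len):
            raise ValueError("keyword length out of range")
        self.pos = end + 1
        return s

    def rest(self) -> bytes:
        out = self.data[self.pos:]
        self.pos = len(self.data)
        return out


def parse_ztxt(data: bytes):
    r = ChunkReader(data)
    keyword = r.cstring()
    method, = r.take(1)        # compression method: checked, not assumed present
    if method != 0:
        raise ValueError("unknown zTXt compression method")
    return keyword.decode("latin-1"), zlib.decompress(r.rest()).decode("latin-1")


def parse_itxt(data: bytes):
    r = ChunkReader(data)
    keyword = r.cstring()
    flag, method = r.take(2)   # compression flag, compression method
    if flag not in (0, 1) or method != 0:
        raise ValueError("bad iTXt compression fields")
    lang = r.cstring(min_len=0, max_len=None)   # language tag, may be empty
    tkey = r.cstring(min_len=0, max_len=None)   # translated keyword, may be empty
    body = r.rest()
    text = zlib.decompress(body) if flag else body
    return (keyword.decode("latin-1"), lang.decode("ascii"),
            tkey.decode("utf-8"), text.decode("utf-8"))


def parse_iccp(data: bytes):
    r = ChunkReader(data)
    name = r.cstring()
    method, = r.take(1)
    if method != 0:
        raise ValueError("unknown iCCP compression method")
    return name.decode("latin-1"), zlib.decompress(r.rest())


def parse_splt(data: bytes):
    r = ChunkReader(data)
    name = r.cstring()
    depth, = r.take(1)
    if depth not in (8, 16):
        raise ValueError("bad sPLT sample depth")
    fmt, size = (">BBBBH", 6) if depth == 8 else (">HHHHH", 10)
    body = r.rest()
    if len(body) % size:       # a partial palette entry is also a short read
        raise ShortChunk("sPLT entries truncated")
    entries = [struct.unpack(fmt, body[i:i + size]) for i in range(0, len(body), size)]
    return name.decode("latin-1"), depth, entries


PARSERS = {b"zTXt": parse_ztxt, b"iTXt": parse_itxt,
           b"iCCP": parse_iccp, b"sPLT": parse_splt}


def check_chunk(ctype: bytes, data: bytes) -> str:
    """Classify a chunk payload as 'ok', 'short' (truncated fields) or 'invalid'."""
    try:
        PARSERS[ctype](data)
        return "ok"
    except ShortChunk:
        return "short"
    except (ValueError, zlib.error):
        return "invalid"


# Constructed sample payloads (chunk data only; no length, type or CRC).
SAMPLES = {
    "ztxt_ok":      (b"zTXt", b"Comment\x00\x00" + zlib.compress(b"hello")),
    "ztxt_no_nul":  (b"zTXt", b"Comment"),        # NUL never found
    "ztxt_no_meth": (b"zTXt", b"Comment\x00"),    # ends right after the NUL
    "itxt_ok":      (b"iTXt", b"Title\x00\x00\x00en\x00\x00Hi"),
    "iccp_short":   (b"iCCP", b"sRGB\x00"),
    "splt_short":   (b"sPLT", b"pal\x00\x08" + bytes([1, 2, 3, 4, 0])),
}

if __name__ == "__main__":
    for name, (ctype, data) in SAMPLES.items():
        print(f"{name:14s} {check_chunk(ctype, data)}")
```

The point of `ChunkReader.take` is that the byte after the NUL is fetched through the same length check as everything else; a C implementation gets the same property by comparing the keyword length plus the fixed-field size against the chunk length before indexing. The "short" results are where a decoder should emit a warning or reject the chunk, which is the behaviour the second message notes was missing.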