[Png-mng-security] security bug in png_handle_tRNS

Glenn Randers-Pehrson glennrp at comcast.net
Sat May 5 08:55:59 UTC 2007


Please keep this close-held until libpng-1.2.17 has been released.

A security bug has been reported to mozilla.

It seems that a grayscale image with a malformed (bad CRC) tRNS chunk
will crash libpng and mozilla.  In my experience it also brought down
my Windows display manager.

The reason is that png_ptr->num_trans is set to 1 and then there is
an error return after checking the CRC, so the trans[] array is never
allocated.  Since png_ptr->num_trans is nonzero, libpng tries to use
the array later.  Here is the fix, thanks to Mats Palmgren:

At line 1316 of pngrutil.c, change

   if (png_crc_finish(png_ptr, 0))
      return;

to

   if (png_crc_finish(png_ptr, 0))
   {
      png_ptr->num_trans = 0;
      return;
   }

Libpng-1.2.17rc1 does not contain this fix.

Glenn
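The state inconsistency described above, as an added example that is not libpng's code or part of the original post: a mock reader struct (`reader_t`, `crc_finish_mock` and the handler names are assumptions) shows the "before" handler leaving `num_trans == 1` with an unallocated array after a bad-CRC chunk, and the "after" handler restoring a consistent state, checked by a small invariant function.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Minimal stand-in for the libpng reader state (mock, not libpng's struct). */
typedef struct {
    int      num_trans;   /* number of transparency entries */
    uint8_t *trans;       /* allocated only after the CRC checks out */
} reader_t;

/* Mock CRC check: nonzero return means "bad CRC, chunk discarded",
 * matching the sense of png_crc_finish's return value in the post. */
static int crc_finish_mock(int crc_is_bad) { return crc_is_bad; }

/* 'Before' handler: mirrors the described defect. num_trans is set before
 * the CRC is verified, and the error path returns without undoing it. */
static void handle_trns_buggy(reader_t *r, int crc_is_bad) {
    r->num_trans = 1;
    if (crc_finish_mock(crc_is_bad))
        return;                     /* num_trans stays 1, trans stays NULL */
    r->trans = malloc(1);
    if (r->trans) r->trans[0] = 0;
}

/* 'After' handler: the fix quoted in the post, reset the count on error. */
static void handle_trns_fixed(reader_t *r, int crc_is_bad) {
    r->num_trans = 1;
    if (crc_finish_mock(crc_is_bad)) {
        r->num_trans = 0;           /* state is consistent again */
        return;
    }
    r->trans = malloc(1);
    if (r->trans) r->trans[0] = 0;
}

/* Invariant later stages rely on: nonzero count implies an allocated array.
 * Returns 1 if consistent, 0 if a later use of trans[] would hit NULL. */
static int trans_state_consistent(const reader_t *r) {
    return r->num_trans == 0 || r->trans != NULL;
}

/* Run one handler on a constructed chunk (crc_is_bad = 1 models the
 * malformed tRNS chunk) and report whether the state is still consistent. */
static int run_handler(void (*handler)(reader_t *, int), int crc_is_bad) {
    reader_t r = { 0, NULL };
    handler(&r, crc_is_bad);
    int ok = trans_state_consistent(&r);
    free(r.trans);
    return ok;
}
```

A regression test for the real reader can apply the same invariant: after any rejected tRNS chunk, `num_trans` must be zero.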


