[Png-mng-security] security bug in png_handle_tRNS
Glenn Randers-Pehrson
glennrp at comcast.net
Sat May 5 08:55:59 UTC 2007
Please keep this close-held until libpng-1.2.17 has been released.
A security bug has been reported to Mozilla.
It seems that a grayscale image with a malformed (bad CRC) tRNS chunk
will crash libpng and Mozilla. In my experience it also brought down
my Windows display manager.
The reason is that png_ptr->num_trans is set to 1 and then there is
an error return after checking the CRC, so the trans[] array is never
allocated. Since png_ptr->num_trans is nonzero, libpng tries to use
the array later. Here is the fix, thanks to Mats Palmgren:
At line 1316 of pngrutil.c, change

    if (png_crc_finish(png_ptr, 0))
        return;

to

    if (png_crc_finish(png_ptr, 0))
    {
        png_ptr->num_trans = 0;
        return;
    }
Libpng-1.2.17rc1 does not contain this fix.
Glenn
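The state-ordering problem described in the report, as an added illustration that is not part of the original message and not libpng's own code: a constructed, simplified reader state (the `reader_state` struct, the `accept_trns` allocation step and the `run_case` driver are assumptions of this model), with the handler written once in the order the report describes and once with the fix applied, plus the invariant check (nonzero `num_trans` implies an allocated `trans[]`) that the later consumer depends on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified model of the libpng reader state named in the report.
 * It is not libpng's png_struct; only the fields the bug touches are modelled. */
typedef struct {
    int num_trans;          /* transparency entries the decoder believes exist */
    uint16_t trans_gray;    /* the grayscale transparency sample read from tRNS */
    unsigned char *trans;   /* transparency array; NULL until the chunk is accepted */
} reader_state;

/* CRC-32 with the PNG polynomial, computed bitwise so no table is needed. */
static uint32_t png_crc32(const unsigned char *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (c >> 1) ^ 0xEDB88320u : (c >> 1);
    }
    return c ^ 0xFFFFFFFFu;
}

/* Stand-in for png_crc_finish(): nonzero means the stored CRC does not match.
 * As in PNG, the CRC covers the 4-byte chunk type followed by the chunk data. */
static int crc_finish(const unsigned char *type_and_data, size_t len, uint32_t stored_crc)
{
    return png_crc32(type_and_data, len) != stored_crc;
}

/* Shared tail: allocate the transparency array once the chunk is trusted
 * (an assumption of this model; libpng's own allocation path differs). */
static int accept_trns(reader_state *png_ptr)
{
    png_ptr->trans = malloc(1);
    if (png_ptr->trans == NULL) {
        png_ptr->num_trans = 0;
        return -1;
    }
    png_ptr->trans[0] = 0;
    return 0;
}

/* Ordering described in the report: num_trans is set before the CRC is checked
 * and a CRC failure returns without undoing it. */
static int handle_trns_before_fix(reader_state *png_ptr, const unsigned char *chunk,
                                  size_t len, uint32_t stored_crc)
{
    if (len != 4 + 2)               /* grayscale tRNS: chunk type + one 16-bit sample */
        return -1;
    png_ptr->num_trans = 1;
    png_ptr->trans_gray = (uint16_t)((chunk[4] << 8) | chunk[5]);
    if (crc_finish(chunk, len, stored_crc))
        return -1;                  /* bug: num_trans is still 1, trans is still NULL */
    return accept_trns(png_ptr);
}

/* The same handler with the fix from the report applied on the CRC-error path. */
static int handle_trns_after_fix(reader_state *png_ptr, const unsigned char *chunk,
                                 size_t len, uint32_t stored_crc)
{
    if (len != 4 + 2)
        return -1;
    png_ptr->num_trans = 1;
    png_ptr->trans_gray = (uint16_t)((chunk[4] << 8) | chunk[5]);
    if (crc_finish(chunk, len, stored_crc)) {
        png_ptr->num_trans = 0;     /* the fix: no entries means nothing to dereference */
        return -1;
    }
    return accept_trns(png_ptr);
}

/* The invariant later code relies on: nonzero num_trans implies trans[] exists.
 * Returns 1 when the state is safe to use, 0 when a consumer would touch memory
 * that was never allocated. */
static int trans_state_consistent(const reader_state *png_ptr)
{
    return png_ptr->num_trans == 0 || png_ptr->trans != NULL;
}

/* Builds a constructed grayscale tRNS chunk, optionally with a corrupted CRC, runs it
 * through the chosen handler and reports whether the resulting state is consistent. */
static int run_case(int use_fix, int corrupt_crc)
{
    unsigned char chunk[6] = { 't', 'R', 'N', 'S', 0x00, 0x10 };
    uint32_t crc = png_crc32(chunk, sizeof chunk);
    if (corrupt_crc)
        crc ^= 1u;                  /* flip one bit so the CRC check rejects the chunk */
    reader_state st = { 0, 0, NULL };
    if (use_fix)
        handle_trns_after_fix(&st, chunk, sizeof chunk, crc);
    else
        handle_trns_before_fix(&st, chunk, sizeof chunk, crc);
    int consistent = trans_state_consistent(&st);
    free(st.trans);
    return consistent;
}

int main(void)
{
    printf("before fix, bad CRC: %s\n", run_case(0, 1) ? "consistent" : "num_trans=1 with no trans[]");
    printf("after fix,  bad CRC: %s\n", run_case(1, 1) ? "consistent" : "inconsistent");
    return 0;
}
```

The point the model makes is that the crash is not in the CRC check itself but in the bookkeeping around it: any early return taken after a count field has been bumped must restore that count, or every later consumer that trusts the count inherits the bug. A regression check for this class of defect is exactly `trans_state_consistent()` run after feeding a chunk whose CRC has been deliberately corrupted.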