[Png-mng-security] security bug in png_handle_tRNS

Tom Lane tgl at sss.pgh.pa.us
Sun May 13 01:01:33 UTC 2007


I wrote:
> BTW, could I trouble someone for a small test image that exhibits this bug?

Never mind, I made my own (attached if you need it).  A couple of
observations:

* The original bug report seems incorrect, as it specifies a grayscale
image; AFAICT the failure happens only with palette images.  I don't
see anyplace that touches png_ptr->trans for grayscale, except for a
couple of 

   if (png_ptr->free_me & PNG_FREE_TRNS)
      png_free(png_ptr, png_ptr->trans);

which aren't going to be exercised anyway because the free-bit won't get
set.  (Hence the risk seems only to be a null-pointer dereference, not
an invalid free().)

* I could not get the crash to happen with pngtopnm --- I guess that
program does not call for any of the transforms that reference
transparency ... or else the copy I'm using is not compiled to make null
pointer derefs crash?

Anyway it crashes Firefox nicely.

			regards, tom lane

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 958 bytes
Desc: bad-trns.png
URL: <http://lists.osuosl.org/pipermail/png-mng-security-archive/attachments/20070512/42de8d1f/attachment.obj>
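An added defensive check, written for this archive page and not taken from Tom Lane's message or from libpng, that walks a PNG's chunk list and rejects a tRNS chunk the PNG specification forbids in a palette image (colour type 3): one that arrives before PLTE, an empty one, or one carrying more alpha entries than the palette has. The constructed sample file, build_palette_png and check_constructed are assumptions of this example; the check does not reproduce libpng's own png_handle_tRNS logic and ignores chunk CRCs.

```c
#include <stdint.h>
#include <string.h>

static const uint8_t PNG_SIG[8] = {137, 80, 78, 71, 13, 10, 26, 10};

/* Walks a PNG's chunks and enforces the spec's tRNS rules for palette images
 * (colour type 3): PLTE precedes tRNS, tRNS is non-empty and has at most one
 * alpha byte per palette entry. Returns 1 if ok, 0 on a violation or a
 * truncated chunk. Chunk CRCs are not verified. */
int check_trns(const uint8_t *buf, size_t len) {
    size_t pos = 8; int color_type = -1; uint32_t palette_entries = 0;
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return 0;
    while (pos + 12 <= len) {
        uint32_t clen = ((uint32_t)buf[pos] << 24) | ((uint32_t)buf[pos + 1] << 16) |
                        ((uint32_t)buf[pos + 2] << 8) | buf[pos + 3];
        const uint8_t *type = buf + pos + 4, *data = buf + pos + 8;
        if (clen > len - pos - 12) return 0;                /* truncated chunk */
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return 0;
            color_type = data[9];                           /* IHDR colour type byte */
        } else if (memcmp(type, "PLTE", 4) == 0) {
            if (clen == 0 || clen % 3 != 0) return 0;
            palette_entries = clen / 3;
        } else if (memcmp(type, "tRNS", 4) == 0 && color_type == 3) {
            /* Before PLTE, empty, or more entries than the palette: reject. */
            if (palette_entries == 0 || clen == 0 || clen > palette_entries) return 0;
        } else if (memcmp(type, "IEND", 4) == 0) return 1;
        pos += 12 + clen;
    }
    return 0;                                                /* no IEND seen */
}

/* Appends one chunk; the CRC is left zero because check_trns ignores it. */
static size_t put_chunk(uint8_t *o, size_t p, const char *type, const uint8_t *d, uint32_t n) {
    o[p] = n >> 24; o[p + 1] = n >> 16; o[p + 2] = n >> 8; o[p + 3] = n;
    memcpy(o + p + 4, type, 4); memcpy(o + p + 8, d, n); memset(o + p + 8 + n, 0, 4);
    return p + 12 + n;
}

/* Constructed 1x1 two-entry palette PNG (IDAT omitted) with a tRNS of trns_len (0..3) bytes. */
size_t build_palette_png(uint8_t *out, uint32_t trns_len) {
    static const uint8_t ihdr[13] = {0, 0, 0, 1, 0, 0, 0, 1, 8, 3, 0, 0, 0};
    static const uint8_t plte[6] = {0, 0, 0, 255, 255, 255}, alpha[3] = {0, 128, 255};
    size_t pos = 8; memcpy(out, PNG_SIG, 8);
    pos = put_chunk(out, pos, "IHDR", ihdr, 13);
    pos = put_chunk(out, pos, "PLTE", plte, 6);
    pos = put_chunk(out, pos, "tRNS", alpha, trns_len);
    return put_chunk(out, pos, "IEND", alpha, 0);
}

int check_constructed(uint32_t trns_len) {        /* builds the sample and validates it */
    uint8_t buf[128];
    return check_trns(buf, build_palette_png(buf, trns_len));
}
```

A tRNS with one or two alpha bytes passes for the two-entry palette, while an empty tRNS or one with three entries is rejected before any decoder would act on it.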