[Png-mng-security] security bug in png_handle_tRNS
Greg Roelofs
newt at pobox.com
Wed May 16 21:49:53 UTC 2007
> Glenn Randers-Pehrson <glennrp at comcast.net> writes:
>> Here is a draft advisory. It's pretty much the same as my original
>> announcement except that the fix is presented as a patch. Tom, I think
>> "grayscale" is correct.
> Well, I can crash firefox with a palette image and not with a grayscale
> one ...
Huh, I missed that comment. Tom's correct--both test images are definitely
palette PNGs, and I believe I verified that both of them crash XV in the
expected way:
File: libpng-bad-tRNS-chunk-grp-bug374810.png (26695 bytes)
chunk IHDR at offset 0x0000c, length 13
200 x 200 image, 4-bit palette, non-interlaced
chunk PLTE at offset 0x00025, length 48: 16 palette entries
chunk tRNS at offset 0x00061, length 1: 1 transparency entry
CRC error in chunk tRNS (computed 40e6d866, expected 40e6d80f)
ERRORS DETECTED in libpng-bad-tRNS-chunk-grp-bug374810.png
File: libpng-bad-tRNS-chunk-tgl.png (958 bytes)
chunk IHDR at offset 0x0000c, length 13
216 x 1 image, 8-bit palette, non-interlaced
chunk PLTE at offset 0x00025, length 648: 216 palette entries
chunk tRNS at offset 0x002b9, length 1: 1 transparency entry
CRC error in chunk tRNS (computed 40e6d866, expected 40e6d865)
ERRORS DETECTED in libpng-bad-tRNS-chunk-tgl.png
Greg
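An added example, not part of this message and not libpng's own code: a small C chunk walker that applies the two checks pngcheck reported on both files above, verifying each chunk CRC and validating the tRNS length against the IHDR colour type and the PLTE entry count. The chunk layout and the tRNS length rules are taken from the PNG specification; the function names, status codes and the in-memory sample images (header chunks only, no IDAT) are constructed for this example. Note that a 1-entry tRNS for a 16-entry palette, as in the first file, is permitted by the spec, so on that file the only defect such a walker can flag is the CRC mismatch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum png_status { PNG_OK = 0, PNG_ERR_SIGNATURE, PNG_ERR_TRUNCATED, PNG_ERR_CRC,
                  PNG_ERR_IHDR, PNG_ERR_PLTE, PNG_ERR_TRNS_LENGTH, PNG_ERR_ORDER };

struct png_state {
    uint8_t bit_depth, color_type;
    int have_ihdr, have_plte;
    unsigned num_palette, num_trans;
    char last_chunk[5];          /* type of the chunk being processed when we stopped */
};

/* CRC-32 as specified for PNG chunks (same polynomial and conventions as zlib). */
static uint32_t crc32_png(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* tRNS length rules from the PNG specification, keyed on the IHDR colour type. */
static enum png_status check_trns(struct png_state *st, uint32_t len) {
    switch (st->color_type) {
    case 3:  /* palette: one alpha byte per entry, never more entries than PLTE has */
        if (!st->have_plte) return PNG_ERR_ORDER;
        if (len == 0 || len > st->num_palette) return PNG_ERR_TRNS_LENGTH;
        st->num_trans = len; return PNG_OK;
    case 0:  /* greyscale: exactly one 2-byte sample */
        if (len != 2) return PNG_ERR_TRNS_LENGTH;
        st->num_trans = 1; return PNG_OK;
    case 2:  /* truecolour: exactly three 2-byte samples */
        if (len != 6) return PNG_ERR_TRNS_LENGTH;
        st->num_trans = 1; return PNG_OK;
    default: /* colour types 4 and 6 already carry alpha; tRNS is not allowed */
        return PNG_ERR_TRNS_LENGTH;
    }
}

/* Walk the chunk stream: stop at the first CRC, length or ordering violation. */
enum png_status png_walk(const uint8_t *buf, size_t n, struct png_state *st) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    memset(st, 0, sizeof *st);
    if (n < 8 || memcmp(buf, sig, 8) != 0) return PNG_ERR_SIGNATURE;
    for (size_t off = 8; off + 12 <= n; ) {
        uint32_t len = be32(buf + off);
        const uint8_t *type = buf + off + 4, *data = type + 4;
        memcpy(st->last_chunk, type, 4);
        if (len > 0x7FFFFFFFu || len > n - off - 12) return PNG_ERR_TRUNCATED;
        /* The CRC covers the type and data fields but not the length field. */
        if (crc32_png(type, 4 + len) != be32(data + len)) return PNG_ERR_CRC;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (len != 13 || st->have_ihdr) return PNG_ERR_IHDR;
            st->bit_depth = data[8]; st->color_type = data[9]; st->have_ihdr = 1;
        } else if (!st->have_ihdr) {
            return PNG_ERR_ORDER;
        } else if (memcmp(type, "PLTE", 4) == 0) {
            unsigned max_entries = st->bit_depth < 8 ? 1u << st->bit_depth : 256u;
            if (len == 0 || len % 3 || len / 3 > max_entries) return PNG_ERR_PLTE;
            st->num_palette = len / 3; st->have_plte = 1;
        } else if (memcmp(type, "tRNS", 4) == 0) {
            enum png_status s = check_trns(st, len);
            if (s != PNG_OK) return s;
        } else if (memcmp(type, "IEND", 4) == 0) {
            return PNG_OK;
        }
        off += 12 + len;
    }
    return PNG_ERR_TRUNCATED;   /* ran off the end without IEND */
}

/* Append one chunk (length, type, data, CRC); crc_xor != 0 deliberately corrupts the CRC. */
static size_t put_chunk(uint8_t *out, size_t off, const char *type,
                        const uint8_t *data, uint32_t len, uint32_t crc_xor) {
    out[off] = (uint8_t)(len >> 24); out[off+1] = (uint8_t)(len >> 16);
    out[off+2] = (uint8_t)(len >> 8); out[off+3] = (uint8_t)len;
    memcpy(out + off + 4, type, 4);
    if (len) memcpy(out + off + 8, data, len);
    uint32_t crc = crc32_png(out + off + 4, 4 + len) ^ crc_xor;
    out[off+8+len] = (uint8_t)(crc >> 24); out[off+9+len] = (uint8_t)(crc >> 16);
    out[off+10+len] = (uint8_t)(crc >> 8); out[off+11+len] = (uint8_t)crc;
    return off + 12 + len;
}

/* Constructed samples (not the files from the message):
 * 0: well-formed 200x200 4-bit palette image, 16 PLTE entries, 1 tRNS entry
 * 1: as 0, but the tRNS CRC is corrupted
 * 2: as 0, but tRNS claims 17 entries for a 16-entry palette
 * 3: 8-bit greyscale IHDR with a 1-byte tRNS (spec requires 2 bytes) */
size_t build_sample(uint8_t *out, int variant) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    uint8_t ihdr[13] = {0, 0, 0, 200, 0, 0, 0, 200, 4, 3, 0, 0, 0};
    uint8_t plte[48], trns[17];
    memset(plte, 0x80, sizeof plte); memset(trns, 0x00, sizeof trns);
    if (variant == 3) { ihdr[8] = 8; ihdr[9] = 0; }
    memcpy(out, sig, 8);
    size_t off = put_chunk(out, 8, "IHDR", ihdr, 13, 0);
    if (variant != 3) off = put_chunk(out, off, "PLTE", plte, 48, 0);
    off = put_chunk(out, off, "tRNS", trns, variant == 2 ? 17 : 1, variant == 1 ? 0x69 : 0);
    return put_chunk(out, off, "IEND", NULL, 0, 0);
}

/* Build one variant in memory and run the walker over it. */
enum png_status check_variant(int variant, struct png_state *st) {
    uint8_t buf[256];
    return png_walk(buf, build_sample(buf, variant), st);
}

int main(void) {
    static const char *names[] = {"valid", "bad tRNS CRC", "tRNS longer than PLTE", "grey tRNS len 1"};
    for (int v = 0; v < 4; v++) {
        struct png_state st;
        enum png_status s = check_variant(v, &st);
        printf("%-22s -> status %d, stopped at chunk %s\n", names[v], (int)s, st.last_chunk);
    }
    return 0;
}
```

A decoder that performs these checks before touching any tRNS data never reads more alpha bytes than the palette has entries, and treats a CRC mismatch as a reason to stop rather than to continue with the partially read chunk.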