From taviso at sdf.lonestar.org  Sat Sep 22 03:58:45 2007
From: taviso at sdf.lonestar.org (Tavis Ormandy)
Date: Sat, 22 Sep 2007 04:58:45 +0100
Subject: [Png-mng-security] pCAL reading past buffer end
Message-ID: <20070922035845.GA13970@sdf.lonestar.org>

Hey Glenn/Greg/Pngers,

I think this loop condition from png_handle_pCAL() is in the wrong
order, as if buf > endptr, it will still be dereferenced to check for '\0'.

      png_debug1(3, "Reading pCAL parameter %d\n", i);
      for (params[i] = buf; *buf != 0x00 && buf <= endptr; buf++)
         /* Empty loop to move past each parameter string */ ;

Obviously this is pretty minor, but in the unlikely case that buf ends on a
page boundary, this could cause a crash. Just switching it should solve the
problem, ie buf <= endptr && *buf != 0x00.

This bug was found with flayer, http://code.google.com/p/flayer/

Thanks, Tavis.

-- 
-------------------------------------
taviso at sdf.lonestar.org | finger me for my pgp key.
-------------------------------------------------------


From glennrp at comcast.net  Sat Sep 22 11:51:25 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Sat, 22 Sep 2007 07:51:25 -0400
Subject: [Png-mng-security] pCAL reading past buffer end
In-Reply-To: <20070922035845.GA13970@sdf.lonestar.org>
Message-ID: <3.0.6.32.20070922075125.01291d28@mail.comcast.net>

At 04:58 AM 9/22/2007 +0100, Tavis Ormandy wrote:
>Hey Glenn/Greg/Pngers,
>
>I think this loop condition from png_handle_pCAL() is in the wrong
>order, as if buf > endptr, it will still be dereferenced to check for '\0'.
>
>      png_debug1(3, "Reading pCAL parameter %d\n", i);
>      for (params[i] = buf; *buf != 0x00 && buf <= endptr; buf++)
>         /* Empty loop to move past each parameter string */ ;
>
>Obviously this is pretty minor, but in the unlikely case that buf ends on a
>page boundary, this could cause a crash. Just switching it should solve the
>problem, ie buf <= endptr && *buf != 0x00.
>
>This bug was found with flayer, http://code.google.com/p/flayer/

Thanks. I'll make the change in libpng-1.2.21rc1, due out on Monday
September 25th.

BTW gecko implementations (firefox, mozilla, etc.) are immune to this
problem because pCAL processing is not enabled.

Glenn


From newt at pobox.com  Sat Sep 22 16:29:20 2007
From: newt at pobox.com (Greg Roelofs)
Date: Sat, 22 Sep 2007 09:29:20 -0700
Subject: [Png-mng-security] pCAL reading past buffer end
In-Reply-To: <20070922035845.GA13970@sdf.lonestar.org>
Message-ID: <200709221629.l8MGTKpI023674@bolt.sonic.net>

Hey Tavis,

> This bug was found with flayer, http://code.google.com/p/flayer/

Amusingly enough, we were just discussing it (and you) on Tuesday. Glenn
came across a blog entry mentioning it in relationship to libpng, libtiff,
etc.

Thanks,
Greg


From taviso at sdf.lonestar.org  Mon Sep 24 03:00:27 2007
From: taviso at sdf.lonestar.org (Tavis Ormandy)
Date: Mon, 24 Sep 2007 04:00:27 +0100
Subject: [Png-mng-security] pCAL reading past buffer end
In-Reply-To: <200709221629.l8MGTKpI023674@bolt.sonic.net>
References: <20070922035845.GA13970@sdf.lonestar.org>
	<200709221629.l8MGTKpI023674@bolt.sonic.net>
Message-ID: <20070924030027.GB5046@sdf.lonestar.org>

On Sat, Sep 22, 2007 at 09:29:20AM -0700, Greg Roelofs wrote:
> Hey Tavis,
> 
> > This bug was found with flayer, http://code.google.com/p/flayer/
> 
> Amusingly enough, we were just discussing it (and you) on Tuesday. Glenn
> came across a blog entry mentioning it in relationship to libpng, libtiff,
> etc.
> 

Ahh!

libpng is a really great target for flayer, so I'm gradually working on
exploring as much of the code with it as possible. It's a pretty slow
process, but much more useful than static analysis (where in the unlikely
event that a legitimate bug is found, it's buried in a sea of false
positives). But libpng is such clean, well organised code that it's very
easy to work with.

If anything else turns up, I'll let you know :)

Thanks, Tavis.

-- 
-------------------------------------
taviso at sdf.lonestar.org | finger me for my pgp key.
-------------------------------------------------------


From taviso at sdf.lonestar.org  Tue Sep 25 23:24:24 2007
From: taviso at sdf.lonestar.org (Tavis Ormandy)
Date: Wed, 26 Sep 2007 00:24:24 +0100
Subject: [Png-mng-security] zTXt incorrect buffer check
Message-ID: <20070925232424.GA8125@sdf.lonestar.org>

Hello again, flayer turned up another bug, the recent fix for this bug
seems incorrect:

https://sourceforge.net/tracker/?func=detail&atid=105624&aid=1753723&group_id=5624

   /* TAVISO: assume the entire contents of the chunk is non-zero */
   chunkdata[slength] = 0x00;

   for (text = chunkdata; *text; text++)
      /* empty loop */ ;

   /* TAVISO: text points to &chunkdata[slength], not chunkdata + slength - 1 */

   /* zTXt must have some text after the chunkdataword */
   if (text == chunkdata + slength - 1)
   {
      comp_type = PNG_TEXT_COMPRESSION_NONE;
      png_warning(png_ptr, "Zero length zTXt chunk");
   }
   else
   {
      /* TAVISO: out of bounds read */
      comp_type = *(++text);

I suppose the correct check should have been text >= chunkdata + slength - 2?

You can make an image with a zTXt chunk consisting entirely of non-zero
bytes, then running it under valgrind reveals this bug.

Thanks, Tavis.

-- 
-------------------------------------
taviso at sdf.lonestar.org | finger me for my pgp key.
-------------------------------------------------------


From taviso at sdf.lonestar.org  Wed Sep 26 00:44:10 2007
From: taviso at sdf.lonestar.org (Tavis Ormandy)
Date: Wed, 26 Sep 2007 01:44:10 +0100
Subject: [Png-mng-security] zTXt incorrect buffer check
In-Reply-To: <20070925232424.GA8125@sdf.lonestar.org>
References: <20070925232424.GA8125@sdf.lonestar.org>
Message-ID: <20070926004410.GB30349@sdf.lonestar.org>

On Wed, Sep 26, 2007 at 12:24:24AM +0100, Tavis Ormandy wrote:
> ...

Just a note, pretty much exactly the same thing is possible in
png_handle_sCAL

Thanks, Tavis.

-- 
-------------------------------------
taviso at sdf.lonestar.org | finger me for my pgp key.
-------------------------------------------------------


From glennrp at comcast.net  Wed Sep 26 00:54:28 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Tue, 25 Sep 2007 20:54:28 -0400
Subject: [Png-mng-security] zTXt incorrect buffer check
In-Reply-To: <20070925232424.GA8125@sdf.lonestar.org>
Message-ID: <3.0.6.32.20070925205428.012a56b0@mail.comcast.net>

At 12:24 AM 9/26/2007 +0100, Tavis Ormandy wrote:
>Hello again, flayer turned up another bug

>I suppose the correct check should have been text >= chunkdata + slength - 2?

Thanks; I've made this change in libpng-1.2.21rc1.

Since both bugs are pretty useless for attacking browsers I mentioned
them in the change log.

Glenn


From glennrp at comcast.net  Wed Sep 26 01:16:05 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Tue, 25 Sep 2007 21:16:05 -0400
Subject: [Png-mng-security] zTXt incorrect buffer check
In-Reply-To: <20070926004410.GB30349@sdf.lonestar.org>
References: <20070925232424.GA8125@sdf.lonestar.org>
	<20070925232424.GA8125@sdf.lonestar.org>
Message-ID: <3.0.6.32.20070925211605.012a56b0@mail.comcast.net>

At 01:44 AM 9/26/2007 +0100, Tavis Ormandy wrote:
>On Wed, Sep 26, 2007 at 12:24:24AM +0100, Tavis Ormandy wrote:
>> ...
>
>Just a note, pretty much exactly the same thing is possible in
>png_handle_sCAL

OK. Too late for libpng-1.2.21rc1 but I'll slip it into the 1.2.21
release, due out in a week.

Glenn


From glennrp at comcast.net  Wed Sep 26 14:19:07 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Wed, 26 Sep 2007 10:19:07 -0400
Subject: [Png-mng-security] zTXt incorrect buffer check
In-Reply-To: <20070926004410.GB30349@sdf.lonestar.org>
References: <20070925232424.GA8125@sdf.lonestar.org>
	<20070925232424.GA8125@sdf.lonestar.org>
Message-ID: <3.0.6.32.20070926101907.01294ad8@mail.comcast.net>

At 01:44 AM 9/26/2007 +0100, Tavis Ormandy wrote:
>On Wed, Sep 26, 2007 at 12:24:24AM +0100, Tavis Ormandy wrote:
>> ...
>
>Just a note, pretty much exactly the same thing is possible in
>png_handle_sCAL
>
>Thanks, Tavis.

There seems to be the same situation in iTXt as well (iTXt might
be ifdef'ed out of the version you are testing). It has three of
those empty loops but only checks two of them for overflow.

Glenn


From glennrp at comcast.net  Wed Sep 26 21:13:59 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Wed, 26 Sep 2007 17:13:59 -0400
Subject: [Png-mng-security] zTXt incorrect buffer check
In-Reply-To: <3.0.6.32.20070926101907.01294ad8@mail.comcast.net>
References: <20070926004410.GB30349@sdf.lonestar.org>
	<20070925232424.GA8125@sdf.lonestar.org>
	<20070925232424.GA8125@sdf.lonestar.org>
Message-ID: <3.0.6.32.20070926171359.0129a2b0@mail.comcast.net>

>
>There seems to be the same situation in iTXt as well (iTXt might
>be ifdef'ed out of the version you are testing). It has three of
>those empty loops but only checks two of them for overflow.

There are more unchecked empty loops in pngpread.c. I'll put up
libpng-1.2.21rc2 tonight or tomorrow with fixes.

Glenn


From glennrp at comcast.net  Thu Sep 27 03:42:32 2007
From: glennrp at comcast.net (Glenn Randers-Pehrson)
Date: Wed, 26 Sep 2007 23:42:32 -0400
Subject: [Png-mng-security] zTXt incorrect buffer check
In-Reply-To: <20070926004410.GB30349@sdf.lonestar.org>
References: <20070925232424.GA8125@sdf.lonestar.org>
	<20070925232424.GA8125@sdf.lonestar.org>
Message-ID: <3.0.6.32.20070926234232.012ac4a8@mail.comcast.net>

Please check the fixes in libpng-1.2.21rc2 (in pngrutil.c and pngpread.c).
They are all similar but slightly different, so there's a lot of room for
off-by-one errors on my part.

Glenn
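Both reports in this thread are the same defect in two forms: an "empty loop" that walks a chunk buffer looking for a NUL terminator either dereferences before it bounds-checks (pCAL: `*buf != 0x00 && buf <= endptr`) or finds no terminator at all and then reads the byte after the buffer (zTXt: `comp_type = *(++text)`). The following is an added illustration written for this archive, not libpng code: a bounded NUL scanner with the length test evaluated first, used by a zTXt-style parser that verifies the compression-type byte exists before reading it. The names `scan_nul`, `parse_ztxt`, `ztxt_view` and the sample chunk bodies are this example's own constructions; the 1..79-byte keyword limit is the PNG specification's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bounded scan for a NUL in the half-open range [buf, end).
 * The bounds test comes first in the && so that *buf is never evaluated
 * once buf reaches end (the pCAL loop tested *buf before buf <= endptr).
 * Returns a pointer to the NUL, or NULL when the range holds none. */
static const uint8_t *scan_nul(const uint8_t *buf, const uint8_t *end)
{
    for (; buf < end && *buf != 0x00; buf++)
        ;                     /* empty loop, like libpng's, but safely bounded */
    return (buf < end) ? buf : NULL;
}

/* A parsed view of a zTXt-like body: keyword NUL comp_type compressed-data.
 * This struct is the example's own; libpng stores the fields differently. */
struct ztxt_view {
    const uint8_t *keyword;   /* points at the chunk, NUL-terminated inside it */
    size_t         keyword_len;
    uint8_t        comp_type;
    const uint8_t *data;
    size_t         data_len;  /* may legitimately be 0 */
};

enum ztxt_status {
    ZTXT_OK = 0,
    ZTXT_NO_TERMINATOR,       /* chunk is all non-zero bytes (the reported input) */
    ZTXT_BAD_KEYWORD,         /* keyword empty or longer than 79 bytes */
    ZTXT_NO_COMP_TYPE         /* NUL is the last byte; no room for comp_type */
};

/* Parse chunk[0..len). Every read is preceded by a check on the bytes that
 * remain, so an unterminated keyword is rejected instead of read past.
 * out may be NULL when only the status is wanted. */
static enum ztxt_status parse_ztxt(const uint8_t *chunk, size_t len,
                                   struct ztxt_view *out)
{
    const uint8_t *end = chunk + len;
    const uint8_t *nul = scan_nul(chunk, end);
    size_t klen;

    if (nul == NULL)
        return ZTXT_NO_TERMINATOR;
    klen = (size_t)(nul - chunk);
    if (klen == 0 || klen > 79)
        return ZTXT_BAD_KEYWORD;
    /* Need the NUL itself plus one more byte for the compression type. */
    if ((size_t)(end - nul) < 2)
        return ZTXT_NO_COMP_TYPE;
    if (out != NULL) {
        out->keyword     = chunk;
        out->keyword_len = klen;
        out->comp_type   = nul[1];           /* in bounds: checked above */
        out->data        = nul + 2;
        out->data_len    = (size_t)(end - (nul + 2));
    }
    return ZTXT_OK;
}

/* Returns the compressed-data length of a well-formed chunk, or -1 on any
 * parse error. Convenient for quick checks from a test harness. */
static long ztxt_data_len(const uint8_t *chunk, size_t len)
{
    struct ztxt_view v;
    if (parse_ztxt(chunk, len, &v) != ZTXT_OK)
        return -1;
    return (long)v.data_len;
}

/* Constructed sample chunk bodies (not taken from any real image). */
static const uint8_t good_chunk[] = {
    'C','o','m','m','e','n','t', 0x00,    /* keyword + terminator */
    0x00,                                 /* comp_type: deflate */
    0x78, 0x9c, 0x01                      /* 3 bytes of (stand-in) data */
};
static const uint8_t no_nul_chunk[]       = { 'A','B','C','D' };  /* all non-zero */
static const uint8_t keyword_only_chunk[] = { 'A','B', 0x00 };    /* no comp_type */

int main(void)
{
    printf("good: data_len=%ld\n", ztxt_data_len(good_chunk, sizeof good_chunk));
    printf("no NUL: status=%d\n",
           (int)parse_ztxt(no_nul_chunk, sizeof no_nul_chunk, NULL));
    printf("keyword only: status=%d\n",
           (int)parse_ztxt(keyword_only_chunk, sizeof keyword_only_chunk, NULL));
    return 0;
}
```

The design point is that the decision "is there text after the keyword?" is made by comparing remaining length (`end - nul`) rather than by comparing the scan pointer against `slength - 1`, which is where the original off-by-one crept in; an all-non-zero chunk such as `no_nul_chunk` is rejected by `scan_nul` returning NULL and never reaches the `nul[1]` read.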