[Png-mng-security] Memory Leaks in libpng

Greg Roelofs newt at pobox.com
Sun Jul 20 01:20:32 UTC 2008


Kurt Christensen <hoodel at hoodel.com> wrote:

> Greg,

> I have found several places where memory could leak in the libpng src. 
> These all stem from pngrutil.c. I didn't know how to report this. 
> Hopefully you can help.

The png-mng-implement mailing list is usually the best place to report
libpng issues, unless it's a security issue.  This is kind of a borderline
case; in principle, a hostile web site could load itself up with lots of
these images, causing a denial of service in visiting browsers, but there
are many other ways to do the same thing with entirely valid images, such
as loading up the web page with a huge number of very large images.  So
I'd be inclined not to treat this as a security issue.  However, insofar
as others may disagree, I've bcc'd the libpng security list rather than
cc'd the png-mng-implement list.

> Kurt

> In png_handle_iCCP examine
> -------------------------------
>    chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
>    slength = (png_size_t)length;
>    png_crc_read(png_ptr, (png_bytep)chunkdata, slength);

>    if (png_crc_finish(png_ptr, skip))
>    {
>       png_free(png_ptr, chunkdata);
>       return;
>    }
> ---------------------------------------
> If png_crc_read or png_crc_finish encounter a premature end of file, 
> png_error is called with no return, and hence png_free never gets called.
> Similar constructs exist in the following routines, each potentially 
> leaking if the image file is corrupt.
>   png_handle_sPLT
>   png_handle_pCAL
>   png_handle_sCAL
>   png_handle_tEXt
>   png_handle_zTXt
>   png_handle_iTXt
>   png_handle_unknown


Thanks,
-- 
Greg Roelofs          newt at pobox.com           http://pobox.com/~newt/
Newtware, PNG Group, AlphaWorld Map, Yahoo! Search, ...
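As an added illustration of the error-path leak described in the report (example code written for this page, not libpng's own), the block below builds a tiny stand-in for png_struct, png_error and png_crc_read with hypothetical names (ctx_t, ctx_error, ctx_read, run_handler and friends are all assumptions, not libpng identifiers). It contains a handler in the same shape as the quoted png_handle_iCCP code and a second handler that parks its buffer in the context so the setjmp recovery block can free it. A leak counter shows the difference on a constructed, truncated input: a buffer that exists only in the handler's stack frame is unreachable once the error handler has longjmp'd out of it.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for png_struct (hypothetical names, not libpng's): the longjmp
 * target the error handler uses, plus a slot that lets the error path find
 * the buffer a chunk handler was working on. */
typedef struct {
    jmp_buf jmpbuf;
    char *chunkdata;            /* buffer owned by the handler in progress, or NULL */
    const unsigned char *src;   /* constructed input stream */
    size_t src_len;
    size_t src_pos;
} ctx_t;

static int live_allocs = 0;     /* allocations not yet freed: the leak counter */

/* Analogue of png_error: report, then longjmp back to the caller. Never returns. */
static void ctx_error(ctx_t *c, const char *msg)
{
    fprintf(stderr, "error: %s\n", msg);
    longjmp(c->jmpbuf, 1);
}

static void *ctx_malloc(ctx_t *c, size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        ctx_error(c, "out of memory");
    live_allocs++;
    return p;
}

static void ctx_free(ctx_t *c, void *p)
{
    (void)c;
    if (p != NULL) {
        live_allocs--;
        free(p);
    }
}

/* Analogue of png_crc_read: copy n bytes, or raise an error on premature EOF. */
static void ctx_read(ctx_t *c, unsigned char *buf, size_t n)
{
    if (n > c->src_len - c->src_pos)
        ctx_error(c, "premature end of file");
    memcpy(buf, c->src + c->src_pos, n);
    c->src_pos += n;
}

/* The pattern from the report: the buffer lives only in a local variable,
 * so when ctx_read longjmps out, the ctx_free below is never reached. */
static void handle_chunk_leaky(ctx_t *c, size_t length)
{
    char *chunkdata = (char *)ctx_malloc(c, length + 1);
    ctx_read(c, (unsigned char *)chunkdata, length);
    chunkdata[length] = '\0';
    /* ... parse chunkdata here ... */
    ctx_free(c, chunkdata);
}

/* Fixed pattern: park the buffer in the context so the error path can release it. */
static void handle_chunk_fixed(ctx_t *c, size_t length)
{
    c->chunkdata = (char *)ctx_malloc(c, length + 1);
    ctx_read(c, (unsigned char *)c->chunkdata, length);
    c->chunkdata[length] = '\0';
    /* ... parse c->chunkdata here ... */
    ctx_free(c, c->chunkdata);
    c->chunkdata = NULL;
}

/* Run one handler over a constructed stream of `available` bytes (at most 16)
 * while the handler asks for 8. Returns the number of allocations still live
 * afterwards; 0 means no leak. The context is static so reading it after a
 * longjmp is well defined. */
static int run_handler(void (*handler)(ctx_t *, size_t), size_t available)
{
    static const unsigned char stream[] = "xxxxxxxxxxxxxxxx";   /* constructed input */
    static ctx_t c;
    const size_t max = sizeof stream - 1;

    memset(&c, 0, sizeof c);
    c.src = stream;
    c.src_len = available > max ? max : available;
    live_allocs = 0;

    if (setjmp(c.jmpbuf) == 0) {
        handler(&c, 8);
    } else {
        /* Error path, as the caller's setjmp block would do: free whatever the
         * handler parked in the context. The leaky handler left nothing here. */
        ctx_free(&c, c.chunkdata);
        c.chunkdata = NULL;
    }
    return live_allocs;
}

int main(void)
{
    printf("leaky handler, truncated input: %d live allocation(s)\n",
           run_handler(handle_chunk_leaky, 3));
    printf("fixed handler, truncated input: %d live allocation(s)\n",
           run_handler(handle_chunk_fixed, 3));
    return 0;
}
```

Build with `cc -Wall leak_demo.c && ./a.out`; the leaky handler reports one live allocation after the truncated read, the fixed one reports zero. The same structure applies to each routine in the list above: either the allocation must be released before any call that can reach png_error, or it must be recorded somewhere the error path can still reach it.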


