[Png-mng-security] Cannot defend against overly lengthy PNG chunks
Glenn Randers-Pehrson
glennrp at comcast.net
Thu Mar 13 03:06:20 UTC 2008
There is a report on the libpng bug tracker at SourceForge
that an accidentally overly large length value in the IHDR chunk
will DoS a progressive PNG decoder.
It's easy to fix pngpread.c:
if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4))
{
   if (png_ptr->push_length + 4 > png_ptr->buffer_size)
   {
      /* NEW */ if (png_ptr->push_length != 13)
      /* NEW */    png_error(png_ptr, "Invalid IHDR length");
      png_push_save_buffer(png_ptr);
      return;
   }
   png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length);
}
Other chunks with known lengths could be protected similarly. However,
some chunks (iCCP, sPLT, IDAT, all of the text chunks, and any unknown
chunks) can have arbitrary lengths, so I don't know how to defend against
this problem with those chunks.
There would be value in only protecting IHDR, because the sort of accident
described in the bug report would affect all chunk length values, and
checking IHDR would be sufficient to prevent a DoS. That would not
protect against a malicious PNG with a huge length value for the iCCP
chunk, though.
Glenn
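As an added illustration (not code from libpng or from the post above), the following header check generalises the IHDR length test to every chunk whose size the PNG specification fixes, and applies a caller-chosen cap to open-ended chunks. The function name, the `max_variable_len` policy cap and the sample headers are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
/* Outcome of checking an 8-byte PNG chunk header (4-byte length, 4-byte type). */
enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_SHORT_HEADER,     /* fewer than 8 bytes available */
    CHUNK_BAD_TYPE,         /* type bytes are not ASCII letters */
    CHUNK_LENGTH_TOO_LARGE, /* above the spec's 2^31-1 limit or the caller's cap */
    CHUNK_BAD_FIXED_LENGTH  /* fixed-size chunk (IHDR is always 13 bytes) with wrong length */
};
/* Chunk types whose data length is fixed by the PNG specification. */
static const struct { const char *type; uint32_t len; } fixed_lengths[] = {
    {"IHDR", 13}, {"IEND", 0}, {"gAMA", 4}, {"cHRM", 32}, {"pHYs", 9}, {"tIME", 7},
};

/* max_variable_len is an assumed caller policy cap for open-ended chunks
 * (iCCP, sPLT, IDAT, text, unknown); it is not a limit from the PNG spec. */
enum chunk_status validate_chunk_header(const uint8_t *buf, size_t avail,
                                        uint32_t max_variable_len, uint32_t *len_out)
{
    uint32_t len; size_t i; int fixed = 0;
    if (avail < 8)
        return CHUNK_SHORT_HEADER;
    for (i = 4; i < 8; i++)  /* the type must be four ASCII letters */
        if (!((buf[i] >= 'A' && buf[i] <= 'Z') || (buf[i] >= 'a' && buf[i] <= 'z')))
            return CHUNK_BAD_TYPE;
    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (len > 0x7FFFFFFFu)  /* spec: the high bit of a chunk length must be zero */
        return CHUNK_LENGTH_TOO_LARGE;
    for (i = 0; i < sizeof fixed_lengths / sizeof fixed_lengths[0]; i++) {
        if (memcmp(buf + 4, fixed_lengths[i].type, 4) != 0)
            continue;
        if (len != fixed_lengths[i].len)  /* the check the post adds for IHDR */
            return CHUNK_BAD_FIXED_LENGTH;
        fixed = 1;
    }
    if (!fixed && len > max_variable_len)  /* open-ended chunk: only the policy cap applies */
        return CHUNK_LENGTH_TOO_LARGE;
    if (len_out) *len_out = len;
    return CHUNK_OK;
}

/* Constructed sample headers, not taken from the bug report. */
static const uint8_t hdr_ihdr_ok[8]   = {0x00, 0x00, 0x00, 0x0D, 'I', 'H', 'D', 'R'};
static const uint8_t hdr_ihdr_huge[8] = {0x00, 0xFF, 0xFF, 0xFF, 'I', 'H', 'D', 'R'};
static const uint8_t hdr_iccp_huge[8] = {0x7F, 0xFF, 0xFF, 0xFF, 'i', 'C', 'C', 'P'};
static const uint8_t hdr_idat_ok[8]   = {0x00, 0x00, 0x10, 0x00, 'I', 'D', 'A', 'T'};
```

A progressive decoder can run this on each header before deciding how many bytes to wait for, so a bogus length is rejected instead of stalling the decoder.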