[Png-mng-security] Cannot defend against overly lengthy PNG chunks

Glenn Randers-Pehrson glennrp at comcast.net
Thu Mar 13 14:02:26 UTC 2008


At 09:31 PM 3/12/2008 -0700, John Bowler wrote:
>From: Glenn Randers-Pehrson
>>>There is a report on the libpng bug tracker at SourceForge
>>>that an accidentally overly large length value in the IHDR chunk
>>>will DoS a progressive PNG decoder.
>>
>>I suppose we could discuss this openly in png-mng-implement, because
>>the vulnerability isn't really any worse than other known vulnerabilities
>>such as writing an IHDR chunk with width and height == 32k or so, which
>>will bring down some browsers such as Firefox.
>>
>>What do you think?
>
>I think such discussion is fine.  It's a general problem if libpng doesn't deal
>gracefully with very large chunk lengths, valid or not, but I don't see
>that the possibility of a DoS attack by exploiting this should be a major
>issue.  If it is, a much more difficult to prevent attack would be a
>carefully constructed very well compressed zTXT, or similar.

OK, see the announcement of libpng-1.2.26beta02 on png-mng-implement.

Glenn


