From jbowler at acm.org Tue Nov 25 00:16:34 2008
From: jbowler at acm.org (John Bowler)
Date: Mon, 24 Nov 2008 16:16:34 -0800
Subject: [Png-mng-security] Potential denial of service attack in lcms-1.17
Message-ID: <004601c94e93$141a3270$3c4e9750$@org>

By code examination if lcms-1.17 is passed an otherwise valid set of chromaticities with the white point 'y' value of 0 it will generate NaN and inf values internally. On some systems where floating point exceptions are enabled this might cause a crash.

A practical test case can be made by using TweakPNG to change a value in a cHRM chunk (e.g. one with the sRGB chromaticities) in a PNG file so that the white y is zero. My test case does not fail because FP exceptions are not enabled - instead I get results with NaN or inf in the XYZ end points lcms-1.17 generates.

Fix is to test for white y of zero and fail in the relevant APIs (return false.)

This may affect Firefox (at least) if lcms processing of PNG cHRM chunks is enabled.

John Bowler

From glennrp at comcast.net Tue Nov 25 01:11:58 2008
From: glennrp at comcast.net (glennrp at comcast.net)
Date: Tue, 25 Nov 2008 01:11:58 +0000
Subject: [Png-mng-security] Potential denial of service attack in lcms-1.17
Message-ID: <112520080111.14307.492B50DE00040FC9000037E322070009539F9D02020A0409@comcast.net>

-------------- Original message ----------------------
From: "John Bowler"
> By code examination if lcms-1.17...
> Fix is to test for white y of zero and fail in the relevant APIs (return
> false.)

Should the fix go in lcms? We can (will) fix libpng as well. I can take care of fixing mozilla's copy of lcms. I got no answer to our prior bug report to the lcms mailing list nor to a private email to the lcms author.

Would you send me an appropriately tweaked small PNG file?
Glenn

From glennrp at comcast.net Tue Nov 25 05:01:36 2008
From: glennrp at comcast.net (glennrp at comcast.net)
Date: Tue, 25 Nov 2008 05:01:36 +0000
Subject: [Png-mng-security] Potential denial of service attack in lcms-1.17
Message-ID: <112520080501.24971.492B86B0000309050000618B22007374789F9D02020A0409@comcast.net>

-------------- Original message ----------------------
From: "John Bowler"
> By code examination if lcms-1.17 is passed an otherwise valid set of
> chromaticities with the white point 'y' value of 0 it will generate NaN and
> inf values internally. On some systems where floating point exceptions are
> enabled this might cause a crash.

Just-released libpng-1.4.0beta40 rejects cHRM input with white_y <= 0. Are you sure we should not also test white_x?

Glenn

From jbowler at acm.org Tue Nov 25 05:19:12 2008
From: jbowler at acm.org (John Bowler)
Date: Mon, 24 Nov 2008 21:19:12 -0800
Subject: [Png-mng-security] Potential denial of service attack in lcms-1.17
In-Reply-To: <112520080501.24971.492B86B0000309050000618B22007374789F9D02020A0409@comcast.net>
References: <112520080501.24971.492B86B0000309050000618B22007374789F9D02020A0409@comcast.net>
Message-ID: <005601c94ebd$5b7109d0$12531d70$@org>

From: glennrp at comcast.net [mailto:glennrp at comcast.net]
>Just-released libpng-1.4.0beta40 rejects cHRM input with white_y <= 0.
>Are you sure we should not also test white_x?

For the benefit of anyone not on png-mng-implement, here is the basic arithmetic that requires the white_y test but not the corresponding test on white_x:

white_Y = 1.0 (given)

white_y = white_Y/(white_X + white_Y + white_Z)
        = 1.0/(white_X + 1.0 + white_Z)

Therefore white_y cannot be 0 (white_X and white_Z are assumed to be finite.)

white_x = white_X/(white_X + white_Y + white_Z)
        = white_X/(white_X + 1.0 + white_Z)

white_x therefore can be zero if white_X is zero. white_X is not itself constrained to be non-zero (even though zero is a very suspicious value.)
John Bowler

From glennrp at comcast.net Tue Nov 25 15:11:55 2008
From: glennrp at comcast.net (glennrp at comcast.net)
Date: Tue, 25 Nov 2008 15:11:55 +0000
Subject: [Png-mng-security] Potential denial of service attack in lcms-1.17
Message-ID: <112520081511.13204.492C15BB000E6A7C0000339422058891169F9D02020A0409@comcast.net>

John, if you will provide a patch I'll be happy to reformat it according to mozilla requirements and run it through their process.

Also I'll port the libpng-1.4.x patch back into 1.0.x/1.2.x if you are satisfied with it.

Glenn
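The white-point arithmetic John walks through in his reply to Glenn, as an added C example that is not code from the thread, lcms or libpng: it decodes a constructed sRGB cHRM payload, derives the white point's XYZ from its x,y with white_Y fixed at 1.0, and applies the proposed white_y guard, with the zero-white_y input being the same edit the thread describes making with TweakPNG. Function names, the enum and the sample bytes are my own.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* PNG cHRM payload: eight big-endian uint32 values, each chromaticity
 * multiplied by 100000, in the order white x,y, red x,y, green x,y, blue x,y. */
enum { WX, WY, RX, RY, GX, GY, BX, BY, CHRM_FIELDS };
typedef struct { double v[CHRM_FIELDS]; } chrm_t;

/* Constructed sample: the sRGB chromaticities as they appear in a cHRM chunk. */
static const unsigned char SRGB_CHRM[32] = {
    0, 0, 0x7A, 0x26,  0, 0, 0x80, 0x84,   /* white 0.3127, 0.3290 */
    0, 0, 0xFA, 0x00,  0, 0, 0x80, 0xE8,   /* red   0.64,   0.33   */
    0, 0, 0x75, 0x30,  0, 0, 0xEA, 0x60,   /* green 0.30,   0.60   */
    0, 0, 0x3A, 0x98,  0, 0, 0x17, 0x70 }; /* blue  0.15,   0.06   */

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode a cHRM payload into doubles; false if the length is wrong. */
bool parse_chrm(const unsigned char *data, size_t len, chrm_t *out) {
    if (len != 32) return false;
    for (int i = 0; i < CHRM_FIELDS; i++)
        out->v[i] = be32(data + 4 * i) / 100000.0;
    return true;
}

/* With white_Y = 1.0 the white point's X and Z follow from its x,y by
 * dividing by y; a zero white_y turns that into inf/NaN, so it is rejected
 * up front (white_x needs no such test, as the thread explains). */
bool white_xyz(const chrm_t *c, double *X, double *Y, double *Z) {
    if (!(c->v[WY] > 0.0)) return false;            /* also rejects NaN */
    *Y = 1.0;
    *X = c->v[WX] / c->v[WY];
    *Z = (1.0 - c->v[WX] - c->v[WY]) / c->v[WY];
    return isfinite(*X) && isfinite(*Z);
}

/* The same division without the guard, to show what a zero white_y yields. */
double unguarded_white_X(const chrm_t *c) { return c->v[WX] / c->v[WY]; }

/* Valid sRGB passes (X ~ 0.9505, Z ~ 1.0891); white_y = 0 is refused while
 * the unguarded division silently produces inf. */
bool demo_checks(void) {
    chrm_t c, bad; double X, Y, Z;
    if (!parse_chrm(SRGB_CHRM, sizeof SRGB_CHRM, &c)) return false;
    if (!white_xyz(&c, &X, &Y, &Z)) return false;
    if (fabs(X - 0.9505) > 1e-3 || fabs(Z - 1.0891) > 1e-3) return false;
    bad = c; bad.v[WY] = 0.0;                        /* the TweakPNG edit */
    return !white_xyz(&bad, &X, &Y, &Z) && isinf(unguarded_white_X(&bad));
}
```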