[Png-mng-security] Potential denial of service attack in lcms-1.17

John Bowler jbowler at acm.org
Tue Nov 25 00:16:34 UTC 2008


By code examination, if lcms-1.17 is passed an otherwise valid set of
chromaticities with a white point 'y' value of 0, it will generate NaN and
inf values internally.  On some systems where floating point exceptions are
enabled this might cause a crash.

A practical test case can be made by using TweakPNG to change a value in the
cHRM chunk (e.g. one with the sRGB chromaticities) of a PNG file so that the
white y is zero.

My test case does not fail because FP exceptions are not enabled - instead I
get results with NaN or inf in the XYZ end points lcms-1.17 generates.

The fix is to test for a white y of zero and fail in the relevant APIs (return
false).

This may affect Firefox (at least) if lcms processing of PNG cHRM chunks is
enabled.

John Bowler <jbowler at acm.org>
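As an added illustration (not code from the post or from lcms) of the failure mode and the proposed check: an xyY-to-XYZ conversion of the white point in C, once in an unchecked form that divides by y and so yields inf/NaN when y is 0, and once in a checked form that returns false instead. The struct and function names are my own, and the checked form also rejects non-finite inputs, which goes slightly beyond the post.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Chromaticity (x, y) plus luminance Y, and the XYZ tristimulus it maps to. */
typedef struct { double x, y, Y; } xyY_t;
typedef struct { double X, Y, Z; } XYZ_t;

/* Unchecked conversion: divides by y. With y == 0 this produces inf/NaN
 * under default IEEE 754 semantics, or traps where FP exceptions are enabled. */
static XYZ_t xyY_to_XYZ_unchecked(xyY_t c) {
    XYZ_t r;
    r.X = (c.x / c.y) * c.Y;
    r.Y = c.Y;
    r.Z = ((1.0 - c.x - c.y) / c.y) * c.Y;
    return r;
}

/* Checked conversion: a zero (or negative, or non-finite) white-point y is
 * reported as failure rather than computed, as the post proposes. */
static bool xyY_to_XYZ_checked(xyY_t c, XYZ_t *out) {
    if (!(c.y > 0.0) || !isfinite(c.x) || !isfinite(c.Y))
        return false;
    *out = xyY_to_XYZ_unchecked(c);
    return isfinite(out->X) && isfinite(out->Z);
}

/* True if the unchecked path yields a non-finite X or Z for this white point. */
static bool unchecked_produces_nonfinite(double x, double y) {
    xyY_t c = { x, y, 1.0 };
    XYZ_t r = xyY_to_XYZ_unchecked(c);
    return !isfinite(r.X) || !isfinite(r.Z);
}

int main(void) {
    /* Constructed samples: the sRGB (D65) white point, then the same point
     * with y forced to 0 as a tampered cHRM chunk would carry it. */
    xyY_t d65 = { 0.3127, 0.3290, 1.0 };
    xyY_t bad = { 0.3127, 0.0,    1.0 };
    XYZ_t r;
    printf("D65: ok=%d X=%.4f Z=%.4f\n", xyY_to_XYZ_checked(d65, &r), r.X, r.Z);
    printf("white y=0: checked ok=%d, unchecked non-finite=%d\n",
           xyY_to_XYZ_checked(bad, &r), unchecked_produces_nonfinite(bad.x, bad.y));
    return 0;
}
```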
