[Png-mng-security] vulnerability in png_decompress_chunk()
glennrp at comcast.net
glennrp at comcast.net
Fri Feb 5 13:21:27 UTC 2010
----- Original Message -----
From: "John Bowler" <jbowler at frontiernet.net>
> This does mean that you will be changing the png_struct or png_info
> structure in 1.4 (as in the current 1.4.1beta06 - adding a member to
> a structure visible in the ABI; at extra 4 bytes at the end of
> png_struct). IRC that happened several times in 1.2.
Still waiting for a definitive answer to whether it's OK to
do this any more without a minor version bump (i.e., 1.4.0 to
1.5.0 and libpng14.so to libpng15.so).
For 1.4.1beta07 I am planning to implement essentially what's in
beta06, but with the opportunity for the downstream libpng
builder to impose default limits on the maximum size and
number of compressed chunks via #define and for the application
writer to override the limits via "png_set_*()" functions. The
defaults set in our distribution will be 0 meaning unlimited.
That includes the get|set functions and a new png_struct member
to hold the malloc limit (1.4.0 already has one for the chunk
counter).
For 1.2.43 I am planning to implement the same but without
the get|set functions and without a new member in png_struct.
The memory limit will be a constant that can be defined by
the downstream libpng builder, default 0, meaning unlimited.
I don't see a way of imposing a limit on the number of
compressed chunks because that requires a counter in the
png_struct.
Libpng-1.4.1 and 1.2.43 (and 1.0.53) will use the fast
two-pass png_decompress_chunk() that measures the
chunk before allocating memory for it.
I have posted patches for Firefox/Mozilla to the
bugzilla.mozilla.org bug #497056 along these lines,
to replace the png_decompress_chunk() function with
the two-pass function in the embedded library and a
fixed 4-MB maximum on the size of decompressed iCCP
chunks. If Firefox (or other gecko-based application)
is built with the system libpng older than 1.4.1, then
it uses a replacement malloc_fn() to impose the 4MB
limit on the decompressed iCCP chunk size
and increased the size of zbuf_size for iCCP chunk
decompression to 32k, That's not an ideal solution
but I don't have any other ideas.
In libpng-1.4.0, 0x7fffffff means an unlimited
number of chunks allowed, but "0" seems simpler
to implement and to explain. It doesn't really make
any practical difference so I think it's OK to make
this change in 1.4.1.
Glenn
More information about the png-mng-security-archive
mailing list