[Secure-testing-team] Bug#668082: libpng12-0: libpng-1.2.44 crashes with electric fence memory debugger
Mikulas Patocka
mikulas at artax.karlin.mff.cuni.cz
Sun Apr 8 18:01:47 UTC 2012
Package: libpng12-0
Version: 1.2.44-1+squeeze4
Severity: grave
Tags: security
Justification: user security hole
Debian libpng crashes when loading a corrupted image. I placed the image here:
http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/debian-libpng-1.2.44-crash.png
How to reproduce:
install the links2 and electric-fence packages
run:
LD_PRELOAD=/usr/lib/libefence.so EF_ALIGNMENT=0 links2 -g http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/debian-libpng-1.2.44-crash.png
You get a crash in inflate.
I tried it on upstream libpng; upstream versions up to 1.2.47 crash, 1.2.48 and
1.2.49 don't crash.
A backtrace of the upstream crash:
Program terminated with signal 11, Segmentation fault.
#0 0x00007fd202b4338f in inflate (strm=0x7fd1fe3c7c40, flush=1)
at inflate.c:649
649 NEEDBITS(16);
(gdb) bt
#0 0x00007fd202b4338f in inflate (strm=0x7fd1fe3c7c40, flush=1)
at inflate.c:649
#1 0x00007fd2029304de in png_push_read_zTXt (png_ptr=0x7fd1fe3c7b10,
info_ptr=0x7fd1fe3cfe30) at pngpread.c:1405
#2 0x00007fd20292d7d0 in png_process_some_data (png_ptr=0x7fd1fe3c7b10,
info_ptr=0x7fd1fe3cfe30) at pngpread.c:85
#3 0x00007fd20292d70a in png_process_data (png_ptr=0x7fd1fe3c7b10,
info_ptr=0x7fd1fe3cfe30, buffer=0x7fd1fe976d03 "\211PNG\r\n\032\n",
buffer_size=757) at pngpread.c:41
(gdb) frame 1
#1 0x00007fd2029304de in png_push_read_zTXt (png_ptr=0x7fd1fe3c7b10,
info_ptr=0x7fd1fe3cfe30) at pngpread.c:1405
1405 ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
(gdb) print png_ptr->zstream
$1 = {next_in = 0x7fd1fe3d4000 "", avail_in = 4294967295, total_in = 0,
next_out = 0x7fd1fe3c9000 "Copyright Willem van Schaik, Singapore 1995",
avail_out = 8192, total_out = 0, msg = 0x0, state = 0x7fd1fe3cc410,
zalloc = 0x7fd20290884d <png_zalloc>, zfree = 0x7fd20290891a <png_zfree>,
opaque = 0x7fd1fe3c7b10, data_type = 64, adler = 1, reserved = 0}
The crash is caused by libpng storing too large a value in the "avail_in" field.
This bug is already fixed in libpng-1.2.48 (the buggy function
png_push_read_zTXt is removed), but Debian didn't backport the fix.
-- System Information:
Debian Release: 6.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.3.0 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=cs_CZ, LC_CTYPE=cs_CZ (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/dash
Versions of packages libpng12-0 depends on:
ii libc6 2.11.3-2 Embedded GNU C Library: Shared lib
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
libpng12-0 recommends no packages.
libpng12-0 suggests no packages.
-- no debconf information
Name: file.png
Type: image/png
Size: 757 bytes
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120408/89bbd5ff/attachment.png>
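An added illustration (hypothetical C, not libpng's own code; the report does not show the exact line in png_push_read_zTXt that went wrong): how an unchecked unsigned length subtraction over a PNG zTXt chunk wraps to 4294967295, the avail_in value in the gdb dump above, and the bounds check that prevents it.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not libpng code): length of the zlib stream inside a
 * PNG zTXt chunk.  Chunk layout from the PNG specification:
 *   keyword (1..79 bytes) | NUL | compression method (1 byte) | compressed text
 * Returns the compressed length, or -1 when the chunk is malformed. */
long ztxt_compressed_len(const uint8_t *data, uint32_t length)
{
    uint32_t i = 0;
    while (i < length && data[i] != 0)   /* locate the keyword terminator */
        i++;
    if (i == 0 || i > 79)                /* keyword must be 1..79 bytes */
        return -1;
    if (length - i < 2)                  /* no room for NUL + method byte */
        return -1;
    if (data[i + 1] != 0)                /* only method 0 (deflate) is defined */
        return -1;
    return (long)(length - (i + 2));     /* cannot wrap: checked above */
}

/* Same computation without the bounds check: when the keyword plus its two
 * trailing bytes runs past the end of the chunk, the unsigned subtraction
 * wraps to a huge value (4294967295 for a chunk cut off right after the NUL).
 * A caller that copies such a value into z_stream.avail_in tells inflate()
 * that ~4 GiB of input follow, so it may read far past the real buffer,
 * which is exactly what Electric Fence turns into a segfault. */
uint32_t ztxt_compressed_len_unchecked(const uint8_t *data, uint32_t length)
{
    uint32_t i = 0;
    while (i < length && data[i] != 0)
        i++;
    return length - (i + 2);
}

/* Constructed samples: a well-formed chunk, and one truncated right after the
 * keyword's NUL terminator (no method byte, no compressed data). */
const uint8_t ztxt_good[] = { 'T','i','t','l','e', 0, 0,
                              0x78, 0x9c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x01 };
const uint8_t ztxt_trunc[] = { 'T','i','t','l','e', 0 };

int main(void)
{
    printf("good:  checked=%ld\n", ztxt_compressed_len(ztxt_good, sizeof ztxt_good));
    printf("trunc: checked=%ld unchecked=%u\n",
           ztxt_compressed_len(ztxt_trunc, sizeof ztxt_trunc),
           ztxt_compressed_len_unchecked(ztxt_trunc, sizeof ztxt_trunc));
    return 0;
}
```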