#199 Integer overflow in png_set_unknown_chunks in libpng/pngset.c v1.5.13

libpng_code
closed-fixed
5
2013-02-14
2013-01-08
chendong
No

Through applying testing to libpng 1.5.13,
I found that libpng has four integer overflow bugs in
png_set_unknown_chunks in libpng/pngset.c.

In png_set_unknown_chunks:
The bug is in line 1037. If the function parameter num_unknowns or info_ptr->unknown_chunks_num is very large,
then (info_ptr->unknown_chunks_num + num_unknowns) * png_sizeof(png_unknown_chunk) is larger than UINT_MAX. It becomes smaller due to integer overflow. Thus np = png_malloc_warn in line 1036 will get a smaller memory block than expected.
Then png_memcpy in line 1047 may access an invalid memory address, which causes a segmentation fault or unexpected results.

1036 np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
1037     (png_size_t)(info_ptr->unknown_chunks_num + num_unknowns) *
1038     png_sizeof(png_unknown_chunk));
1039
1040 if (np == NULL)
1041 {
1042    png_warning(png_ptr,
1043       "Out of memory while processing unknown chunk");
1044    return;
1045 }
1046
1047 png_memcpy(np, info_ptr->unknown_chunks,
1048     (png_size_t)info_ptr->unknown_chunks_num *
1049     png_sizeof(png_unknown_chunk));
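An added example, not libpng's code and not the libpng-1.5.14 fix itself: the size computation quoted above rewritten so that both the count addition and the multiplication by the element size are checked before memory is requested. It assumes a stand-in chunk struct and 32-bit chunk counts, matching the report's UINT_MAX reasoning; names are invented for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for png_unknown_chunk; only its size matters here (assumed layout). */
typedef struct { char name[5]; unsigned char *data; size_t size; int location; } chunk_t;

/* Overflow-checked form of
 *   (info_ptr->unknown_chunks_num + num_unknowns) * png_sizeof(png_unknown_chunk)
 * Returns 1 and stores the byte count in *out when it fits in size_t,
 * 0 when the count addition or the byte multiplication would wrap. */
int checked_chunk_bytes(uint32_t existing, uint32_t added, size_t elem, size_t *out)
{
    if (added > UINT32_MAX - existing)          /* existing + added wraps */
        return 0;
    uint32_t total = existing + added;
    if (elem != 0 && total > SIZE_MAX / elem)   /* total * elem wraps */
        return 0;
    *out = (size_t)total * elem;
    return 1;
}

/* The pattern from the report: a wrapped 32-bit sum is cast and multiplied
 * as-is, so a huge count yields a small allocation size. */
size_t unchecked_chunk_bytes(uint32_t existing, uint32_t added, size_t elem)
{
    return (size_t)(existing + added) * elem;
}

/* Grow-and-copy step from lines 1036-1049 with the safe size. Returns NULL
 * (as png_malloc_warn does on failure) instead of an undersized buffer. */
chunk_t *grow_chunks(chunk_t *old, uint32_t existing, uint32_t added)
{
    size_t bytes;
    if (!checked_chunk_bytes(existing, added, sizeof(chunk_t), &bytes))
        return NULL;
    chunk_t *np = malloc(bytes);
    if (np != NULL && existing > 0)   /* existing <= total, so this copy fits */
        memcpy(np, old, (size_t)existing * sizeof(chunk_t));
    return np;
}
```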

Discussion

  • assigned_to: Glenn Randers-Pehrson

  • Fixed in libpng-1.5.14beta08. Thanks. Note that libpng calls this function internally only with num_unknowns==1.

  • status: open --> open-accepted

  • The png_set_sPLT() and png_set_text_2() functions have a similar bug, which is fixed in libpng-1.5.14rc03. Likewise, those are also only called internally with the parameter ("nentries" or "num_text") == 1.

  • Fixed in libpng-1.6.0

  • status: open-accepted --> closed-fixed