#186 Corrupted png file causes a program crash

libpng_code
closed-fixed
5
2011-09-27
2011-09-08
No

Version 1.5.4

"pngrutil.c"

If one is using a corrupted png file, the application (in this case a Qt application) using the libpng libraries crashes, since there isn't valid checking in the pngrutil.c file. The program crashes because there is no check for whether 'w' is zero in png_handle_cHRM. This patch fixes the bug:

--- a/src/3rdparty/libpng/pngrutil.c
+++ b/src/3rdparty/libpng/pngrutil.c
@@ -1037,12 +1037,15 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
*/
png_uint_32 w = y_red + y_green + y_blue;

- png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
- 32768)/w);
- png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
- * 32768)/w);
- png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
- 32768)/w);
+ if (w != 0)
+ {
+ png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
+ 32768)/w);
+ png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
+ * 32768)/w);
+ png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
+ 32768)/w);
+ }
}
}
#endif
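
Review bot: the new "if (w != 0)" guard has no else branch, so when y_red + y_green + y_blue sums to zero the three rgb_to_gray_*_coeff assignments are skipped silently and the fields keep whatever values they held before. Consider reporting the condition in an else branch, for example with png_warning(png_ptr, ...), so that an application reading a corrupted file can see that the cHRM data was rejected rather than only avoiding the division. It is also worth confirming that each "(png_uint_32)y_red * 32768" style product cannot wrap for large y values, since the quotient is narrowed to png_uint_16 with no range check.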

Attached is the corrupted png file that can also be used to verify this issue.

Discussion

  • Qt Commercial Support

    Corrupted png file

     
  • Glenn Randers-Pehrson

    This bug has been fixed in libpng-1.5.5beta07. Please give it a try.

     
  • Glenn Randers-Pehrson

    • assigned_to: nobody --> glennrp
    • status: open --> open-accepted
     
  • Glenn Randers-Pehrson

    Fixed in libpng-1.5.5, and reported as CERT VU#477046, CVE-2011-3328.

     
  • Glenn Randers-Pehrson

    • status: open-accepted --> open-fixed
     
  • Glenn Randers-Pehrson

    • status: open-fixed --> closed-fixed
     
