Through testing of libpng 1.5.13, I found that libpng has four integer overflow bugs in png_set_unknown_chunks in libpng/pngset.c.
The bug is in line 1037. If the function parameter num_unknowns or info_ptr->unknown_chunks_num is very large,
then (info_ptr->unknown_chunks_num + num_unknowns) * png_sizeof(png_unknown_chunk) is larger than UINT_MAX. It becomes smaller due to integer overflow. Thus np = png_malloc_warn in line 1036 will get less memory than expected.
Then png_memcpy in line 1047 may access an invalid memory address, which causes a segmentation fault or unexpected results.
1036    np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
1037        (png_size_t)(info_ptr->unknown_chunks_num + num_unknowns) *
1038        png_sizeof(png_unknown_chunk));
1039
1040    if (np == NULL)
1041    {
1042       png_warning(png_ptr,
1043           "Out of memory while processing unknown chunk");
1044       return;
1045    }
1046
1047    png_memcpy(np, info_ptr->unknown_chunks,
1048        (png_size_t)info_ptr->unknown_chunks_num *
1049        png_sizeof(png_unknown_chunk));
Fixed in libpng-1.5.14beta08. Thanks. Note that libpng calls this function internally only with num_unknowns==1.
The png_set_sPLT() and png_set_text_2() functions have a similar bug, which is fixed in libpng-1.5.14rc03. Likewise, those are also only called internally with the parameter ("nentries" or "num_text") == 1.
Fixed in libpng-1.6.0