#300 Segmentation fault caused by npd in pngimage, png_setup_paeth_row, pngwutil.c:2496

[Harvey Huang]

Hi, there.

There is a segmentation fault in the latest stable release of 1.6.38 caused by null pointer dereference in png_setup_paeth_row, pngwutil.c:2496.

To reproduce, run

./pngimage POC

Here is the trace reported by ASAN:

==4043214==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffd78b1b20 (pc 0x0000005a8cf7 bp 0x61a000003081 sp 0x7ffd80295b40 T0)
==4043214==The signal is caused by a READ memory access.
    #0 0x5a8cf7 in png_setup_paeth_row  /benchmark/libpng-1.6.38/build-a/../pngwutil.c:2496:14
    #1 0x5a8cf7 in png_write_find_filter  /benchmark/libpng-1.6.38/build-a/../pngwutil.c:2725:13
    #2 0x58266f in png_write_row  /benchmark/libpng-1.6.38/build-a/../pngwrite.c:909:4
    #3 0x584c9a in png_write_image  /benchmark/libpng-1.6.38/build-a/../pngwrite.c:636:10
    #4 0x584c9a in png_write_png  /benchmark/libpng-1.6.38/build-a/../pngwrite.c:1465:4
    #5 0x4fd99a in write_png  /benchmark/libpng-1.6.38/build-a/../contrib/libtests/pngimage.c:1368:4
    #6 0x4f9cdc in test_one_file  /benchmark/libpng-1.6.38/build-a/../contrib/libtests/pngimage.c:1443:4
    #7 0x4f9cdc in do_test  /benchmark/libpng-1.6.38/build-a/../contrib/libtests/pngimage.c:1573:7
    #8 0x4f87fa in main  /benchmark/libpng-1.6.38/build-a/../contrib/libtests/pngimage.c:1677:23
    #9 0x7f8bd6838082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x41d51d in _start ( /benchmark/libpng-1.6.38/build-a/pngimage+0x41d51d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV  /benchmark/libpng-1.6.38/build-a/../pngwutil.c:2496:14 in png_setup_paeth_row
==4043214==ABORTING
Aborted

[Cosmin Truta]

I cannot reproduce the crash, neither on x86_64 (Ubuntu 20.04), nor on aarch64 (Apple). I tried clang and gcc, and I compiled it at -O2 and -O3 with -fsanitize=address,undefined.

Another point of confusion is that, in libpng 1.6.38, that kind of crash at pngwutil.c:2496 is hardly possible. If you used optimized compilation, that might be the reason why the line number is incorrect.

Could you please be more specific about your build commands or scripts or everything else that's relevant in your build environment?

[Harvey Huang]

Hi, I think the issue may relate to compiler I used since I try to fuzz the program. Even though I modify a bit, it can be triggered using the original AFL++'s compiler.

I am working on ubuntu 20.04.

Here is the compiling command:

CC=compiler CFLAGS="-fsanitize=address -g " ../configure --disable-shared

I attach the compiler and the pngimage binary that can reproduce the crash at the end of this reply.

[Cosmin Truta]

I still cannot reproduce your error. BTW, the compiler that you attached fails because it cannot find afl-compiler-rt.o. However, I installed the compiler myself, from the Ubuntu PPA.

Here are the commands that I tried:

sudo apt-get install afl++-clang
CC=afl-clang-fast CFLAGS="-fsanitize=address -g" ../configure --disable-shared
make
./pngimage pngimage_npd_png_setup_paeth_row2496.png

Nothing crashed or failed in any way. Could it be that Ubuntu's AFL compiler version is too old, and I need to build it from the AFLplusplus source at GitHub? Here is the compiler version:

$ afl-clang-fast --version
afl-clang-fast++2.59d by <lszekeres@google.com>
clang version 9.0.1-12 
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm-9/bin

[Harvey Huang]

I attach the missing file.

Here is my clang version.

afl-cc++4.05c by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD
clang version 11.0.0
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin

I think the official AFL in PPA is correct and the problem is caused by the AFLplusplus. You can try the source code at Github with following version, 4.05a, d1e1bbc713b22d620956.

I also contact the developer of AFL++ and they confirm the probelm in this issue.