Menu
▾
▴
1 Attachments
#300 Segmentation fault caused by npd in pngimage, png_setup_paeth_row, pngwutil.c:2496
Hi, there.
There is a segmentation fault in the latest stable release of 1.6.38 caused by null pointer dereference in png_setup_paeth_row, pngwutil.c:2496.
To reproduce, run
./pngimage POC
Here is the trace reported by ASAN:
==4043214==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffd78b1b20 (pc 0x0000005a8cf7 bp 0x61a000003081 sp 0x7ffd80295b40 T0)
==4043214==The signal is caused by a READ memory access.
#0 0x5a8cf7 in png_setup_paeth_row /benchmark/libpng-1.6.38/build-a/../pngwutil.c:2496:14
#1 0x5a8cf7 in png_write_find_filter /benchmark/libpng-1.6.38/build-a/../pngwutil.c:2725:13
#2 0x58266f in png_write_row /benchmark/libpng-1.6.38/build-a/../pngwrite.c:909:4
#3 0x584c9a in png_write_image /benchmark/libpng-1.6.38/build-a/../pngwrite.c:636:10
#4 0x584c9a in png_write_png /benchmark/libpng-1.6.38/build-a/../pngwrite.c:1465:4
#5 0x4fd99a in write_png /benchmark/libpng-1.6.38/build-a/../contrib/libtests/pngimage.c:1368:4
#6 0x4f9cdc in test_one_file /benchmark/libpng-1.6.38/build-a/../contrib/libtests/pngimage.c:1443:4
#7 0x4f9cdc in do_test /benchmark/libpng-1.6.38/build-a/../contrib/libtests/pngimage.c:1573:7
#8 0x4f87fa in main /benchmark/libpng-1.6.38/build-a/../contrib/libtests/pngimage.c:1677:23
#9 0x7f8bd6838082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#10 0x41d51d in _start ( /benchmark/libpng-1.6.38/build-a/pngimage+0x41d51d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /benchmark/libpng-1.6.38/build-a/../pngwutil.c:2496:14 in png_setup_paeth_row
==4043214==ABORTING
Aborted
I cannot reproduce the crash, neither on x86_64 (Ubuntu 20.04), nor on aarch64 (Apple). I tried clang and gcc, and I compiled it at -O2 and -O3 with
-fsanitize=address,undefined.Another point of confusion is that, in libpng 1.6.38, that kind of crash at
pngwutil.c:2496is hardly possible. If you used optimized compilation, that might be the reason why the line number is incorrect.Could you please be more specific about your build commands or scripts or everything else that's relevant in your build environment?
Hi, I think the issue may relate to compiler I used since I try to fuzz the program. Even though I modify a bit, it can be triggered using the original AFL++'s compiler.
I am working on ubuntu 20.04.
Here is the compiling command:
I attach the compiler and the pngimage binary that can reproduce the crash at the end of this reply.
Last edit: Harvey Huang 2022-11-18
I still cannot reproduce your error. BTW, the compiler that you attached fails because it cannot find
afl-compiler-rt.o. However, I installed the compiler myself, from the Ubuntu PPA.Here are the commands that I tried:
Nothing crashed or failed in any way. Could it be that Ubuntu's AFL compiler version is too old, and I need to build it from the AFLplusplus source at GitHub? Here is the compiler version:
I attach the missing file.
Here is my clang version.
I think the official AFL in PPA is correct and the problem is caused by the AFLplusplus. You can try the source code at Github with following version, 4.05a, d1e1bbc713b22d620956.
I also contact the developer of AFL++ and they confirm the probelm in this issue.
Last edit: Harvey Huang 2023-01-10
Could libpng maintainers or the reporter please state if they believe libpng introduces this issue?
From the conversation, it appears to be a non-issue.
fwiw, I created a clean Ubuntu 20.04 vm and was not able to reproduce the PoC fault:
If the reporter or project state that this is not a vulnerability in libpng, I will ask Red Hat to revoke their assignment of CVE-2022-3857 for this issue https://bugzilla.redhat.com/show_bug.cgi?id=2142600
Note that the maintainers do not mention this CVE on http://www.libpng.org/pub/png/libpng.html unlike other libpng CVEs.
libpng is vendored into many downstreams (like Firefox and Chromium) and causes alarm bells to ring :,)
Last edit: Mark Esler 2024-08-19