Optipng is affected by a read/write out of bounds when processing malformed image files. This issue could be abused in server-side applications that use optipng as an external program for image processing. This issue was found using american fuzzy lop.
Malicious input file: http://bugs.fi/media/afl/optipng/1/optipng-001.png
SHA1: 7387fbf79554068af982b038614ba94ed1cd55e8
Gdb backtrace: http://bugs.fi/media/afl/optipng/1/backtrace.txt
ASAN processing log: http://bugs.fi/media/afl/optipng/1/asan.txt
Optipng is used as an external program in, e.g., this software:
https://github.com/heyday/silverstripe-optimisedimage
https://github.com/jkphl/iconizr.git
https://github.com/christophlehmann/assetprocessor
https://github.com/psliwa/image-optimizer
Timeline:
2015-12-12: Reported to vendor via email (no reply yet)
2016-01-03: Emailed again to vendor and asked how to proceed
2016-01-03: Requested CVE identifier
2016-01-03: Created private item to issue tracker
Planning to announce this publicly this month (2016-01) if agreed with vendor.
Confirmed.
Thank you very much, Henri, for your report. Here is the fix:
This is planned to go straight into the upcoming OptiPNG version 0.7.6.
When do you plan to release version 0.7.6?
I just posted one more fix at https://sourceforge.net/p/optipng/bugs/57/
Both of the images that you reported are now handled correctly with these two fixes, although I am still not entirely sure that I have covered all the cases.
I have applied the patches against the current hg version and continued fuzzing. No crashes found yet after 24h of fuzzing. I will report back if I find something, or by 2016-03-05.
Here is an updated fix. It addresses both this issue and the one reported in https://sourceforge.net/p/optipng/bugs/59/
I do not have access to issue 59. After applying the patches from 56 and 57 I still notice a crash with e.g. http://bugs.fi/media/afl/optipng/1/optipng-002.png
What is the status of this case?
The author of issue 59 has opened CVE-2016-2191. It's a different test case, but it addresses the same problem and is resolved by the same fix.
I retried the test case you posted at http://bugs.fi/media/afl/optipng/2/optipng-002.png and it works for me, both on Mac and Linux.
If all goes well, I should be able to make a new release sometime this week.
For the record, I have one more fix:
Fixed in version 0.7.6.
Thank you for your efforts and have a nice week :) If you want, feel free to make issues #56 and #57 public.
I removed the "private" flag. Thanks again for the report and feedback.