
#57 optipng <= 0.7.5 heap buffer overflow pngxrbmp.c bmp_rle4_fread

v1.0 (example)
closed-fixed
security (6)
9
2016-04-05
2016-01-03
Henri Salo
No

Optipng is affected by a read/write out of bounds when processing malformed image files. This issue could be abused in server-side applications that use optipng as an external program for image processing. This issue was found using american fuzzy lop.

Malicious input file: http://bugs.fi/media/afl/optipng/2/optipng-002.png
SHA1: 39723feaef1cd6182e93a2c3d02e19b447faaa41
Gdb backtrace: http://bugs.fi/media/afl/optipng/2/backtrace.txt
ASAN processing log: http://bugs.fi/media/afl/optipng/2/asan.txt
Valgrind: http://bugs.fi/media/afl/optipng/2/valgrind.txt

Optipng is used as an external program in e.g. this software:

https://github.com/heyday/silverstripe-optimisedimage
https://github.com/jkphl/iconizr.git
https://github.com/christophlehmann/assetprocessor
https://github.com/psliwa/image-optimizer

Timeline:

2015-12-12: Reported to vendor via email (no reply yet)
2016-01-03: Emailed again to vendor and asked how to proceed
2016-01-03: Requested CVE identifier
2016-01-03: Created private item to issue tracker

Planning to announce this publicly this month (2016-01) if agreed with vendor.
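The defect class behind this ticket is a half-byte (4-bit pixel) copy whose loop bound does not account for the destination size, so a crafted run length can push writes past the buffer; the title points at the odd-offset path, where each input byte straddles two output bytes. As an added illustration (constructed example code, not OptiPNG's pngxrbmp.c; the function names, buffer layout and sample bytes are assumptions), here is a nibble copy that bounds every write by the destination length, every read by the source length, and never forms `len - 1` on an unsigned zero:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Number of destination bytes a run of 'len' nibbles touches when it starts
 * at nibble 'offset' (nibble 0 is the high half of dst[0]).  Returns 0 for an
 * empty run so that 'len - 1' is never computed on an unsigned zero.
 * Hypothetical helper, not part of any real decoder. */
size_t nibble_run_bytes(size_t offset, size_t len)
{
    if (len == 0)
        return 0;
    size_t first = offset / 2;
    size_t last = (offset + len - 1) / 2;
    return last - first + 1;
}

/* Copies 'len' nibbles (two per source byte, high nibble first) into dst
 * starting at nibble 'offset'.  An odd offset splits each source byte across
 * two destination bytes, the layout in which an unbounded loop overruns.
 * On any bound violation nothing is written and 0 is returned; otherwise the
 * number of nibbles written ('len') is returned. */
size_t nibble_copy_checked(uint8_t *dst, size_t dst_len, size_t offset,
                           const uint8_t *src, size_t src_len, size_t len)
{
    if (len == 0)
        return 0;
    if (offset > SIZE_MAX - len)              /* offset + len would wrap */
        return 0;
    size_t last_byte = (offset + len - 1) / 2; /* index of last dst byte */
    if (last_byte >= dst_len)                 /* destination too small */
        return 0;
    if (len / 2 + (len & 1) > src_len)        /* source too short */
        return 0;

    for (size_t i = 0; i < len; i++) {
        uint8_t byte = src[i / 2];
        uint8_t nib = (i & 1) ? (uint8_t)(byte & 0x0F) : (uint8_t)(byte >> 4);
        size_t pos = offset + i;
        if (pos & 1)   /* low half of the destination byte */
            dst[pos / 2] = (uint8_t)((dst[pos / 2] & 0xF0) | nib);
        else           /* high half of the destination byte */
            dst[pos / 2] = (uint8_t)((dst[pos / 2] & 0x0F) | (nib << 4));
    }
    return len;
}

/* Exercises the three cases a reviewer cares about on a constructed sample:
 * an odd-offset run that fits exactly, one that would overrun by one byte,
 * and an empty run.  Returns true if every check holds. */
bool nibble_copy_demo(void)
{
    const uint8_t src[2] = { 0xAB, 0xCD };   /* constructed sample nibbles */
    uint8_t dst[2] = { 0x00, 0x00 };

    /* 3 nibbles at odd offset 1: A -> low of dst[0], B -> high of dst[1],
     * C -> low of dst[1]; fits exactly in the 2-byte destination. */
    if (nibble_copy_checked(dst, sizeof dst, 1, src, sizeof src, 3) != 3)
        return false;
    if (dst[0] != 0x0A || dst[1] != 0xBC)
        return false;

    /* 4 nibbles at offset 1 would need 3 bytes: refused, buffer untouched. */
    uint8_t before[2];
    memcpy(before, dst, sizeof dst);
    if (nibble_copy_checked(dst, sizeof dst, 1, src, sizeof src, 4) != 0)
        return false;
    if (memcmp(before, dst, sizeof dst) != 0)
        return false;

    /* Empty run: nothing written, no unsigned wrap from 'len - 1'. */
    if (nibble_copy_checked(dst, sizeof dst, 1, src, sizeof src, 0) != 0)
        return false;
    return true;
}

int main(void)
{
    return nibble_copy_demo() ? 0 : 1;
}
```

The two bound checks are deliberately computed from the last byte index rather than from `offset + len + 1`, so they hold even when `offset + len` is close to `SIZE_MAX`; that is the same hazard the `len == 0` case presents in miniature, an unsigned expression that wraps instead of going negative.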

Discussion

  • Ramona Truta - 2016-01-20
    • assigned_to: Ramona Truta

  • Ramona Truta - 2016-01-20

    Confirmed.

  • Ramona Truta - 2016-02-19

    Thanks for the report. Here is the fix:

    diff --git a/src/pngxtern/pngxrbmp.c b/src/pngxtern/pngxrbmp.c
    index 00000000..ffffffff 100644
    --- a/src/pngxtern/pngxrbmp.c
    +++ b/src/pngxtern/pngxrbmp.c
    @@ -152,10 +152,12 @@ bmp_rle4_fread(png_bytep ptr, size_t offset, size_t len, FILE *stream)
        size_t result;
        int ch;
    
    +   if (len == 0)
    +      return 0;
        ptr += offset / 2;
        if (offset & 1)  /* use half-byte operations at odd offset */
        {
    -      for (result = 0; result < len; result += 2)
    +      for (result = 0; result < len - 1; result += 2)
           {
              ch = getc(stream);
              if (ch == EOF)
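    Review bot: the new `if (len == 0) return 0;` guard and the loop bound change to `result < len - 1` belong together and should be commented as such: `len` is a `size_t`, so without the guard a zero `len` makes `len - 1` wrap to `SIZE_MAX` and the loop runs unbounded; a one-line comment on the guard (e.g. `/* len - 1 below must not wrap */`) keeps a later cleanup from dropping it as redundant. The hunk shows only the odd-offset branch; the even-offset path and whatever consumes the remaining nibble when `len` is odd lie outside the context shown, so their bounds cannot be confirmed from this patch alone.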
    

    This should be applied in addition to what I already posted at https://sourceforge.net/p/optipng/bugs/56/

  • Ramona Truta - 2016-04-04
    • status: open --> closed-fixed

  • Ramona Truta - 2016-04-04

    Fixed in version 0.7.6.

  • Ramona Truta - 2016-04-05
    • private: Yes --> No
