
Heap buffer overflow (Read of size 1) in pngimage.c #283

Open
thuanpv opened this issue Apr 6, 2019 · 4 comments

Comments

@thuanpv

thuanpv commented Apr 6, 2019

Hi,

I am running some experiments for AFLSmart and it has found a heap buffer overflow in the pngimage utility. I think the bug is not critical, as it is in a test program rather than in the library itself, so I report it here.

There are two test cases (as attached) which can trigger (similar) bug(s) at two different locations.

To reproduce:

  • Compile LibPNG with ASAN (I found the bug on LibPNG commit 8439534)
  • Run the following command
    ./pngimage test_*.png

ASAN says:

==31076==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000a71 at pc 0x00000052fd58 bp 0x7ffcb8b48230 sp 0x7ffcb8b48228
READ of size 1 at 0x602000000a71 thread T0
#0 0x52fd57 in compare_read /home/ubuntu/aflsmart-experiments/libpng/contrib/libtests/pngimage.c:1250:31
#1 0x52c46f in test_one_file /home/ubuntu/aflsmart-experiments/libpng/contrib/libtests/pngimage.c:1484:18
#2 0x52c46f in do_test /home/ubuntu/aflsmart-experiments/libpng/contrib/libtests/pngimage.c:1564
#3 0x52af2d in main /home/ubuntu/aflsmart-experiments/libpng/contrib/libtests/pngimage.c:1668:23
#4 0x7fb08c1a782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x41aec8 in _start (/home/ubuntu/aflsmart-experiments/libpng/pngimage+0x41aec8)

0x602000000a71 is located 0 bytes to the right of 1-byte region [0x602000000a70,0x602000000a71)
allocated by thread T0 here:
#0 0x4e9bff in malloc /home/ubuntu/llvm-7.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
#1 0x5559f2 in png_malloc_base /home/ubuntu/aflsmart-experiments/libpng/pngmem.c:95:17
#2 0x5559f2 in png_malloc /home/ubuntu/aflsmart-experiments/libpng/pngmem.c:179

test_1
test_2

@tangyaofang
Contributor

Hi, I compiled libpng with these commands:

export CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" CC=clang
./configure --host=arm
make

Run the following command

./pngimage test_*.png
test_1.png: error(libpng): original read: IHDR: CRC error
test_2.png: error(libpng): original read: IHDR: CRC error

but did not find your bug.
How did you compile and find this problem?

@tangyaofang
Contributor

Which version of libpng are you using?
I tested this problem in version 1.6.37, but did not find your bug.

@thuanpv
Author

thuanpv commented Jun 13, 2019

Hi tangyaofang,

I found it while fuzzing this commit 8439534. I disabled the CRC check to ease the fuzzing process by applying the following simple patch:

sed -i 's/return ((int)(crc != png_ptr->crc));/return (0);/g' pngrutil.c

Can you please try to disable the CRC check and reproduce the issue?

If it works, you can easily repair the CRC and get the PNG file to trigger the bug in the normal build.

Best regards,

Thuan
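A small helper for the repair step mentioned above, added here as an example that is not from the thread or from libpng itself: it walks the PNG chunk list, recomputes each chunk's CRC (crc32 over the type and data fields) and rewrites any stored value that does not match, so a file produced under the CRC-disabled build can be retried against an unpatched pngimage. The 1x1 sample image, with a deliberately corrupted IHDR CRC like the "IHDR: CRC error" seen in the thread, is constructed inline; it assumes the fuzzer left the chunk length fields intact.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def iter_chunks(data):
    """Yield (offset, type, payload, stored_crc) for each chunk after the signature.

    Raises ValueError on a truncated file so a malformed test case is
    reported rather than silently rewritten.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        payload = data[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", data[end - 4:end])[0]
        yield pos, ctype, payload, stored
        pos = end

def repair_png_crcs(data):
    """Return (repaired_bytes, [chunk types whose stored CRC was wrong])."""
    out = bytearray(data)
    fixed = []
    for pos, ctype, payload, stored in iter_chunks(data):
        actual = zlib.crc32(ctype + payload) & 0xFFFFFFFF  # CRC covers type + data
        if actual != stored:
            crc_off = pos + 8 + len(payload)
            out[crc_off:crc_off + 4] = struct.pack(">I", actual)
            fixed.append(ctype.decode("ascii"))
    return bytes(out), fixed

def make_chunk(ctype, payload, corrupt_crc=False):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    if corrupt_crc:
        crc ^= 0xDEADBEEF  # flip bits so the stored CRC is definitely wrong
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

# Constructed sample: 1x1 8-bit grayscale PNG whose IHDR CRC has been corrupted.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
IDAT = zlib.compress(b"\x00\x00")  # filter byte + one gray pixel
BAD_PNG = (PNG_SIGNATURE
           + make_chunk(b"IHDR", IHDR, corrupt_crc=True)
           + make_chunk(b"IDAT", IDAT)
           + make_chunk(b"IEND", b""))
```

Calling `repair_png_crcs(BAD_PNG)` returns the repaired bytes together with `['IHDR']`, and running it again on the result reports nothing left to fix.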

@jbowler
Contributor

jbowler commented Aug 10, 2024

The line numbers are way off and the column number on the report doesn't add up either; it's the & of the first test.

It's difficult (well, impossible) to believe a bug report like this without analysis. Specifically:

  1. What is the value of 'x'
  2. What is the value of 'mask'
  3. What is the value of 'b'
  4. Was the read speculative?

Of course (4) is the biggy; we expect read-beyond-end-of-buffer in loops like this. They might fault but the result is discarded because the speculative read is never used.
