
Incomplete fix of CVE-2019-6129 #466

Closed
5hadowblad3 opened this issue Feb 7, 2023 · 2 comments

Comments

5hadowblad3 commented Feb 7, 2023

Hi, there is an incomplete fix of CVE-2019-6129 in the newest release version of libpng-1.6.39 even though it is reported to be fixed in this issue #269.

To reproduce, run

pngimage poc

Here is the report from ASAN:

==4026201==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1264 byte(s) in 1 object(s) allocated from:
    #0 0x4c263f in malloc  /dependence/llvm11/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x51eb97 in png_malloc_base  /benchmark/libpng-1.6.39/build-a/../pngmem.c:95:17
    #2 0x51eb97 in png_malloc_warn  /benchmark/libpng-1.6.39/build-a/../pngmem.c:217:23
    #3 0x51ee00 in png_create_read_struct_2  /benchmark/libpng-1.6.39/build-a/../pngread.c:45:26
    #4 0x51ee00 in png_create_read_struct  /benchmark/libpng-1.6.39/build-a/../pngread.c:33:11

Direct leak of 360 byte(s) in 1 object(s) allocated from:
    #0 0x4c263f in malloc  /dependence/llvm11/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x4ff989 in png_create_info_struct  /benchmark/libpng-1.6.39/build-a/../png.c:368:15

Indirect leak of 768 byte(s) in 1 object(s) allocated from:
    #0 0x4c263f in malloc  /dependence/llvm11/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x51e4c3 in png_malloc_base  /benchmark/libpng-1.6.39/build-a/../pngmem.c:95:17
    #2 0x51e4c3 in png_malloc  /benchmark/libpng-1.6.39/build-a/../pngmem.c:179:10
    #3 0x51e4c3 in png_calloc  /benchmark/libpng-1.6.39/build-a/../pngmem.c:54:10
    #4 0x51f5d0 in png_read_info  /benchmark/libpng-1.6.39/build-a/../pngread.c:160:10

Indirect leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x4c263f in malloc  /dependence/llvm11/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x51e5ed in png_malloc_base  /benchmark/libpng-1.6.39/build-a/../pngmem.c:95:17
    #2 0x51e5ed in png_malloc  /benchmark/libpng-1.6.39/build-a/../pngmem.c:179:10
    #3 0x51f6b6 in png_read_info  /benchmark/libpng-1.6.39/build-a/../pngread.c:245:10

SUMMARY: AddressSanitizer: 2648 byte(s) leaked in 4 allocation(s).

(unzip first)
incomplete_fix_png_CVE-2019-6129.zip
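Added example, not code from the reporter or from libpng: a small triage parser for LeakSanitizer reports like the one above. It reconciles the per-leak byte counts against the SUMMARY line and names the routine that requested each direct (root) leak, which separates "setup state not destroyed on an error exit" from a per-object allocation bug. The sample is the report quoted in this issue with build paths shortened and some intermediate png_malloc_base frames dropped; the wrapper list is an assumption about which frames never own memory.

```python
import re
# Constructed sample: the report above, paths shortened, some intermediate frames dropped.
SAMPLE_REPORT = """\
Direct leak of 1264 byte(s) in 1 object(s) allocated from:
    #0 0x4c263f in malloc  asan_malloc_linux.cpp:145:3
    #2 0x51eb97 in png_malloc_warn  pngmem.c:217:23
    #3 0x51ee00 in png_create_read_struct_2  pngread.c:45:26
Direct leak of 360 byte(s) in 1 object(s) allocated from:
    #0 0x4c263f in malloc  asan_malloc_linux.cpp:145:3
    #1 0x4ff989 in png_create_info_struct  png.c:368:15
Indirect leak of 768 byte(s) in 1 object(s) allocated from:
    #0 0x4c263f in malloc  asan_malloc_linux.cpp:145:3
    #2 0x51e4c3 in png_malloc  pngmem.c:179:10
    #3 0x51e4c3 in png_calloc  pngmem.c:54:10
    #4 0x51f5d0 in png_read_info  pngread.c:160:10
Indirect leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x4c263f in malloc  asan_malloc_linux.cpp:145:3
    #2 0x51e5ed in png_malloc  pngmem.c:179:10
    #3 0x51f6b6 in png_read_info  pngread.c:245:10
SUMMARY: AddressSanitizer: 2648 byte(s) leaked in 4 allocation(s).
"""

LEAK = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)")
TOTAL = re.compile(r"^SUMMARY: AddressSanitizer: (\d+) byte\(s\) leaked in (\d+) allocation\(s\)")
WRAPPERS = ("malloc", "png_malloc", "png_calloc")  # assumed allocator layers that never own memory

def parse_lsan_report(text):
    """Return ([(kind, bytes, objects, [frames innermost first]), ...], (bytes, objects) from SUMMARY)."""
    leaks, summary = [], None
    for line in text.splitlines():
        if m := LEAK.match(line):
            leaks.append((m[1], int(m[2]), int(m[3]), []))
        elif (m := FRAME.match(line)) and leaks:
            leaks[-1][3].append(m[1])
        elif m := TOTAL.match(line):
            summary = (int(m[1]), int(m[2]))
    return leaks, summary

def triage(text):
    """Per-kind byte totals, whether they reconcile with SUMMARY, and the owner of each root leak."""
    leaks, summary = parse_lsan_report(text)
    totals = {"Direct": 0, "Indirect": 0}
    for kind, nbytes, _, _ in leaks:
        totals[kind] += nbytes
    reconciled = summary == (sum(totals.values()), sum(n for _, _, n, _ in leaks))
    roots = sorted({next((f for f in frames if not f.startswith(WRAPPERS)), None)
                    for kind, _, _, frames in leaks if kind == "Direct"})
    return totals, reconciled, roots
```

Indirect leaks are only reachable through a leaked root, so when every root is a create/setup call the whole report collapses to "cleanup skipped before exit", which is the distinction the maintainer draws below.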

jbowler (Contributor) commented Jun 22, 2023

pngimage is not a released program; it's only used for testing with a defined list of files that are required to be well-formed. Anyway, the behavior is correct. The error message is clear enough (I added the emphasis):

incomplete_fix_png_CVE-2019-6129: error(user): original read: file truncated (101 bytes)

The program immediately exits with an error code of 99 on detecting the error:

jbowler@hippopopus ~/src/libpng/build-github $ ./pngimage --log ../libpng16-github/pngbar.png incom* ../libpng16-github/pngnow.png
PASS: pngimage ../libpng16-github/pngbar.png
incomplete_fix_png_CVE-2019-6129: error(user): original read: file truncated (101 bytes)

This behavior is correct; freeing memory is not necessary, is pointless and is dangerous in this case (pngimage has been passed a corrupt file.)

jbowler (Contributor) commented Jan 30, 2024

@ctruta no dispute on this one; the behavior is valid and correct. Please close.
