null ptr deref + segfault w/ malformed png
Advanced PNG optimization program
Status: Beta
Brought to you by: cosmin
OptiPNG version "Hg"
Using opnglib version @OPNGLIB_VERSION@
Using opngreduc
Using libpng version 1.4.12
Using zlib version 1.2.7-optipng
Using pnmio version 0.3
Using minitiff version 0.1
Using cexcept version 2.0.1-optipng
While fuzzing this build of optipng with American Fuzzy Lop, I discovered that this malformed png triggers a null ptr deref and subsequent segfault.
./optipng test00.jpg
Processing: test00.png
==19370== Invalid read of size 8
==19370== at 0x44CD6D: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x44693D: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x424D39: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x411C03: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x402D8B: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x50D2EAC: (below main) (libc-start.c:244)
==19370== Address 0x5446c50 is 0 bytes after a block of size 1,024 alloc'd
==19370== at 0x4C26B3F: malloc (vg_replace_malloc.c:299)
==19370== by 0x45D509: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x459189: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x449B7C: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x44693D: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x424D39: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x411C03: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x402D8B: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x50D2EAC: (below main) (libc-start.c:244)
==19370==
==19370== Invalid write of size 8
==19370== at 0x4C2CFF7: memset (vg_replace_strmem.c:1127)
==19370== by 0x447CEC: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x44CD75: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x44693D: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x424D39: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x411C03: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x402D8B: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x50D2EAC: (below main) (libc-start.c:244)
==19370== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==19370==
==19370==
==19370== Process terminating with default action of signal 11 (SIGSEGV)
==19370== Access not within mapped region at address 0x0
==19370== at 0x4C2CFF7: memset (vg_replace_strmem.c:1127)
==19370== by 0x447CEC: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x44CD75: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x44693D: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x424D39: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x411C03: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x402D8B: ??? (in /home/geeknik/png-tmp/optipng)
==19370== by 0x50D2EAC: (below main) (libc-start.c:244)
==19370== If you believe this happened as a result of a stack
==19370== overflow in your program's main thread (unlikely but
==19370== possible), you can try to increase the size of the
==19370== main thread stack using the --main-stacksize= flag.
==19370== The main thread stack size used in this run was 8388608.
Segmentation fault
Program received signal SIGSEGV, Segmentation fault.
__memset_sse2 () at ../sysdeps/x86_64/multiarch/../memset.S:339
339 ../sysdeps/x86_64/multiarch/../memset.S: No such file or directory.
(gdb) bt
#0 __memset_sse2 () at ../sysdeps/x86_64/multiarch/../memset.S:339
#1 0x0000000000447ced in ?? ()
#2 0x000000000044cd76 in ?? ()
#3 0x000000000044693e in ?? ()
#4 0x0000000000424d3a in ?? ()
#5 0x0000000000411c04 in ?? ()
#6 0x0000000000402d8c in ?? ()
#7 0x00007ffff77eeead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>,
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348)
at libc-start.c:244
#8 0x000000000040c13d in ?? ()
#9 0x00007fffffffe348 in ?? ()
#10 0x000000000000001c in ?? ()
#11 0x0000000000000002 in ?? ()
#12 0x00007fffffffe5cc in ?? ()
#13 0x00007fffffffe5f6 in ?? ()
#14 0x0000000000000000 in ?? ()
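The Valgrind trace above shows the shape of the defect: a read just past the end of a 1,024-byte heap block yields a bogus pointer, which is then handed to memset and dereferenced at address 0. As an added illustration (this is not OptiPNG's, opnglib's or libpng's code, and the page does not show the actual fix), the C below walks PNG chunks with every length checked against the bytes actually present, so a file whose chunk length field overstates the data, or whose CRC does not match, is rejected with an error code rather than read out of bounds. The sample PNG, the `PNG_ERR_*` codes and the `check_*` helpers are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not OptiPNG code: bounds-checked PNG chunk walking that
   rejects malformed input with an error code instead of reading past a
   buffer or handing a bad pointer to memset. */

enum { PNG_ERR_SIG = -1, PNG_ERR_TRUNC = -2, PNG_ERR_LEN = -3,
       PNG_ERR_CRC = -4, PNG_ERR_NOEND = -5 };

static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void wr_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* CRC-32 as specified by PNG (reflected, polynomial 0xEDB88320), bitwise. */
uint32_t crc32_png(const uint8_t *buf, size_t len) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Walk every chunk; each access is checked against the bytes present.
   Returns the chunk count, or a negative PNG_ERR_* code. */
int png_walk_chunks(const uint8_t *data, size_t size) {
    if (size < 8 || memcmp(data, PNG_SIG, 8) != 0) return PNG_ERR_SIG;
    size_t off = 8;
    int count = 0;
    while (off < size) {
        if (size - off < 8) return PNG_ERR_TRUNC;            /* length + type */
        uint32_t len = rd_be32(data + off);
        if (len > 0x7FFFFFFFu) return PNG_ERR_LEN;            /* spec limit 2^31-1 */
        size_t avail = size - off - 8;                        /* bytes after header */
        if (len > avail || avail - len < 4) return PNG_ERR_TRUNC; /* data + CRC */
        if (rd_be32(data + off + 8 + len) != crc32_png(data + off + 4, (size_t)len + 4))
            return PNG_ERR_CRC;
        count++;
        int is_iend = memcmp(data + off + 4, "IEND", 4) == 0;
        off += 12 + (size_t)len;
        if (is_iend) return count;
    }
    return PNG_ERR_NOEND;
}

/* Constructed sample helper: append one chunk with a correct CRC. */
static size_t put_chunk(uint8_t *out, size_t pos, const char *type,
                        const uint8_t *data, uint32_t len) {
    wr_be32(out + pos, len);
    memcpy(out + pos + 4, type, 4);
    if (len) memcpy(out + pos + 8, data, len);
    wr_be32(out + pos + 8 + len, crc32_png(out + pos + 4, len + 4));
    return pos + 12 + len;
}

/* Constructed minimal PNG: signature, a 1x1 RGBA IHDR, and IEND (no IDAT,
   which is enough to exercise the chunk walker). Returns its size (45). */
size_t build_sample_png(uint8_t *out) {
    static const uint8_t ihdr[13] = {0,0,0,1, 0,0,0,1, 8, 6, 0, 0, 0};
    memcpy(out, PNG_SIG, 8);
    size_t n = put_chunk(out, 8, "IHDR", ihdr, 13);
    return put_chunk(out, n, "IEND", NULL, 0);
}

int check_valid(void) {
    uint8_t buf[64]; size_t n = build_sample_png(buf);
    return png_walk_chunks(buf, n);
}
/* Length field claims far more data than the file holds. */
int check_oversized_length(void) {
    uint8_t buf[64]; size_t n = build_sample_png(buf);
    wr_be32(buf + 8, 0x7FFFFFF0u);
    return png_walk_chunks(buf, n);
}
/* One byte of IHDR data corrupted: the stored CRC no longer matches. */
int check_bad_crc(void) {
    uint8_t buf[64]; size_t n = build_sample_png(buf);
    buf[16] ^= 0x01;
    return png_walk_chunks(buf, n);
}
/* File cut short in the middle of the IEND CRC. */
int check_truncated(void) {
    uint8_t buf[64]; size_t n = build_sample_png(buf);
    return png_walk_chunks(buf, n - 1);
}

int main(void) {
    printf("valid=%d oversized=%d badcrc=%d truncated=%d\n",
           check_valid(), check_oversized_length(), check_bad_crc(), check_truncated());
    return 0;
}
```

The two checks that matter are the ones in `png_walk_chunks`: `len > avail` is computed by subtraction on the remaining size rather than by adding `off + 8 + len`, so an attacker-chosen length cannot wrap the arithmetic, and the CRC is verified before any chunk data is interpreted. Running the program prints `valid=2 oversized=-2 badcrc=-4 truncated=-2`.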
Thanks. I am marking this as security-sensitive. This is the same issue as in bugs 56 and 59, and I will make a new release, sometime this week, possibly later today.
If it is possible for me to have your real name, I would like to give you credit as a co-discoverer.
Can we close this issue? Seems to be fixed already.
Was fixed in v0.7.6 (but forgot to close it).