Vigil@nce: libpng, denial of service of png_format_buffer
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to display a malformed PNG
image, in order to stop applications linked to libpng.
– Severity: 1/4
– Creation date: 28/06/2011
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The libpng library is used to process PNG (Portable Network
Graphics) images.
The png_chunk_error() and png_chunk_warning() functions create
error messages to indicate that an image is invalid. These
functions call the png_format_buffer() function. This function
contains the following code:
png_memcpy(buffer+iout, error_message, PNG_MAX_ERROR_TEXT(64));
This call therefore always copies 64 bytes into the buffer, regardless
of the message length. If the message is only 10 bytes long, 64 bytes
are still copied, so the processor reads the 54 bytes located after
the message string. If those bytes are located in a different memory
page, a segmentation fault occurs.
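As an added example (not libpng's code and not part of the bulletin), a simplified model of the copy described above: the fixed-size memcpy beside a variant bounded by the actual message length. PNG_MAX_ERROR_TEXT is libpng's 64-byte cap; the function names and the constructed padded input are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define PNG_MAX_ERROR_TEXT 64
#define OUT_SIZE (PNG_MAX_ERROR_TEXT + 1)

/* Vulnerable pattern (assumed simplification of the call in the bulletin):
   always copies 64 bytes, reading past the terminator of a shorter message. */
size_t format_buffer_vuln(char *out, const char *error_message)
{
    memcpy(out, error_message, PNG_MAX_ERROR_TEXT);
    out[PNG_MAX_ERROR_TEXT] = '\0';
    return PNG_MAX_ERROR_TEXT;
}

/* Hardened pattern: bound the copy by the message length, capped at 64. */
size_t format_buffer_safe(char *out, const char *error_message)
{
    size_t len = strlen(error_message);
    if (len > PNG_MAX_ERROR_TEXT)
        len = PNG_MAX_ERROR_TEXT;
    memcpy(out, error_message, len);
    out[len] = '\0';
    return len;
}

/* Demonstration: how many bytes beyond the message's terminator each
   variant copies. The source is a constructed 80-byte array holding a
   10-byte message, its NUL, then 'X' filler, so the over-read stays
   inside one array instead of faulting. Returns the over-copied count. */
size_t bytes_copied_past_nul(int use_safe)
{
    char src[80];
    char out[OUT_SIZE];
    memset(src, 'X', sizeof src);        /* constructed filler */
    memcpy(src, "bad chunk!", 11);       /* 10 chars + NUL at src[10] */
    size_t n = use_safe ? format_buffer_safe(out, src)
                        : format_buffer_vuln(out, src);
    return n > 10 ? n - 10 : 0;          /* vuln: 54, safe: 0 */
}
```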
An attacker can therefore invite the victim to display a malformed
PNG image, in order to stop applications linked to libpng.
This vulnerability is a regression of VIGILANCE-VUL-4148
(https://vigilance.fr/tree/1/4148).
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libpng-denial-of-service-of-png-format-buffer-10782