Vigil@nce - libpng: denial of service via sCAL
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to display a malicious PNG
image, in order to generate a denial of service in applications
linked to libpng.
Severity: 1/4
Creation date: 08/07/2011
IMPACTED PRODUCTS
- Unix - platform
DESCRIPTION OF THE VULNERABILITY
The libpng library is used by several applications to decode or
display PNG images.
The sCAL ("Physical Scale") field of a PNG image defines its
relative scale. Its format is:
– one byte: unit (meter)
– the X axis multiplier, stored as text (for example "2.5")
– a null byte
– the Y axis multiplier, stored as text (for example "2.5")
However, if the sCAL field is empty, or if the null byte is
missing, the png_handle_sCAL() function tries to read at an
invalid memory address.
An attacker can therefore invite the victim to display a malicious
PNG image, in order to generate a denial of service in
applications linked to libpng.
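
The checks that the format above calls for, as an added example (not libpng's code and not part of the bulletin): a bounded validator that rejects an empty sCAL field and a missing null byte before any multiplier is read. The names scal_validate, scal_view and the SCAL_* codes are hypothetical, the sample bytes are constructed, and rejecting an empty multiplier is an assumption of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this added example (names are hypothetical). */
enum scal_status {
    SCAL_OK = 0,
    SCAL_EMPTY = -1,        /* zero-length field: not even a unit byte */
    SCAL_NO_SEPARATOR = -2, /* null byte between X and Y is missing */
    SCAL_EMPTY_VALUE = -3   /* X or Y multiplier text is empty (assumed invalid) */
};

struct scal_view {
    unsigned char unit;         /* unit byte */
    const unsigned char *x, *y; /* multiplier texts, not null-terminated */
    size_t x_len, y_len;        /* their lengths in bytes */
};

/* Validate `len` bytes of sCAL data without reading outside data[0..len). */
int scal_validate(const unsigned char *data, size_t len, struct scal_view *out)
{
    const unsigned char *sep;
    size_t x_len, y_len;
    if (data == NULL || len == 0)
        return SCAL_EMPTY;
    /* Bounded search: only the len - 1 bytes after the unit are examined. */
    sep = memchr(data + 1, 0, len - 1);
    if (sep == NULL)
        return SCAL_NO_SEPARATOR;
    x_len = (size_t)(sep - (data + 1));
    y_len = len - 2 - x_len; /* total minus unit byte, separator and X text */
    if (x_len == 0 || y_len == 0)
        return SCAL_EMPTY_VALUE;
    *out = (struct scal_view){ .unit = data[0], .x = data + 1, .y = sep + 1,
                               .x_len = x_len, .y_len = y_len };
    return SCAL_OK;
}

int main(void)
{
    /* Constructed sample: unit byte, "2.5", null byte, "2.5". */
    static const unsigned char ok[] = { 1, '2', '.', '5', 0, '2', '.', '5' };
    struct scal_view v;
    /* Full field, then the same bytes cut off before the null byte. */
    printf("%d %d\n", scal_validate(ok, sizeof ok, &v),
           scal_validate(ok, 4, &v));
    return 0;
}
```

The Y multiplier is returned as a pointer and a length because it runs to the end of the field and has no terminator of its own; a caller must copy it into a terminated buffer before passing it to a string-to-number routine.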
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libpng-denial-of-service-via-sCAL-10820