Vulnerability Note VU#477046

libpng malformed cHRM divide-by-zero vulnerability

Overview

libpng crashes when processing malformed cHRM chunks.

I. Description

When libpng encounters a malformed cHRM chunk, it performs a divide-by-zero that crashes the library. This bug was introduced in libpng version 1.5.4 and has been fixed in libpng version 1.5.5.
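The following is an added illustration of the arithmetic behind this bug; it is not libpng's code. It reads the eight big-endian chromaticity values of a cHRM chunk payload, derives the RGB-to-gray coefficients exactly as the libpng-1.5.4 expression in the patch below does, and rejects the degenerate chunk (all three y components zero) instead of dividing by it. Function names, the constructed sample chunks and the extra range check on the y values are assumptions for this example.

```c
#include <stdint.h>
#include <string.h>

/* PNG integers are big-endian 32-bit; helper for this example only. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/*
 * payload: the 32-byte cHRM data (white x,y, red x,y, green x,y, blue x,y,
 * each scaled by 100000). Fills coeff[] = {red, green, blue} / 32768 the way
 * libpng-1.5.4's png_handle_cHRM computes them.
 * Returns 0 on success, -1 if the y components sum to zero (the case that
 * made libpng-1.5.4 divide by zero), -2 if a y value exceeds 1.0 (which
 * would also overflow the 32-bit multiply by 32768). Hypothetical API.
 */
int chrm_to_gray_coeffs(const unsigned char payload[32], uint16_t coeff[3])
{
    uint32_t y_red = be32(payload + 12), y_green = be32(payload + 20),
             y_blue = be32(payload + 28);
    if (y_red > 100000 || y_green > 100000 || y_blue > 100000)
        return -2;
    uint32_t w = y_red + y_green + y_blue;
    if (w == 0)            /* the guard the 1.5.5 patch adds */
        return -1;
    coeff[0] = (uint16_t)((y_red   * 32768) / w);
    coeff[1] = (uint16_t)((y_green * 32768) / w);
    coeff[2] = (uint16_t)((y_blue  * 32768) / w);
    return 0;
}

/* Constructed sRGB chromaticities (D65 white, Rec.709 primaries). */
void build_srgb_chrm(unsigned char out[32])
{
    const uint32_t v[8] = {31270, 32900, 64000, 33000, 30000, 60000, 15000, 6000};
    for (int i = 0; i < 8; i++) put32(out + 4 * i, v[i]);
}

/* Constructed malformed chunk: every y component is zero. */
void build_zero_y_chrm(unsigned char out[32])
{
    const uint32_t v[8] = {31270, 0, 64000, 0, 30000, 0, 15000, 0};
    for (int i = 0; i < 8; i++) put32(out + 4 * i, v[i]);
}
```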

II. Impact

By tricking a user into opening a specially crafted PNG file in an application that uses libpng, an attacker may be able to cause a denial-of-service crash.

The PNG Development Group has stated that: Such malformed PNG files are not necessarily malevolent (ones have been observed on the Internet that were created by accident) but they will cause a crash anyway.

III. Solution

Apply an Update

This vulnerability is addressed in the following libpng versions: libpng-1.5.5

The PNG Development Group recommends upgrading to libpng-1.5.5. However, if you must continue to use libpng-1.5.4, you can apply the following patch to libpng-1.5.4:

--- a/libpng/pngrutil.c
+++ b/libpng/pngrutil.c
@@ -1037,12 +1037,15 @@ png_handle_cHRM(png_structp png_ptr, png_infop
info_ptr, png_uint_32 length)
*/
png_uint_32 w = y_red + y_green + y_blue;

- png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
- 32768)/w);
- png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
- * 32768)/w);
- png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
- 32768)/w);
+ if (w != 0)
+ {
+ png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
+ 32768)/w);
+ png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
+ * 32768)/w);
+ png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
+ 32768)/w);
+ }
}
}
#endif
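Review bot: when w is zero the new `if (w != 0)` block skips the three assignments silently, so a cHRM chunk whose y components sum to zero is accepted and rgb_to_gray_red_coeff, rgb_to_gray_green_coeff and rgb_to_gray_blue_coeff keep whatever values they held before, with no diagnostic to the application. Given that the PNG Development Group says such chunks do occur by accident, consider adding an else branch that calls png_warning so the caller learns the chunk was ignored; the guard itself correctly removes the divide-by-zero.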

Vendor Information


According to The PNG Development Group: Those that use a "system" libpng that happens to be libpng-1.5.4 are vulnerable to a divide-by-zero crash. Mozilla products that use the embedded libpng are not vulnerable.
Vendor    Status      Date Notified / Date Updated
libpng    Affected    2011-09-22

References


http://libpng.sf.net/index.html
ftp://ftp.simplesystems.org/pub/png/src
https://sourceforge.net/tracker/index.php?func=detail&aid=3406145&group_id=5624&atid=105624

Credit

Thanks to Glenn Randers-Pehrson of the PNG Development Group for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public: 2011-09-22
Date First Published: 2011-09-22
Date Last Updated: 2011-09-23
CERT Advisory: 
CVE-ID(s): CVE-2011-3328
NVD-ID(s): CVE-2011-3328
US-CERT Technical Alerts: 
Severity Metric: 0.06
Document Revision: 15

Produced 2011 by US-CERT, a government organization