|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
libpng Information for VU#684664
| Date Notified | 05/07/2007 |
| Date Modified | 08/22/2007 09:04:35 PM |
| Status Summary | Vulnerable |
Vendor StatementA grayscale PNG image with a malformed (bad CRC) tRNS chunk will crash some libpng applications.
This vulnerability could be used to crash a browser when a user tries to view such a malformed PNG file. It is not known whether the vulnerability could be exploited otherwise.
The reason is that png_ptr->num_trans is set to 1 and then there is an error return after checking the CRC, so the trans[] array is never allocated. Since png_ptr->num_trans is nonzero, libpng tries to use the array later.
This bug was first introduced in libpng version 0.90, in 1996. All versions from libpng-0.90 through libpng-1.2.16 are vulnerable.
Here is the fix, thanks to Mats Palmgren:
--- pngrutil.c_1.2.16 2007-05-11 23:11:55.395466000 -0500
+++ pngrutil.c 2007-05-14 04:37:32.101297000 -0500
@@ -1314,7 +1314,10 @@
}
if (png_crc_finish(png_ptr, 0))
+ {
+ png_ptr->num_trans = 0;
return;
+ }
png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
&(png_ptr->trans_values));
This patch can be applied to any vulnerable version of libpng.
Libpng version 1.0.25 and 1.2.17, which are being released concurrently
with this advisory, have been patched.
This vulnerability has been assigned the identifiers
CVE-2007-2445 and CERT VU#684664.
Glenn Randers-Pehrson
PNG Development GroupUS-CERT AddendumSee http://www.mirrorservice.org/sites/download.sourceforge.net/pub/sourceforge/l/li/libpng/libpng-1.2.17-ADVISORY.txt for more details.
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
 |
