search menu icon-carat-right cmu-wordmark

CERT Coordination Center

libpng malformed cHRM divide-by-zero vulnerability

Vulnerability Note VU#477046

Original Release Date: 2011-09-22 | Last Revised: 2011-09-23


libpng crashes when processing malformed cHRM chunks.


When libpng encounters a cHRM chunk that is malformed it will perform a divide-by-zero causing libpng to crash. This bug was introduced in libpng version 1.5.4 and has been fixed in libpng version 1.5.5.


By tricking a user into opening a specifically crafted PNG file within an application that uses libpng, an attacker may be able to cause a denial of service crash.

The PNG Development Group has stated that: Such malformed PNG files are not necessarily malevolent (ones have been observed on the Internet that were created by accident) but they will cause a crash anyway.


Apply an Update

This vulnerability is addressed in the following libpng versions: libpng-1.5.5

The PNG Development Group recommends upgrading to libpng-1.5.5. However, if you must continue to use libpng-1.5.4, you can apply the following patch to libpng-1.5.4:

--- a/libpng/pngrutil.c
+++ b/libpng/pngrutil.c
@@ -1037,12 +1037,15 @@ png_handle_cHRM(png_structp png_ptr, png_infop
info_ptr, png_uint_32 length)
png_uint_32 w = y_red + y_green + y_blue;

- png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
- 32768)/w);
- png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
- * 32768)/w);
- png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
- 32768)/w);
+ if (w != 0)
+ {
+ png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
+ 32768)/w);
+ png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
+ * 32768)/w);
+ png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
+ 32768)/w);
+ }

Vendor Information

According to The PNG Development Group: Those that use a "system" libpng that happens to be libpng-1.5.4 are vulnerable to a divide-by-zero crash. Mozilla products that use the embedded libpng are not vulnerable.


libpng Affected

Updated:  September 22, 2011



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector



Thanks to Glenn Randers-Pehrson of the PNG Development Group for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE, 2011-3328
Severity Metric: 0.06
Date Public: 2011-09-22
Date First Published: 2011-09-22
Date Last Updated: 2011-09-23 11:27 UTC
Document Revision: 16

Sponsored by CISA.