search menu icon-carat-right cmu-wordmark

CERT Coordination Center

libpng malformed cHRM divide-by-zero vulnerability

Vulnerability Note VU#477046

Original Release Date: 2011-09-22 | Last Revised: 2011-09-23


libpng crashes when processing malformed cHRM chunks.


When libpng encounters a cHRM chunk that is malformed it will perform a divide-by-zero causing libpng to crash. This bug was introduced in libpng version 1.5.4 and has been fixed in libpng version 1.5.5.


By tricking a user into opening a specifically crafted PNG file within an application that uses libpng, an attacker may be able to cause a denial of service crash.

The PNG Development Group has stated that: Such malformed PNG files are not necessarily malevolent (ones have been observed on the Internet that were created by accident) but they will cause a crash anyway.


Apply an Update

This vulnerability is addressed in the following libpng versions: libpng-1.5.5

The PNG Development Group recommends upgrading to libpng-1.5.5. However, if you must continue to use libpng-1.5.4, you can apply the following patch to libpng-1.5.4:

--- a/libpng/pngrutil.c
+++ b/libpng/pngrutil.c
@@ -1037,12 +1037,15 @@ png_handle_cHRM(png_structp png_ptr, png_infop
info_ptr, png_uint_32 length)
png_uint_32 w = y_red + y_green + y_blue;

- png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
- 32768)/w);
- png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
- * 32768)/w);
- png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
- 32768)/w);
+ if (w != 0)
+ {
+ png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
+ 32768)/w);
+ png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
+ * 32768)/w);
+ png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
+ 32768)/w);
+ }

Vendor Information

According to The PNG Development Group: Those that use a "system" libpng that happens to be libpng-1.5.4 are vulnerable to a divide-by-zero crash. Mozilla products that use the embedded libpng are not vulnerable.

Affected   Unknown   Unaffected


Updated:  September 22, 2011



Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A



Thanks to Glenn Randers-Pehrson of the PNG Development Group for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE, 2011-3328
Severity Metric: 0.06
Date Public: 2011-09-22
Date First Published: 2011-09-22
Date Last Updated: 2011-09-23 11:27 UTC
Document Revision: 15

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.