Notified: May 07, 2007 Updated: May 16, 2007
A grayscale PNG image with a malformed (bad CRC) tRNS chunk will crash some libpng applications.
This vulnerability could be used to crash a browser when a user tries to view such a malformed PNG file. It is not known whether the vulnerability could be exploited otherwise.
The reason is that png_ptr->num_trans is set to 1 and then there is an error return after checking the CRC, so the trans array is never allocated. Since png_ptr->num_trans is nonzero, libpng tries to use the array later.
This bug was first introduced in libpng version 0.90, in 1996. All versions from libpng-0.90 through libpng-1.2.16 are vulnerable.
Here is the fix, thanks to Mats Palmgren:
--- pngrutil.c_1.2.16 2007-05-11 23:11:55.395466000 -0500
+++ pngrutil.c 2007-05-14 04:37:32.101297000 -0500
@@ -1314,7 +1314,10 @@
if (png_crc_finish(png_ptr, 0))
+ png_ptr->num_trans = 0;
png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
This patch can be applied to any vulnerable version of libpng.
Libpng version 1.0.25 and 1.2.17, which are being released concurrently
with this advisory, have been patched.
This vulnerability has been assigned the identifiers
CVE-2007-2445 and CERT VU#684664.
PNG Development Group
The vendor has not provided us with any further information regarding this vulnerability.
See http://www.mirrorservice.org/sites/download.sourceforge.net/pub/sourceforge/l/li/libpng/libpng-1.2.17-ADVISORY.txt for more details.
If you have feedback, comments, or additional information about this vulnerability, please send us email.