[Bug 1960326] Re: libpng: memory leak in png_handle_eXIf() in case of CRC error

Even Rouault 1960326 at bugs.launchpad.net
Tue May 3 15:23:35 UTC 2022


Turning this into a security issue, as this could cause a denial of
service in a situation where a long-lived process would get exposed to
broken images.

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libpng1.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1960326

Title:
  libpng: memory leak in png_handle_eXIf() in case of CRC error

Status in libpng1.6 package in Ubuntu:
  New

Bug description:
  Package:
  ii  libpng16-16:amd64                             1.6.37-2                                   amd64        PNG library - runtime (version 1.6)

  $ lsb_release -a
  LSB Version:	core-11.1.0ubuntu2-noarch:security-11.1.0ubuntu2-noarch
  Distributor ID:	Ubuntu
  Description:	Ubuntu 20.04.3 LTS
  Release:	20.04
  Codename:	focal

  On the attached file, coming from
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44486, a memory
  leak can be triggered with any software using libpng. Initially found
  with GDAL's utilities, but can also be reproduced with pnginfo:

  valgrind --leak-check=full pnginfo clusterfuzz-testcase-minimized-gdal_filesystem_fuzzer-5278568668594176
  ==3631607== Memcheck, a memory error detector
  ==3631607== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  ==3631607== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
  ==3631607== Command: pnginfo clusterfuzz-testcase-minimized-gdal_filesystem_fuzzer-5278568668594176
  ==3631607== 
  clusterfuzz-testcase-minimized-gdal_filesystem_fuzzer-5278568668594176...
  libpng warning: eXIf: CRC error
  libpng error: Read Error
  Could not set PNG jump value
  ==3631607== 
  ==3631607== HEAP SUMMARY:
  ==3631607==     in use at exit: 2,107,548 bytes in 5 blocks
  ==3631607==   total heap usage: 7 allocs, 2 frees, 2,112,668 bytes allocated
  ==3631607== 
  ==3631607== 4 bytes in 1 blocks are definitely lost in loss record 1 of 5
  ==3631607==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==3631607==    by 0x4886397: png_malloc_warn (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.37.0)
  ==3631607==    by 0x4895CD0: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.37.0)
  ==3631607==    by 0x488A15D: png_read_info (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.37.0)
  ==3631607==    by 0x10947C: ??? (in /usr/bin/pnginfo)
  ==3631607==    by 0x109175: ??? (in /usr/bin/pnginfo)
  ==3631607==    by 0x48D90B2: (below main) (libc-start.c:308)

  The issue is present in libpng 1.6.37, but no longer in the master branch of https://github.com/glennrp/libpng. Through bisection I found that the commit that fixes the leak is:
  https://github.com/glennrp/libpng/commit/eb6767273a4eb5d6f4ad528370d7262cf7aa220c

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libpng1.6/+bug/1960326/+subscriptions
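Added illustration, not libpng's code and not taken from the linked commit: a model of the allocate-then-unwind leak class the valgrind trace above shows (a block from png_malloc_warn still live after the "Read Error" longjmp that pnginfo catches), beside a handler that fails before it owns any heap memory. chunk_reader, handle_chunk_leaky, handle_chunk_fixed and the sample chunk bytes are hypothetical constructions.

```c
/* Illustrative model of the defect class (not libpng's code): a chunk payload
 * buffer is allocated, then the library's error path longjmp()s past the free.
 * Names (chunk_reader, handle_chunk_leaky, ...) are hypothetical. */
#include <setjmp.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static volatile int live_blocks = 0;        /* what valgrind's HEAP SUMMARY counts */
static void *track_malloc(size_t n) { live_blocks++; return malloc(n); }
static void track_free(void *p) { if (p) { live_blocks--; free(p); } }

typedef struct { jmp_buf jmp; const uint8_t *data; size_t len, pos; } chunk_reader;
/* Plays the role of png_error(): abandon the chunk and unwind to the caller's setjmp(). */
static void read_error(chunk_reader *r) { longjmp(r->jmp, 1); }

static void read_bytes(chunk_reader *r, uint8_t *dst, size_t n) {
    if (r->pos + n > r->len) read_error(r);  /* truncated input -> "Read Error" */
    memcpy(dst, r->data + r->pos, n); r->pos += n;
}

/* Leaky: the buffer is owned before the chunk's trailing CRC is read, so a
 * truncated chunk unwinds through read_error() with the block still live. */
static void handle_chunk_leaky(chunk_reader *r, uint32_t payload_len) {
    uint8_t *buf = track_malloc(payload_len), crc[4];
    read_bytes(r, buf, payload_len);
    read_bytes(r, crc, 4);
    track_free(buf);
}

/* Fixed: prove the whole chunk (payload + 4-byte CRC) is present before
 * owning heap memory, so no unwind can happen between malloc and free. */
static void handle_chunk_fixed(chunk_reader *r, uint32_t payload_len) {
    if (r->pos + payload_len + 4 > r->len) read_error(r);
    uint8_t *buf = track_malloc(payload_len), crc[4];
    read_bytes(r, buf, payload_len);
    read_bytes(r, crc, 4);
    track_free(buf);
}

/* Runs one handler over a constructed chunk whose CRC is missing, catching
 * the unwind the way pnginfo's setjmp() does; returns blocks still live. */
static int leaked_blocks_after_truncated_chunk(void (*h)(chunk_reader *, uint32_t)) {
    static const uint8_t truncated[] = { 'M', 'M', 0, 42 };  /* 4-byte payload, no CRC */
    chunk_reader r = { .data = truncated, .len = sizeof truncated, .pos = 0 };
    live_blocks = 0;
    if (setjmp(r.jmp) == 0) h(&r, 4);
    return live_blocks;  /* 1 for handle_chunk_leaky, 0 for handle_chunk_fixed */
}
```

In a long-lived process that keeps decoding untrusted images after each caught error, the leaky variant's one block per bad file is exactly what accumulates into the denial of service noted above.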