Message-ID: <01ff01cb1c58$82d46b10$887d4130$@net>
Date: Mon, 5 Jul 2010 08:41:17 -0700
From: "John Bowler" <jbowler@...ntiernet.net>
To: <oss-security@...ts.openwall.com>, "'PNG/MNG implementation discussion list'" <png-mng-implement@...ts.sourceforge.net>
Subject: RE: [png-mng-implement] CVE Request -- libpng v1.4.3 and v1.2.44 -- memory leak while processing PNG image with malformed sCAL chunks

From: Marcus Meissner [mailto:meissner@...e.de]
>> > > [b], memory-leak bug, involving images with malformed sCAL chunks,
>> > > which could lead to an application crash.
>> oss-sec, png-mng-implement ... do you have test images or a reproducer for the sCAL issue?
>
> As found on:
> http://code.google.com/p/chromium/issues/detail?id=45983
>
> The sample crashing PNG is:
> http://www.ee.oulu.fi/~aki/spark.png

That doesn't show issue [b] - the sCAL leak. The original demonstration was provided by a program to generate the test image, because the test image is somewhat large (20MByte with the default settings). Unfortunately the original program didn't compile, but it's easy to fix (it used a piece of non-exported libpng data, but that data is just the string "sCAL".) I guess I can post the fixed version, but I'd prefer permission of the person to post it - Vegard Nossum.

The "sample crashing PNG" was generated by radamsa using the 'surfy' fuzzer on the PNGSuite test images to generate broken images. I've subsequently run radamsa using all the fuzzers and more images without finding more problems, but the more input images that are used the more likely problems will be detected (since there are more patterns for radamsa to find and tweak.)

Radamsa is a Scheme program that, unfortunately, requires its own specific Scheme compiler "owl-lisp" (i.e. it won't compile against Scheme48 and its libraries.) However, there's a self-contained binary distribution (it contains all the owl libraries required).

More information is here: http://code.google.com/p/ouspg/wiki/Radamsa

This includes how to download and compile the binary (the download is a decimal encoded Scheme/LISP heap). The source is somewhat bleeding-edge - I eventually found that I could build radamsa r260 with owl-lisp r83, but that was a long long time ago - June 21. I also found that I still had to use a binary of owl-lisp to bootstrap it, but by then I was pretty much convinced that it was probably safe ;-)

John Bowler <jbowler@....org>
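As an added, defender-side example (not part of this mail, of libpng, or of the reproducer discussed above), here is a small Python check that walks a PNG's chunks and flags sCAL chunks that break the spec's rules (at most one per image, placed before IDAT, unit byte 1 or 2, two NUL-separated positive ASCII floats), so such files can be rejected before an image decoder sees them; the sample images it builds are constructed inline and are not the files linked above.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# sCAL width/height: positive ASCII floating-point numbers (PNG spec syntax)
_FLOAT_RE = re.compile(rb"^\+?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")

def _chunk(ctype, payload):
    """Build one chunk (length, type, data, CRC); used only for the constructed samples."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def _chunks(data):
    """Yield (type, payload) for each chunk after the signature; CRCs are not verified here."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length + type + data + CRC

def check_scal(data):
    """Return a list of sCAL problems; an empty list means the sCAL usage is well-formed."""
    problems, scal_count, seen_idat = [], 0, False
    for ctype, payload in _chunks(data):
        if ctype == b"IDAT":
            seen_idat = True
        if ctype != b"sCAL":
            continue
        scal_count += 1
        if seen_idat:
            problems.append("sCAL chunk after IDAT")
        if not payload or payload[0] not in (1, 2):
            problems.append("sCAL unit is not 1 (meter) or 2 (radian)")
        fields = payload[1:].split(b"\x00")
        if len(fields) != 2 or not all(_FLOAT_RE.match(f) for f in fields):
            problems.append("sCAL width/height are not two NUL-separated ASCII floats")
    if scal_count > 1:
        problems.append(f"{scal_count} sCAL chunks present, only one is permitted")
    return problems
# Constructed 1x1 grayscale samples; these are not the images referenced in the mail.
_IHDR = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
_IDAT = _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
_IEND = _chunk(b"IEND", b"")
GOOD_PNG = PNG_SIGNATURE + _IHDR + _chunk(b"sCAL", b"\x01" + b"0.01\x000.01") + _IDAT + _IEND
BAD_SCAL = _chunk(b"sCAL", b"\x07" + b"0.01")  # bad unit byte and missing NUL separator
BAD_PNG = PNG_SIGNATURE + _IHDR + BAD_SCAL + _IDAT + BAD_SCAL + _IEND
```

The check only enforces the chunk's documented syntax and placement; it does not claim to recognise every input that triggered the leak described in this thread.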