We found with our fuzzer that FLIF may crash when calling libpng12 png_create_read_struct_2 with some invalid PNG files (CRC error). From a gdb backtrace, it looks like:
(gdb) run ./Output/crashes/FLIF_libpng12.png --overwrite /dev/null
Starting program: /home/gqy/Desktop/FLIF-Fuzz/install/usr/local/bin/flif ./Output/crashes/FLIF_libpng12.png --overwrite /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning: expected ".png", ".pnm" or ".pam" file name extension for input file, trying anyway...
This does not look like a PNM file.
libpng error: PNG unsigned integer out of range.
Program received signal SIGABRT, Aborted.
0x00007ffff6318428 in __GI_raise (sig=sig@entry=6)
at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff6318428 in __GI_raise (sig=sig@entry=6)
at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff631a02a in __GI_abort () at abort.c:89
#2 0x00007ffff6c54a49 in png_create_read_struct_2 ()
from /lib/x86_64-linux-gnu/libpng12.so.0
#3 0x00007fffffffd9f0 in ?? ()
#4 0x000061600000ed80 in ?? ()
#5 0x00007fffffffda3c in ?? ()
#6 0x00007fffffffd4b0 in ?? ()
#7 0x00000000004af25a in image_load_png(char const*, Image&, metadata_options&) ()
#8 0x00000000004aabde in Image::load(char const*, metadata_options&) ()
#9 0x000000000048bfdf in encode_load_input_images(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) ()
#10 0x000000000049a095 in handle_encode(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) ()
#11 0x000000000040793e in main ()
PoC file:
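As an added triage helper (not code from FLIF or libpng), the following validator walks a PNG's chunk framing and reports the two structural defects named in this report, a CRC mismatch and a chunk length above the 2^31-1 limit that triggers libpng's "PNG unsigned integer out of range" error, so that such files can be flagged before they reach a decoder whose default error path aborts the process. The sample PNG bytes are constructed inline; the function and constant names are my own.

```python
import struct
import zlib
from typing import List

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_UINT_31_MAX = 0x7FFFFFFF  # PNG spec: chunk length must not exceed 2^31-1


def validate_png_chunks(data: bytes) -> List[str]:
    """Return a list of framing problems; an empty list means lengths and CRCs are sound.

    Only chunk structure is checked; pixel data is never decompressed or decoded.
    """
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["bad PNG signature"]
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if len(data) - pos < 12:  # 4 length + 4 type + 4 CRC is the minimum chunk
            findings.append(f"truncated chunk header at offset {pos}")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > PNG_UINT_31_MAX:
            # Same condition libpng rejects as "PNG unsigned integer out of range".
            findings.append(f"chunk {ctype!r} at offset {pos}: length {length:#x} exceeds 2^31-1")
            break
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            findings.append(f"chunk {ctype!r} at offset {pos}: length {length} runs past end of file")
            break
        stored_crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        actual_crc = zlib.crc32(data[pos + 4:body_end]) & 0xFFFFFFFF  # CRC covers type + body
        if stored_crc != actual_crc:
            findings.append(f"chunk {ctype!r} at offset {pos}: CRC {stored_crc:#010x} != computed {actual_crc:#010x}")
        pos = body_end + 4
        if ctype == b"IEND":
            break
    return findings


def build_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one well-formed chunk (length, type, body, CRC)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


# Constructed samples: a minimal 1x1 greyscale header, then two corrupted variants.
IHDR = build_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IEND = build_chunk(b"IEND", b"")
GOOD_PNG = PNG_SIGNATURE + IHDR + IEND
BAD_CRC_PNG = PNG_SIGNATURE + IHDR[:-1] + bytes([IHDR[-1] ^ 0xFF]) + IEND  # last CRC byte flipped
BAD_LEN_PNG = PNG_SIGNATURE + b"\xff\xff\xff\xff" + IHDR[4:] + IEND       # length field 0xFFFFFFFF
```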