heap-buffer-overflow in png_set_text_2

[cuanduo]

in my research in FLIF, a craft file can cause a heap overflow in libpng. I wonder wheather it is the bug with FLIF or libpng. flif --overwrite -d $poc out.png poc.zip

asan output

root@ubuntu:/home/tim/fuzz/FLIF# /home/tim/FLIF/src/flif --overwrite -d /home/tim/poc out.png
Warning: expected file name extension ".flif" for input file, trying anyway...
Invalid tree. Aborting tree decoding.
File probably truncated in the middle of MANIAC tree representation. Interpolating.
File ended prematurely or decoding was interrupted.
=================================================================
==9757==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000001727 at pc 0x7fe78347966e bp 0x7ffd0507fb90 sp 0x7ffd0507f338
READ of size 1192 at 0x61a000001727 thread T0
    #0 0x7fe78347966d  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
    #1 0x7fe782e1f448 in png_set_text_2 /home/tim/libpng/pngset.c:898
    #2 0x7fe782e1f02e in png_set_text /home/tim/libpng/pngset.c:766
    #3 0x561dfa0cb0bf in image_save_png image/image-png.cpp:424
    #4 0x561dfa0d2cda in Image::save(char const*) const image/image.cpp:70
    #5 0x561dfa08923b in handle_decode /home/tim/FLIF/src/flif.cpp:418
    #6 0x561dfa08923b in main /home/tim/FLIF/src/flif.cpp:766
    #7 0x7fe783058b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x561dfa0c4459 in _start (/home/tim/FLIF/src/flif+0x68459)

0x61a000001727 is located 0 bytes to the right of 1191-byte region [0x61a000001280,0x61a000001727)
allocated by thread T0 here:
    #0 0x7fe783506f40 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef40)
    #1 0x561dfa180797 in lodepng_realloc ../extern/lodepng.cpp:70
    #2 0x561dfa180797 in ucvector_reserve(ucvector*, unsigned long) [clone .isra.3] [clone .lto_priv.255] ../extern/lodepng.cpp:218

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d) 
Shadow bytes around the buggy address:
  0x0c347fff8290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff82a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff82b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff82e0: 00 00 00 00[07]fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9757==ABORTING
root@ubuntu:/home/tim/fuzz/FLIF# 

[cuanduo]

i think flif in image/image-png.cpp:409 png_bytep profile is not set correctly.

405 #if ((PNG_LIBPNG_VER_MAJOR << 8) | PNG_LIBPNG_VER_MINOR << 0) < \
406     ((1 << 8) | (5 << 0))
407       png_charp profile;
408 #else  // >= libpng 1.5.0
409       png_bytep profile;
410 #endif
411    if (image.get_metadata("iCCP", (unsigned char **) (&profile), &length)) {
412     png_set_iCCP(png_ptr, info_ptr,  (png_charp) "icc", 0, profile, length);
413     free(profile);
414    }
415    if (image.get_metadata("eXmp", (unsigned char **) (&profile), &length)) {
416 #ifdef PNG_iTXt_SUPPORTED
417     png_text txt;
418     txt.key = (png_charp) "XML:com.adobe.xmp";
419     txt.compression = PNG_ITXT_COMPRESSION_zTXt;
420     txt.text_length = 0;
421     txt.text = (png_charp) profile;
422     txt.lang = NULL;
423     txt.lang_key = NULL;
424     png_set_text(png_ptr, info_ptr, &txt, 1);

[dd8]

png_set_text() expects txt.text to be NUL terminated - it calls strlen(txt.text) to work out the length of text, but the buffer returned by image.get_metadata() which calls lodepng_inflate() isn't guaranteed to be NUL terminated, which causes a buffer over-read.