pngdetail hangs at lodepng_strlen()

[seungwoos]

Hi,

I found that pngdetail of commit 9652b36 hangs with the attached PNG file (hang01.png).

Here’s the stacktrace observed by GDB when the program hangs:

#0  lodepng_chunk_type_equals () at lodepng.cpp:2479
#1  lodepng_chunk_find_const () at lodepng.cpp:2551
#2  0x000055555567f44f in Data::loadInspect () at pngdetail.cpp:188
#3  0x000055555566fd7d in showHeaderInfo () at pngdetail.cpp:1072
#4  0x000055555567e1db in showInfos ()  at pngdetail.cpp:1282
#5  0x0000555555558ae4 in main ()  at pngdetail.cpp:1407

I suspect that the execution is stuck in an infinite loop.

This hang was observed on Ubuntu 18.04.3 with kernel 4.15.0-72-generic x86_64. I found this using AFL fuzzer. hang01.png was originated from the PNG samples of AFL-2.52b.

Hope this help.

[zvezdochiot]

@kimddeum say:

Hope this help.

You can set all flags to false before: https://github.com/lvandeve/lodepng/blob/9652b36175737fbec20c3cfbfcaaa4b4807ea26f/pngdetail.cpp#L1407 and include them one at a time to clarify the problem.

[lvandeve]

Thanks for reporting this! Should be fixed with commit https://github.com/lvandeve/lodepng/commit/2febfe0d105822575328759dd950c8a24b0ad6b3