Open PromptFuzz opened 1 year ago
I suggest you submit a small program and the input file that will repro this. As reported the bug is incredible.
@jbowler Hi, I have provided the PoC program and PoC input at: timeout_poc.tar.gz
You can reproduce this issue by running:
poc.out timeout-f74021412fba530904cddd63e3033f1527d52d76
You need to remove that file, it is reported by Chrome as containing a virus. I've separately reported this to github.com
Please do not post compiled programs here. They are not useful in bug reports. What I'm asking for is a simple example which compiles, links, runs and demonstrates the problem. A program of this size is likely to be inappropriate even if you provide the source code.
But apart from that your code is wrong; your read function does no error handling so when it reaches the end of the file (which it does because the enormous IDAT at the end is truncated) it just keeps on reading.
@ctruta: application bug (bad read function)
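The point jbowler makes above is that a libpng read callback must never return with an unfilled buffer: on a truncated file it has to report the short read (via png_error, which longjmps back to the caller) rather than silently returning, or libpng keeps asking for data that never arrives. The following is an added example written for this thread, not code from the PoC or from libpng itself. The portable part (read_exact, demo_truncated) compiles on its own; the libpng wrapper checked_read_fn is an assumption about how the callback would be wired up with png_set_read_fn and is compiled only with -DUSE_LIBPNG -lpng.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read exactly `len` bytes from fp into buf.
 * Returns 0 on success, -1 if the stream ends or fails before `len` bytes
 * arrive. A callback that ignores this distinction hands libpng a partially
 * filled buffer and is asked for more, which is the "keeps on reading"
 * behaviour described in this thread. */
static int read_exact(FILE *fp, unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        size_t n = fread(buf + got, 1, len - got, fp);
        if (n == 0)            /* EOF or I/O error: short read */
            return -1;
        got += n;
    }
    return 0;
}

#ifdef USE_LIBPNG
#include <png.h>
/* Hypothetical read callback for png_set_read_fn (assumption: the FILE*
 * was registered as io_ptr). On a short read it calls png_error, which
 * longjmps to the png_jmpbuf the caller set up, so png_read_png aborts
 * cleanly instead of spinning on a truncated IDAT. */
static void checked_read_fn(png_structp png_ptr, png_bytep data, size_t length)
{
    FILE *fp = (FILE *)png_get_io_ptr(png_ptr);
    if (read_exact(fp, data, length) != 0)
        png_error(png_ptr, "truncated PNG: short read");
}
#endif

/* Constructed test scenario: a temp file of `file_len` bytes stands in for
 * a truncated input; we try to pull `want` bytes out of it.
 * Returns read_exact's result, or -2 if the temp file could not be made. */
int demo_truncated(size_t file_len, size_t want)
{
    FILE *fp = tmpfile();
    if (!fp)
        return -2;
    for (size_t i = 0; i < file_len; i++)
        fputc((int)(i & 0xff), fp);
    rewind(fp);

    unsigned char *buf = malloc(want ? want : 1);
    int rc = read_exact(fp, buf, want);
    free(buf);
    fclose(fp);
    return rc;
}

int main(void)
{
    printf("complete read:  %d\n", demo_truncated(16, 16)); /* 0 */
    printf("truncated read: %d\n", demo_truncated(16, 32)); /* -1 */
    return 0;
}
```

The key design choice is that the short-read condition is surfaced as a hard error at the callback boundary; libpng has no way to recover from a reader that returns without filling the buffer, so failing there is what turns the hang into a clean "truncated file" error.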
Summary
An infinite loop bug was found in png_read_png. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted PNG file.
POC
POC input
timeout-f74021412fba530904cddd63e3033f1527d52d76
Version
Found on version of 2023/06/07. Reproducible on the master branch.
Compile commands
Compile the poc program
Reproduce Step
Additional Information
When the variable i = 0xff (image_height = 0x100) in the loop from lines 751-755, the call png_read_row(png_ptr, *rp, NULL); will hang. The program finally hangs at the loop below.
Stack trace