Package: libpng16-16
Severity: important

Dear Maintainer,
Hi, there is an endless loop in libpng 1.6-1.6.26 as provided by testing, which could be abused for a Denial of Service attack. As far as I can see, it is caused by the following bad error handling of the inflate. For most errors with the zlib stream the function png_read_IDAT_data() will return to the caller, but if the ADLER32 checksum is corrupt, it will stay in an infinite loop.

In libpng1.6-1.6.26/pngrutil.c:4079

      /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
       * process. If the LZ stream is truncated the sequential reader will
       * terminally damage the stream, above, by reading the chunk header of the
       * following chunk (it then exits with png_error).
       *
       * TODO: deal more elegantly with truncated IDAT lists.
       */
      ret = PNG_INFLATE(png_ptr, Z_NO_FLUSH);

      /* Take the unconsumed output back. */
      if (output != NULL)
         avail_out += png_ptr->zstream.avail_out;

      else /* avail_out counts the extra bytes */
         avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;

      png_ptr->zstream.avail_out = 0;

In case that the output is NULL (inflate failed), we increase the available output again.

      if (output != NULL)
      {
         if(!strncmp(png_ptr->zstream.msg,"incorrect data check",20))
         {
            png_chunk_benign_error(png_ptr, "ADLER32 checksum mismatch");
            continue;

If the inflate failed because of a checksum error, we continue with the loop.

   } while (avail_out > 0);

Which will not finish, since avail_out is always increased to the original value again.

The issue is fixed upstream with commit https://github.com/glennrp/libpng/commit/d65a92b951079d315e17e20ba9e7b8423d19397e as well as in the version in unstable, libpng16-16 (1.6.28-1).
Regards,
Eric

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
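The following is an added example, not code from the report or from libpng. It is a deliberately small model of the do/while loop described above, written to show why a `continue` taken after the ADLER32 benign error can never terminate: `continue` in a do/while jumps straight to the `while (avail_out > 0)` test, and because inflate produced no output, the "unconsumed output" handed back restores avail_out to its previous value every time. The names prefixed `model_` (`model_zstream`, `model_inflate`, `model_read_idat`) are constructed for this illustration; the stub inflate only mimics the two outcomes the loop cares about, and the `stop_on_checksum_error` variant is an illustrative fix, not a copy of the upstream commit. The iteration cap is how the model reports a hang instead of actually hanging.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_Z_STREAM_END   1
#define MODEL_Z_DATA_ERROR  (-3)   /* same value zlib uses for Z_DATA_ERROR */

/* Assumed stand-in for z_stream: only the fields the loop in the report touches. */
struct model_zstream {
    unsigned avail_out;      /* output space offered to inflate */
    const char *msg;         /* error text set by inflate on failure */
    int checksum_corrupt;    /* constructed input: the ADLER32 trailer is wrong */
};

/* Stand-in for PNG_INFLATE(). A corrupt ADLER32 makes zlib fail with the
 * message "incorrect data check" and leave avail_out untouched, because no
 * further output is produced; otherwise the stream ends cleanly. */
static int model_inflate(struct model_zstream *z)
{
    if (z->checksum_corrupt) {
        z->msg = "incorrect data check";
        return MODEL_Z_DATA_ERROR;
    }
    z->msg = NULL;
    z->avail_out = 0;
    return MODEL_Z_STREAM_END;
}

/* Simplified model of the do/while loop in png_read_IDAT_data(). Returns the
 * number of iterations the loop ran, or -1 once it passes max_iter, which is
 * the model's way of reporting the hang. stop_on_checksum_error == 0 keeps
 * the `continue` from the reported code; 1 leaves the loop instead (an
 * illustrative fix, not the upstream change). */
static long model_read_idat(unsigned avail_out, int checksum_corrupt,
                            int stop_on_checksum_error, long max_iter)
{
    struct model_zstream z = { 0, NULL, checksum_corrupt };
    long iterations = 0;

    do {
        if (++iterations > max_iter)
            return -1;

        /* Offer the remaining output space to zlib (the real loop caps it at
         * ZLIB_IO_MAX per call; a single chunk is enough for the model). */
        z.avail_out = avail_out;
        avail_out = 0;

        int ret = model_inflate(&z);

        /* "Take the unconsumed output back." */
        avail_out += z.avail_out;
        z.avail_out = 0;

        if (ret == MODEL_Z_DATA_ERROR && z.msg != NULL &&
            strncmp(z.msg, "incorrect data check", 20) == 0) {
            /* png_chunk_benign_error() would be reported here. */
            if (stop_on_checksum_error)
                break;          /* illustrative fix: done with this stream */
            continue;           /* reported code: jumps straight to the while
                                   test, and avail_out is back to its old value */
        }

        if (ret == MODEL_Z_STREAM_END)
            break;
    } while (avail_out > 0);

    return iterations;
}

int main(void)
{
    printf("clean stream:                %ld iteration(s)\n",
           model_read_idat(4096, 0, 0, 100000));
    printf("corrupt ADLER32, continue:   %ld (-1 = never terminates)\n",
           model_read_idat(4096, 1, 0, 100000));
    printf("corrupt ADLER32, leave loop: %ld iteration(s)\n",
           model_read_idat(4096, 1, 1, 100000));
    return 0;
}
```

The same structure is worth checking in any retry loop around a decoder: if the error path neither consumes input nor reduces the remaining-work counter before re-entering the loop condition, a single corrupt trailer is enough to pin a CPU. A bounded iteration count, as the model uses, is also a cheap way to turn such a hang into a test failure during fuzzing of a parser.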