libpng: memory leak in png_handle_eXIf() in case of CRC error
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libpng1.6 (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Package:
ii libpng16-16:amd64 1.6.37-2 amd64 PNG library - runtime (version 1.6)
$ lsb_release -a
LSB Version: core-11.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
On the attached file, coming from https:/
valgrind --leak-check=full pnginfo clusterfuzz-
==3631607== Memcheck, a memory error detector
==3631607== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3631607== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==3631607== Command: pnginfo clusterfuzz-
==3631607==
clusterfuzz-
libpng warning: eXIf: CRC error
libpng error: Read Error
Could not set PNG jump value
==3631607==
==3631607== HEAP SUMMARY:
==3631607== in use at exit: 2,107,548 bytes in 5 blocks
==3631607== total heap usage: 7 allocs, 2 frees, 2,112,668 bytes allocated
==3631607==
==3631607== 4 bytes in 1 blocks are definitely lost in loss record 1 of 5
==3631607== at 0x483B7F3: malloc (in /usr/lib/
==3631607== by 0x4886397: png_malloc_warn (in /usr/lib/
==3631607== by 0x4895CD0: ??? (in /usr/lib/
==3631607== by 0x488A15D: png_read_info (in /usr/lib/
==3631607== by 0x10947C: ??? (in /usr/bin/pnginfo)
==3631607== by 0x109175: ??? (in /usr/bin/pnginfo)
==3631607== by 0x48D90B2: (below main) (libc-start.c:308)
The issue is present in libpng 1.6.37, but no longer in the master branch of https:/
https:/
Marking this as a security issue, as it could cause a denial of service in a situation where a long-living process would be exposed to broken images.
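A simplified C model of the error path named in the title, added here as an illustration and not libpng's own code: a handler allocates a buffer for the eXIf payload, then hits a CRC mismatch and returns early. The `free_on_crc_error` switch contrasts the leaky return with the assumed fix of releasing the buffer before returning; the names `png_crc32`, `handle_eXIf` and `make_eXIf_chunk`, the `exif_info` struct and the sample chunk are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for the png_info field that matters here (constructed model). */
typedef struct { uint8_t *eXIf_buf; } exif_info;
/* PNG CRC-32 (reflected, polynomial 0xEDB88320) over chunk type + data. */
static uint32_t png_crc32(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Handle one eXIf chunk: 4-byte type, `length` data bytes, 4-byte BE CRC.
 * Returns 0 on success, 1 on CRC error. free_on_crc_error == 0 models the
 * leaky pattern (allocation kept on the error return), == 1 models the fix. */
int handle_eXIf(exif_info *info, const uint8_t *chunk, size_t length,
                int free_on_crc_error)
{
    info->eXIf_buf = malloc(length);              /* like png_malloc_warn */
    if (info->eXIf_buf == NULL)
        return 1;
    memcpy(info->eXIf_buf, chunk + 4, length);    /* like png_crc_read */
    const uint8_t *p = chunk + 4 + length;
    uint32_t stored = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                      ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    if (png_crc32(chunk, 4 + length) != stored) { /* like png_crc_finish */
        if (free_on_crc_error) {                  /* fixed: release before return */
            free(info->eXIf_buf);
            info->eXIf_buf = NULL;
        }
        return 1; /* leaky variant returns with eXIf_buf still allocated */
    }
    return 0; /* success path: caller consumes and frees eXIf_buf */
}
/* Build a constructed eXIf chunk into `out`; bad_crc corrupts the CRC. */
size_t make_eXIf_chunk(uint8_t *out, const uint8_t *data, size_t len, int bad_crc)
{
    memcpy(out, "eXIf", 4);
    memcpy(out + 4, data, len);
    uint32_t crc = png_crc32(out, 4 + len) ^ (bad_crc ? 1u : 0u);
    out[4 + len] = (uint8_t)(crc >> 24); out[5 + len] = (uint8_t)(crc >> 16);
    out[6 + len] = (uint8_t)(crc >> 8);  out[7 + len] = (uint8_t)crc;
    return 8 + len;
}
```

Wrapped in a main that feeds the leaky variant a chunk with a corrupted CRC, `valgrind --leak-check=full` reports a "definitely lost" record of the same shape as the one in the trace above.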