SIGIOT encode error on a crafted PNG
hongxuchen opened this issue · 2 comments
hongxuchen commented
On commit b530b94, the examples/example utility may crash with a SIGIOT when running `./examples/example iot.png`.
```
width: 131
height: 1
bit depth: 4
color type: 0 - grayscale
compression method: 0
filter method: 0
interlace method: 1
free(): invalid pointer
[1] 1727648 IOT instruction ./examples/example ~/fuzzing/projects/libspng/out/iot.png
```
Attachment: iot.png.zip (PNG zipped, to avoid GitHub displaying the image file)
A valgrind result shows that it may be caused by an invalid write.
```
==213797==
==213797== Invalid write of size 8
==213797== at 0x484D73B: memset (vg_replace_strmem.c:1270)
==213797== by 0x49CFB21: encode_row (spng.c:4603)
==213797== by 0x49D291F: spng_encode_image (spng.c:4816)
==213797== by 0x10B329: main (example.c:226)
==213797== Address 0x5965fb0 is 64 bytes inside a block of size 66 alloc'd
==213797== at 0x4843839: malloc (vg_replace_malloc.c:380)
==213797== by 0x49A263D: spng__malloc (spng.c:395)
==213797== by 0x49D1570: spng_encode_image (spng.c:4753)
==213797== by 0x10B329: main (example.c:226)
==213797==
{
<insert_a_suppression_name_here>
Memcheck:Addr8
fun:memset
fun:encode_row
fun:spng_encode_image
fun:main
}
==213797== Invalid write of size 8
==213797== at 0x484D73F: memset (vg_replace_strmem.c:1270)
==213797== by 0x49CFB21: encode_row (spng.c:4603)
==213797== by 0x49D291F: spng_encode_image (spng.c:4816)
==213797== by 0x10B329: main (example.c:226)
==213797== Address 0x5965fb8 is 6 bytes after a block of size 66 alloc'd
==213797== at 0x4843839: malloc (vg_replace_malloc.c:380)
==213797== by 0x49A263D: spng__malloc (spng.c:395)
==213797== by 0x49D1570: spng_encode_image (spng.c:4753)
==213797== by 0x10B329: main (example.c:226)
==213797==
{
<insert_a_suppression_name_here>
Memcheck:Addr8
fun:memset
fun:encode_row
fun:spng_encode_image
fun:main
}
```
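An added example (not libspng's code and not part of the report) that computes the row sizes implied by the IHDR fields printed above, using the Adam7 pass geometry from the PNG specification: a 131x1 4-bit grayscale image has a 66-byte non-interlaced data row, the same size as the block in the valgrind trace, while its widest non-empty interlaced pass row is 34 bytes including the filter byte. The function and array names are the example's own, and the 131x1 input is constructed from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Adam7 pass geometry (PNG spec 8.2): x/y start offset and step for each pass. */
static const uint32_t adam7_xstart[7] = {0, 4, 0, 2, 0, 1, 0};
static const uint32_t adam7_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
static const uint32_t adam7_xstep[7]  = {8, 8, 4, 4, 2, 2, 1};
static const uint32_t adam7_ystep[7]  = {8, 8, 8, 4, 4, 2, 2};

/* Bytes for one row of `width` pixels, excluding the leading filter-type byte.
   Sub-byte depths (1/2/4 bits) pack several pixels per byte, so round up. */
size_t png_row_bytes(uint32_t width, uint8_t bit_depth, uint8_t channels)
{
    uint64_t bits = (uint64_t)width * bit_depth * channels;
    return (size_t)((bits + 7) / 8);
}

/* Width/height of Adam7 pass `pass` (0..6). Passes can be empty for small images. */
void adam7_pass_dims(uint32_t width, uint32_t height, int pass,
                     uint32_t *pw, uint32_t *ph)
{
    *pw = width > adam7_xstart[pass]
        ? (width - adam7_xstart[pass] + adam7_xstep[pass] - 1) / adam7_xstep[pass] : 0;
    *ph = height > adam7_ystart[pass]
        ? (height - adam7_ystart[pass] + adam7_ystep[pass] - 1) / adam7_ystep[pass] : 0;
}

/* Largest row buffer any non-empty pass needs, incl. the filter-type byte. For a
   1-row image passes 3, 5 and 7 are empty, so the widest surviving row is pass 6's. */
size_t max_interlaced_row_bytes(uint32_t width, uint32_t height,
                                uint8_t bit_depth, uint8_t channels)
{
    size_t max = 0;
    for (int pass = 0; pass < 7; pass++) {
        uint32_t pw, ph;
        adam7_pass_dims(width, height, pass, &pw, &ph);
        if (pw == 0 || ph == 0) continue;   /* empty pass: no rows are emitted */
        size_t need = 1 + png_row_bytes(pw, bit_depth, channels);
        if (need > max) max = need;
    }
    return max;
}

int main(void)
{
    /* Constructed from the IHDR fields in the report: 131x1, 4-bit grayscale, Adam7. */
    printf("non-interlaced row: %zu data bytes; largest pass row incl. filter byte: %zu\n",
           png_row_bytes(131, 4, 1), max_interlaced_row_bytes(131, 1, 4, 1));
    return 0;
}
```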
randy408 commented
Should be fixed by #197.
Next time please report security issues over e-mail: contact@libspng.org.
hongxuchen commented
Fixed for my cases.
OK, will report over the email.