randy408/libspng

SIGIOT encode error on a crafted PNG

hongxuchen opened this issue · 2 comments

On commit b530b94, the examples/example utility may crash with a SIGIOT when running ./examples/example iot.png.

width: 131
height: 1
bit depth: 4
color type: 0 - grayscale
compression method: 0
filter method: 0
interlace method: 1
free(): invalid pointer
[1]    1727648 IOT instruction  ./examples/example ~/fuzzing/projects/libspng/out/iot.png

iot.png.zip
(png zipped, to avoid github displaying the image file)

A valgrind result shows that it may be caused by an invalid write.

==213797==
==213797== Invalid write of size 8
==213797==    at 0x484D73B: memset (vg_replace_strmem.c:1270)
==213797==    by 0x49CFB21: encode_row (spng.c:4603)
==213797==    by 0x49D291F: spng_encode_image (spng.c:4816)
==213797==    by 0x10B329: main (example.c:226)
==213797==  Address 0x5965fb0 is 64 bytes inside a block of size 66 alloc'd
==213797==    at 0x4843839: malloc (vg_replace_malloc.c:380)
==213797==    by 0x49A263D: spng__malloc (spng.c:395)
==213797==    by 0x49D1570: spng_encode_image (spng.c:4753)
==213797==    by 0x10B329: main (example.c:226)
==213797==
{
   <insert_a_suppression_name_here>
   Memcheck:Addr8
   fun:memset
   fun:encode_row
   fun:spng_encode_image
   fun:main
}
==213797== Invalid write of size 8
==213797==    at 0x484D73F: memset (vg_replace_strmem.c:1270)
==213797==    by 0x49CFB21: encode_row (spng.c:4603)
==213797==    by 0x49D291F: spng_encode_image (spng.c:4816)
==213797==    by 0x10B329: main (example.c:226)
==213797==  Address 0x5965fb8 is 6 bytes after a block of size 66 alloc'd
==213797==    at 0x4843839: malloc (vg_replace_malloc.c:380)
==213797==    by 0x49A263D: spng__malloc (spng.c:395)
==213797==    by 0x49D1570: spng_encode_image (spng.c:4753)
==213797==    by 0x10B329: main (example.c:226)
==213797==
{
   <insert_a_suppression_name_here>
   Memcheck:Addr8
   fun:memset
   fun:encode_row
   fun:spng_encode_image
   fun:main
}

iot.valgrind.txt
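The numbers in the valgrind report can be checked by hand: a 131-pixel, 4-bit, single-channel scanline packs to ceil(131 * 4 / 8) = 66 bytes, which is the size of the block spng_encode_image allocated, and the two flagged 8-byte stores start at offsets 64 and 72 of that block, so the memset in encode_row reached at least 7 bytes past its end. The following is an added example (not libspng code and not from the reporter) that computes the packed scanline size and the Adam7 pass geometry for the reported 131x1 interlaced image, measures how far a write lands past an allocation, and shows a hypothetical row-buffer helper (`row_buf_init`/`row_buf_fill`, names assumed here) that sizes the buffer for the widest row it will ever fill and rejects a fill longer than the allocation. The 8-byte fill granularity is an assumption taken from the 8-byte stores in the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Packed scanline length for one row: ceil(width * bits_per_pixel / 8).
   For 131 px, 4-bit grayscale (1 channel) this is 66, the block size in the report. */
size_t scanline_bytes(uint32_t width, unsigned bit_depth, unsigned channels)
{
    uint64_t bits = (uint64_t)width * bit_depth * channels;
    return (size_t)((bits + 7) / 8);
}

/* Adam7 pass grid from the PNG specification: start offset and stride per axis.
   A pass is empty when the image has no pixel on its grid. */
struct adam7_pass { unsigned x0, y0, dx, dy; };
static const struct adam7_pass adam7[7] = {
    {0, 0, 8, 8}, {4, 0, 8, 8}, {0, 4, 4, 8}, {2, 0, 4, 4},
    {0, 2, 2, 4}, {1, 0, 2, 2}, {0, 1, 1, 2},
};

uint32_t pass_width(unsigned pass, uint32_t width)
{
    const struct adam7_pass *p = &adam7[pass];
    return width > p->x0 ? (width - p->x0 + p->dx - 1) / p->dx : 0;
}

uint32_t pass_height(unsigned pass, uint32_t height)
{
    const struct adam7_pass *p = &adam7[pass];
    return height > p->y0 ? (height - p->y0 + p->dy - 1) / p->dy : 0;
}

/* How many bytes a write (offset, length) reaches past a block of alloc_size
   bytes; 0 when it stays in bounds. Matches the "N bytes after a block" arithmetic
   valgrind prints. */
size_t overrun_bytes(size_t alloc_size, size_t write_off, size_t write_len)
{
    size_t end = write_off + write_len;
    return end > alloc_size ? end - alloc_size : 0;
}

/* Hypothetical row buffer (assumed helper, not a libspng API): sized to the widest
   row that will be filled, rounded up to the fill granularity. */
struct row_buf { unsigned char *data; size_t size; };

int row_buf_init(struct row_buf *rb, uint32_t width, uint32_t height,
                 unsigned bit_depth, unsigned channels, int interlaced,
                 size_t fill_granularity)
{
    size_t need = 0;
    if (interlaced) {
        /* Only passes that actually have rows contribute; the full-width
           scanline is always an upper bound on these. */
        for (unsigned p = 0; p < 7; p++) {
            if (pass_height(p, height) == 0) continue;
            size_t n = scanline_bytes(pass_width(p, width), bit_depth, channels);
            if (n > need) need = n;
        }
    } else {
        need = scanline_bytes(width, bit_depth, channels);
    }
    if (fill_granularity > 1)
        need = (need + fill_granularity - 1) / fill_granularity * fill_granularity;
    rb->data = calloc(need ? need : 1, 1);
    rb->size = need;
    return rb->data ? 0 : -1;
}

/* Refuses the fill instead of overrunning when len exceeds the allocation. */
int row_buf_fill(struct row_buf *rb, size_t len, unsigned char value)
{
    if (len > rb->size) return -1;
    memset(rb->data, value, len);
    return 0;
}

/* Convenience wrapper: init, attempt one fill of len bytes, free. Returns the
   fill result, or -2 if allocation failed. */
int check_fill(uint32_t width, uint32_t height, unsigned bit_depth,
               unsigned channels, int interlaced, size_t gran, size_t len)
{
    struct row_buf rb;
    if (row_buf_init(&rb, width, height, bit_depth, channels, interlaced, gran) != 0)
        return -2;
    int rc = row_buf_fill(&rb, len, 0);
    free(rb.data);
    return rc;
}

int main(void)
{
    /* The reported image: 131x1, bit depth 4, grayscale, interlaced. */
    printf("scanline bytes: %zu\n", scanline_bytes(131, 4, 1));
    for (unsigned p = 0; p < 7; p++)
        printf("pass %u: %u x %u\n", p + 1, pass_width(p, 131), pass_height(p, 1));
    printf("write @64 len 8 overruns 66-byte block by %zu\n", overrun_bytes(66, 64, 8));
    printf("write @72 len 8 overruns 66-byte block by %zu\n", overrun_bytes(66, 72, 8));
    return 0;
}
```

Usage: the printed pass table shows that for a 1-row image only Adam7 passes 1, 2, 4 and 6 contain any pixels, and that the widest of them (pass 6, 65 px, 33 bytes) is well under the 66-byte full-width row; any fill that reaches offset 72 is therefore beyond anything the encoder has a legitimate row for.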

Should be fixed by #197.

Next time please report security issues over e-mail: contact@libspng.org.

Fixed for my cases.

OK, will report over e-mail.