New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use after free #275
Comments
I am seeing the same bug on the current master.
Full report:
Discovered by extending a fuzz target on oss-fuzz |
and here is the oss-fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803 |
There are two important conditions that must be met in general:
The fix is simple: call
|
I recommend opening a CVE. The next libpng update will contain this fix. |
Filed a request for a CVE. |
This issue has been assigned CVE-2019-7317. |
Can the affected versions in the CVE be updated? Currently it says it only affects 1.6.36 instead of all versions of 1.6 through 1.6, all versions of 1.4 through ..., etc. |
png_safe_execute() isn't present prior to libpng 1.6 so I guess 1.5.x and older versions are not affected by this? |
Ok, if that's the case then I suggest updating the CVE to say that versions 1.6 through 1.6.36 are affected and having the description explicitly call out that earlier versions are not affected - because people using earlier versions will ask if that's not included. |
Is the patch recommended above by ctruta the accepted fix for CVE-2019-7317? |
I will integrate it in the upcoming libpng-1.6.37. |
until pnggroup/libpng#275 is fixed upstream.
Any chance to submit this patch to the master branch now? |
Which commands should I use for reproducing the bug? Thanks. |
See the comment by @kcc on Feb.1, at the top of this issue. |
Can we then close this one? |
https://salsa.debian.org/debian/libpng1.6/blob/master/debian/patches/series |
Published libpng version 1.6.37, including this fix. |
png_image_free_function (or any other destructor) should never fail. Destructors need not and must not be executed under png_safe_execute. Reference: CVE-2019-7317, use-after-free in png_image_free Upstream commit: pnggroup/libpng@9c0d5c7 pnggroup/libpng#275 Change-Id: I6f2cb07137d6f7f1f4319a377b188adbcc3efae7
png_image_free_function (or any other destructor) should never fail. Destructors need not and must not be executed under png_safe_execute. Reference: CVE-2019-7317, use-after-free in png_image_free Upstream commit: pnggroup/libpng@9c0d5c7 pnggroup/libpng#275 Change-Id: I1f8f39bb80e8be17aaa565c8efc28a93d56b0b12
png_image_free_function (or any other destructor) should never fail. Destructors need not and must not be executed under png_safe_execute. Reference: CVE-2019-7317, use-after-free in png_image_free Upstream commit: pnggroup/libpng@9c0d5c7 pnggroup/libpng#275 Change-Id: Ia833db5acfb172e6f63b404f589492730c8b0217
png_image_free_function (or any other destructor) should never fail. Destructors need not and must not be executed under png_safe_execute. Reference: CVE-2019-7317, use-after-free in png_image_free Upstream commit: pnggroup/libpng@9c0d5c7 pnggroup/libpng#275 Change-Id: I6f2cb07137d6f7f1f4319a377b188adbcc3efae7
png_image_free_function (or any other destructor) should never fail. Destructors need not and must not be executed under png_safe_execute. Reference: CVE-2019-7317, use-after-free in png_image_free Upstream commit: pnggroup/libpng@9c0d5c7 pnggroup/libpng#275 Change-Id: Ia833db5acfb172e6f63b404f589492730c8b0217
png_image_free_function (or any other destructor) should never fail. Destructors need not and must not be executed under png_safe_execute. Reference: CVE-2019-7317, use-after-free in png_image_free Upstream commit: pnggroup/libpng@9c0d5c7 pnggroup/libpng#275 Change-Id: I1f8f39bb80e8be17aaa565c8efc28a93d56b0b12
png_image_free_function (or any other destructor) should never fail. Destructors need not and must not be executed under png_safe_execute. Reference: CVE-2019-7317, use-after-free in png_image_free Upstream commit: pnggroup/libpng@9c0d5c7 pnggroup/libpng#275 Change-Id: Ia833db5acfb172e6f63b404f589492730c8b0217
We ran some tests on an older version of libpng and found a use-after-free bug while running one the test cases. It looks like the bug is still there in the latest code. Here's the output from our tool
DTS_MSG: Stensal DTS detected a fatal program error!
DTS_MSG: Continuing the execution will cause unexpected behaviors, abort!
DTS_MSG: Access the memory block that is freed.
DTS_MSG: Diagnostic information:
Caution: the allocation info is correct only if the freed memory is not reused.
the memory block (start:0xffb4269c, size:24 bytes) was allocated at
file:/home/sbuilder/workspace/stensal/aports/main/libpng/src/libpng-1.6.25/png.c::4451, 16
Stack trace (most recent call first):
-[1] file:/home/sbuilder/workspace/stensal/aports/main/libpng/src/libpng-1.6.25/pngerror.c::954, 4
-[2] file:/home/sbuilder/workspace/stensal/aports/main/libpng/src/libpng-1.6.25/png.c::4517, 13
-[3] file:/home/sbuilder/workspace/stensal/aports/main/libpng/src/libpng-1.6.25/pngread.c::4242, 19
-[4] file:/home/sbuilder/workspace/stensal/aports/main/libpng/src/libpng-1.6.25/contrib/libtests/pngstest.c::3024, 16
-[5] file:/home/sbuilder/workspace/stensal/aports/main/libpng/src/libpng-1.6.25/contrib/libtests/pngstest.c::3120, 11
-[6] file:/home/sbuilder/workspace/stensal/aports/main/libpng/src/libpng-1.6.25/contrib/libtests/pngstest.c::3446, 13
-[7] file:/home/sbuilder/workspace/stensal/aports/main/libpng/src/libpng-1.6.25/contrib/libtests/pngstest.c::3664, 20
-[8] file:/musl-1.1.10/src/env/__libc_start_main.c::180, 11
Basically, png_image_free() calls png_safe_execute(image, png_image_free_function, image). In png_safe_execute you have the following code:
When result is != 0, image is freed, but then image->opaque->error_buf is assigned directly after.
The text was updated successfully, but these errors were encountered: