memory leak in png_create_info_struct #269

Open
zerokeeper opened this Issue Jan 5, 2019 · 4 comments


zerokeeper commented Jan 5, 2019

Hi, libpng team. There is a memory leak in the file png.c:368 of function png_create_info_struct.
The bug is triggered by ./pngcp poc /dev/null

libpng_poc.zip

The ASan debug info is as follows:

=================================================================
==10300==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 360 byte(s) in 1 object(s) allocated from:
#0 0x7fe088bf9602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x422f95 in png_create_info_struct /root/fuzz/libpng-1.6.36/png.c:368

SUMMARY: AddressSanitizer: 360 byte(s) leaked in 1 allocation(s).

libpng/png.c

Lines 352 to 376 in eddf902

/* Allocate the memory for an info_struct for the application. */
PNG_FUNCTION(png_infop,PNGAPI
png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
{
   png_inforp info_ptr;

   png_debug(1, "in png_create_info_struct");

   if (png_ptr == NULL)
      return NULL;

   /* Use the internal API that does not (or at least should not) error out, so
    * that this call always returns ok. The application typically sets up the
    * error handling *after* creating the info_struct because this is the way it
    * has always been done in 'example.c'.
    */
   info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
       (sizeof *info_ptr)));

   if (info_ptr != NULL)
      memset(info_ptr, 0, (sizeof *info_ptr));

   return info_ptr;
}


carnil commented Jan 11, 2019

CVE-2019-6129 was assigned for this issue.


pgajdos commented Jan 14, 2019

$ pngcp libpng_poc /dev/null
libpng_poc: error(libpng): read: Not a PNG file

=================================================================
==30270==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 360 byte(s) in 1 object(s) allocated from:
    #0 0x7f07e0ecced0 in malloc (/usr/lib64/libasan.so.5+0xebed0)
    #1 0x7f07e1d3c23f in png_malloc_base /usr/src/debug/libpng16-1.6.36-0.x86_64/pngmem.c:95
    #2 0x7f07e1d24d55 in png_create_info_struct /usr/src/debug/libpng16-1.6.36-0.x86_64/png.c:368
    #3 0x55806e30a07b in read_png contrib/tools/pngcp.c:1775
    #4 0x55806e30d0b1 in cp_one_file contrib/tools/pngcp.c:2180
    #5 0x55806e30dba4 in cppng contrib/tools/pngcp.c:2288
    #6 0x55806e30e081 in main contrib/tools/pngcp.c:2351
    #7 0x7f07e0a43fea in __libc_start_main (/lib64/libc.so.6+0x22fea)

SUMMARY: AddressSanitizer: 360 byte(s) leaked in 1 allocation(s).
$

Yes, pngcp does not call png_destroy_info_struct() in the error case. I think this is not a security issue at all.


ctruta commented Jan 21, 2019

There are various issues with pngcp. Just FYI, in libpng-1.6.37 I will still focus on fixing core libpng issues. I plan to address the issues with 3rd-party contributed code (like pngcp) after 1.6.37.


hlef commented Jan 21, 2019

Right, there is a memory leak, but the security impact is extremely low if not absent:

  • the memory is leaked during abort(), so in the vast majority of cases there's no leak at all; memory is going to be released by the operating system anyway

  • leaked memory is allocated by pngcp, which passes a pointer to the library, so even if the process does not abort this is not an issue in the library but rather in the code using it. I don't think it is libpng's job to free this buffer
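The cleanup that pgajdos and hlef say the caller is responsible for, shown with an added stand-in model (this is not libpng's or pngcp's code): libpng reports "Not a PNG file" by longjmp'ing to the caller's setjmp point, and whatever the caller obtained from png_create_info_struct is still the caller's to release there via png_destroy_read_struct. The `*_sim` functions below are constructed stand-ins that only track that ownership contract, and `live_allocations` counts what LeakSanitizer would report.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>

static int live_allocations;   /* outstanding heap objects: what LeakSanitizer reports */
typedef struct { jmp_buf jmpbuf; } png_struct_sim;          /* stand-in for png_struct */
typedef struct { unsigned char body[360]; } png_info_sim;   /* 360 bytes, as in the ASan report */

static png_struct_sim *create_read_struct_sim(void) {
   png_struct_sim *p = calloc(1, sizeof *p);
   if (p != NULL) live_allocations++;
   return p;
}
/* Like png_create_info_struct: allocates, returns NULL if png_ptr is NULL. */
static png_info_sim *create_info_struct_sim(png_struct_sim *png_ptr) {
   if (png_ptr == NULL) return NULL;
   png_info_sim *info = calloc(1, sizeof *info);
   if (info != NULL) live_allocations++;
   return info;
}
/* Like png_destroy_read_struct(&png_ptr, &info_ptr, NULL): releases both. */
static void destroy_read_struct_sim(png_struct_sim **pp, png_info_sim **ip) {
   if (*ip != NULL) { free(*ip); *ip = NULL; live_allocations--; }
   if (*pp != NULL) { free(*pp); *pp = NULL; live_allocations--; }
}
/* Like png_read_info on bad input: a failed signature check ends in png_error,
 * which longjmps to the jmp_buf the caller armed with setjmp. */
static void read_info_sim(png_struct_sim *png_ptr, const unsigned char *sig) {
   static const unsigned char png_signature[8] = {137, 'P', 'N', 'G', 13, 10, 26, 10};
   if (memcmp(sig, png_signature, 8) != 0)
      longjmp(png_ptr->jmpbuf, 1);   /* "read: Not a PNG file" */
}

/* Caller modelled on pngcp's read_png. Returns how many structs are still
 * allocated on return; with cleanup_on_error == 0 the bad-file path leaks. */
int read_png(const unsigned char *sig, int cleanup_on_error) {
   live_allocations = 0;
   png_struct_sim *png_ptr = create_read_struct_sim();
   png_info_sim *info_ptr = create_info_struct_sim(png_ptr);
   if (png_ptr == NULL || info_ptr == NULL) {  /* allocation failed: nothing to arm */
      destroy_read_struct_sim(&png_ptr, &info_ptr);
      return live_allocations;
   }
   if (setjmp(png_ptr->jmpbuf) != 0) {        /* landed here from the error path */
      if (cleanup_on_error)
         destroy_read_struct_sim(&png_ptr, &info_ptr);
      return live_allocations;                 /* 2 if the caller forgot, 0 if not */
   }
   read_info_sim(png_ptr, sig);
   destroy_read_struct_sim(&png_ptr, &info_ptr);
   return live_allocations;
}
```

Running the leaky variant under ASan/LSan reproduces the shape of the report in this thread (an allocation from the info-struct creation still live at exit), while the cleanup variant reports nothing.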
