Description
Hi there
We would like to share that the latest version of pdf2swf causes a heap-buffer-overflow when executed with a crafted PNG input.
We assume that the invalid memory access happens due to improper processing of malformed input in png_read_chunk(), in spite of the error handling.
Here is the output of the program with AddressSanitizer attached.
Bug Report
==32129==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x9c000000 bytes
#0 0x7f9ccb581808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x56345b1588fa in png_read_chunk /home/ubuntu/targets/swftools/lib/png.c:63
#2 0x56345b158cab in png_read_header /home/ubuntu/targets/swftools/lib/png.c:106
#3 0x56345b15bc0f in png_load /home/ubuntu/targets/swftools/lib/png.c:498
#4 0x56345b131d40 in MovieAddFrame /home/ubuntu/targets/swftools/src/png2swf.c:494
#5 0x56345b12e2f6 in main /home/ubuntu/targets/swftools/src/png2swf.c:822
#6 0x7f9ccad9e082 in __libc_start_main ../csu/libc-start.c:308
==32129==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 in __interceptor_malloc
==32129==ABORTING
Environment
OS: Ubuntu 20.04.5 LTS
Release: latest commit of master branch on this github
Program: png2swf
How to reproduce
$ png2swf poc-file
poc-file is attached.
poc-file.txt
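The ASan trace shows malloc being called from png_read_chunk with a size of 0x9c000000 bytes, i.e. the chunk length field from the file is passed to the allocator before anything checks whether that many bytes could possibly be present. The following added example (written for this report, not code from swftools or its png.c) shows the defensive shape of a chunk reader that validates the declared length against both a fixed cap and the bytes actually remaining before allocating. The function name png_read_chunk_checked, the cap CHUNK_LEN_MAX and the sample chunk bytes are all assumptions constructed for the example; CRC checking is omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hard cap on the payload this reader is willing to allocate for one chunk.
 * The PNG specification limits the length field to 2^31-1; a decoder may
 * choose a much smaller bound. This value is an assumption for the example,
 * not a value taken from swftools. */
#define CHUNK_LEN_MAX (64u * 1024u * 1024u)

typedef struct {
    char type[5];          /* four-character chunk type, NUL-terminated */
    uint32_t len;          /* payload length as declared in the header */
    unsigned char *data;   /* malloc'd payload, or NULL on failure */
} png_chunk_t;

/* Decode a big-endian 32-bit integer. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one chunk starting at buf[*pos]. Returns 1 on success and advances
 * *pos past the chunk (header + payload + 4-byte CRC). Returns 0 when the
 * header is truncated or the declared length cannot be satisfied by the
 * bytes left in the buffer. Every check runs before malloc is reached. */
int png_read_chunk_checked(const unsigned char *buf, size_t buflen,
                           size_t *pos, png_chunk_t *out) {
    out->data = NULL;
    out->len = 0;
    out->type[0] = '\0';

    if (*pos > buflen || buflen - *pos < 8)
        return 0;                           /* no room for length + type */

    uint32_t len = be32(buf + *pos);
    memcpy(out->type, buf + *pos + 4, 4);
    out->type[4] = '\0';

    if (len > CHUNK_LEN_MAX)
        return 0;                           /* implausibly large chunk */

    size_t remaining = buflen - *pos - 8;   /* bytes after the header */
    if ((size_t)len + 4 > remaining)
        return 0;                           /* payload + CRC not present */

    out->data = malloc(len ? len : 1);      /* safe: len is bounded */
    if (!out->data)
        return 0;
    memcpy(out->data, buf + *pos + 8, len);
    out->len = len;
    *pos += 8 + (size_t)len + 4;
    return 1;
}

/* Constructed sample: a well-formed IHDR chunk (13-byte payload) followed
 * by a placeholder CRC. */
static const unsigned char sample_good[] = {
    0x00, 0x00, 0x00, 0x0d, 'I', 'H', 'D', 'R',
    0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x08, 0x02, 0x00, 0x00, 0x00,
    0xde, 0xad, 0xbe, 0xef
};

/* Constructed sample: a header whose length field claims 0x9c000000 bytes
 * (the figure from the ASan report) with almost no payload behind it. */
static const unsigned char sample_huge[] = {
    0x9c, 0x00, 0x00, 0x00, 'I', 'H', 'D', 'R', 0x00, 0x00, 0x00, 0x00
};

/* Constructed sample: a modest length (13) but the file ends after 5 bytes
 * of payload, so the chunk is truncated. */
static const unsigned char sample_truncated[] = {
    0x00, 0x00, 0x00, 0x0d, 'I', 'H', 'D', 'R', 0x00, 0x00, 0x00, 0x10, 0x00
};

/* Parse a single buffer and report whether it was accepted. */
static int demo_parse(const unsigned char *buf, size_t buflen, uint32_t *len_out) {
    png_chunk_t c;
    size_t pos = 0;
    int ok = png_read_chunk_checked(buf, buflen, &pos, &c);
    if (len_out) *len_out = c.len;
    free(c.data);
    return ok;
}

int demo_good(void)      { return demo_parse(sample_good, sizeof sample_good, NULL); }
int demo_huge(void)      { return demo_parse(sample_huge, sizeof sample_huge, NULL); }
int demo_truncated(void) { return demo_parse(sample_truncated, sizeof sample_truncated, NULL); }

uint32_t demo_good_len(void) {
    uint32_t len = 0;
    demo_parse(sample_good, sizeof sample_good, &len);
    return len;
}

int main(void) {
    printf("well-formed IHDR accepted: %d (len %u)\n", demo_good(), demo_good_len());
    printf("0x9c000000-byte chunk accepted: %d\n", demo_huge());
    printf("truncated chunk accepted: %d\n", demo_truncated());
    return 0;
}
```

The two rejections are deliberately separate: the cap catches lengths that no legitimate chunk would carry, and the remaining-bytes check catches lengths that are plausible in isolation but exceed what the file actually contains. Either check alone would have stopped the allocation in the trace above; together they also cover a truncated file that passes the cap.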