FLIF aborted when reading some invalid png files #515

Open
hongxuchen opened this issue Jun 12, 2018 · 1 comment
hongxuchen commented Jun 12, 2018

We found with our fuzzer that FLIF may crash inside libpng16's png_read_png with some invalid PNG files (CRC error). The gdb backtrace looks like this:

libpng error: IHDR: CRC error
51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
...

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff6464801 in __GI_abort () at abort.c:79
#2  0x00007ffff79a5618 in png_longjmp () from /usr/lib/x86_64-linux-gnu/libpng16.so.16
#3  0x00007ffff79a5687 in png_error () from /usr/lib/x86_64-linux-gnu/libpng16.so.16
#4  0x00007ffff79a5710 in png_chunk_error () from /usr/lib/x86_64-linux-gnu/libpng16.so.16
#5  0x00007ffff79b3cfd in ?? () from /usr/lib/x86_64-linux-gnu/libpng16.so.16
#6  0x00007ffff79b441e in ?? () from /usr/lib/x86_64-linux-gnu/libpng16.so.16
#7  0x00007ffff79aa57e in png_read_info () from /usr/lib/x86_64-linux-gnu/libpng16.so.16
#8  0x00007ffff79acffa in png_read_png () from /usr/lib/x86_64-linux-gnu/libpng16.so.16
#9  0x000000000053e24d in image_load_png (filename=<optimized out>, image=..., options=...) at image/image-png.cpp:98
#10 0x000000000053d3e1 in Image::load (this=0x7fffffffaff0, filename=0x7fffffffbe1c "out/s2/crashes/id:000007,sig:06,src:000008,op:havoc,rep:64", options=...) at image/image.cpp:54
#11 0x000000000051def2 in encode_load_input_images (argc=0x2, argv=0x7fffffffb758, images=std::vector of length 0, capacity 0, options=...) at flif.cpp:230
#12 0x0000000000531308 in handle_encode (argc=<optimized out>, argv=<optimized out>, images=std::vector of length 0, capacity 0, options=...) at flif.cpp:356
#13 main (argc=0x2, argv=0x7fffffffb758) at flif.cpp:763

PoC file:
libpng_issue

$ uname -a
Linux CSL-H5 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ apt show libpng-dev
Package: libpng-dev
Version: 1.6.34-1
Priority: optional
Section: libdevel
Source: libpng1.6
Origin: Ubuntu
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Anibal Monsalve Salazar <[email protected]>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 608 kB
Depends: libpng16-16 (= 1.6.34-1), zlib1g-dev
Recommends: libpng-tools
Conflicts: libpng12-0-dev, libpng12-dev, libpng2-dev, libpng3-dev
Breaks: libpng16-dev (<< 1.6.20-3), libpng16-devtools (<< 1.6.21-1)
Replaces: libpng16-dev (<< 1.6.20-3), libpng16-devtools (<< 1.6.21-1)
Homepage: http://libpng.org/pub/png/libpng.html
Supported: 5y
Download-Size: 177 kB
...

Note also that file (wrongly) reports:

$ file libpng_issue.png
libpng_issue.png: PNG image data, -67108639 x 225, 8-bit
hongxuchen (Author) commented:

Another PoC which contains one byte:
libpng_issue_1
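Added example (not code from the report or from FLIF): a small Python triage check that walks a PNG's chunk structure and verifies each chunk CRC and the IHDR dimensions before the file is handed to a decoder, exercising the two failure shapes in this thread (an IHDR CRC mismatch, and a one-byte file) on constructed samples. The oversized-width sample is an assumption modelled on the negative width that file printed; the real PoC bytes are not on this page.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_DIMENSION = 2**31 - 1  # PNG spec: width and height must be 1..2^31-1


def check_png(data: bytes) -> list:
    """Return the problems found; an empty list means the chunk structure is sane."""
    if data[:8] != PNG_SIGNATURE:
        return ["bad or truncated signature"]
    problems, pos = [], 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        stored = data[pos + 8 + length:pos + 12 + length]
        if len(stored) != 4:  # body or CRC runs past the end of the file
            problems.append(f"{name}: truncated chunk")
            return problems
        # The CRC covers the chunk type and data, not the length field.
        if struct.unpack(">I", stored)[0] != zlib.crc32(ctype + body):
            problems.append(f"{name}: CRC error")
        if ctype == b"IHDR" and length == 13:
            width, height = struct.unpack(">II", body[:8])
            if not (1 <= width <= MAX_DIMENSION and 1 <= height <= MAX_DIMENSION):
                problems.append(f"IHDR: dimensions out of range ({width} x {height})")
        if ctype == b"IEND":
            return problems
        pos += 12 + length
    problems.append("missing IEND chunk")
    return problems


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build a well-formed chunk with a correct CRC (used only for the samples)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed samples: a valid 1x1 grayscale PNG plus corruptions modelled on the report.
IHDR_1X1 = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour, ...
TAIL = _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
GOOD_PNG = PNG_SIGNATURE + _chunk(b"IHDR", IHDR_1X1) + TAIL
_damaged = bytearray(GOOD_PNG)
_damaged[29] ^= 0xFF  # IHDR's stored CRC starts at 8 (signature) + 8 (header) + 13 (body)
BAD_CRC_PNG = bytes(_damaged)  # should report "IHDR: CRC error", like libpng did
# Correct CRC but a width with its top bit set (assumed value), far above the spec limit.
BAD_SIZE_PNG = PNG_SIGNATURE + _chunk(
    b"IHDR", struct.pack(">IIBBBBB", 0xFC0000E1, 225, 8, 0, 0, 0, 0)) + TAIL
ONE_BYTE_PNG = b"\x89"  # the second PoC in the thread is a single byte
```

This pre-check only rejects malformed input early; inside the FLIF caller the separate fix is a recovery point, since libpng's default error handler reaches png_longjmp, which aborts when no setjmp(png_jmpbuf(...)) target or png_set_error_fn callback has been installed, exactly as frames #1 to #3 of the backtrace show.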
