An infinite loop in png_read_png->..->png_write_row #492
Comments
I suggest you submit a small program and the input file that will repro this. As reported the bug is incredible.
@jbowler You can reproduce this issue by running:
You need to remove that file, it is reported by Chrome as containing a virus. I've separately reported this to github.com. Please do not post compiled programs here. They are not useful in bug reports. What I'm asking for is a simple example which compiles, links, runs and demonstrates the problem. A program of this size is likely to be inappropriate even if you provide the source code.
But apart from that your code is wrong; your read function does no error handling, so when it reaches the end of the file (which it does because the enormous IDAT at the end is truncated) it just keeps on reading. @ctruta: application bug (bad read function)
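As an added illustration of the maintainer's diagnosis above (example code written here, not libpng's own and not the reporter's program): a read routine that checks the byte count it got back and stops the row loop on a short read, using a constructed in-memory buffer in place of a FILE*. The libpng callback shown in the closing comment assumes the standard png_set_read_fn / png_get_io_ptr / png_error API.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a FILE*: a byte buffer and a read cursor. */
typedef struct { const unsigned char *data; size_t len, pos; } mem_file;

/* fread-like primitive: copies at most n bytes and reports how many it
 * actually delivered. A short count is the only EOF signal a caller gets. */
static size_t mem_read(mem_file *f, unsigned char *out, size_t n) {
    size_t avail = f->len - f->pos;
    if (n > avail) n = avail;
    memcpy(out, f->data + f->pos, n);
    f->pos += n;
    return n;
}

/* Hardened read step: either fills the whole buffer or fails loudly.
 * Ignoring the short count (the defect in the reported program) makes the
 * caller believe every row arrived, so it never stops asking for more. */
static int read_exact(mem_file *f, unsigned char *out, size_t n) {
    return mem_read(f, out, n) == n ? 0 : -1;
}

/* Mimics the png_read_png row loop: pull `height` rows of `rowbytes` bytes.
 * Returns 0 on success or -1 if the data ran out; *rows_read says how far
 * it got, so a truncated file terminates instead of spinning. */
int read_rows(mem_file *f, size_t rowbytes, size_t height, size_t *rows_read) {
    unsigned char row[64];               /* demo limit: rowbytes <= 64 */
    size_t i;
    if (rowbytes > sizeof row) { *rows_read = 0; return -1; }
    for (i = 0; i < height; i++) {
        if (read_exact(f, row, rowbytes) != 0) { *rows_read = i; return -1; }
    }
    *rows_read = height;
    return 0;
}

/* With libpng itself the same check belongs in the user read function
 * installed by png_set_read_fn(png_ptr, fp, user_read). png_error() does a
 * longjmp back to the png_jmpbuf() handler, which ends the row loop:
 *
 *   static void user_read(png_structp png_ptr, png_bytep data, size_t length) {
 *       FILE *fp = (FILE *)png_get_io_ptr(png_ptr);
 *       if (fread(data, 1, length, fp) != length)
 *           png_error(png_ptr, "premature end of PNG data");
 *   }
 */
```

With a 0x100-row image whose data stops one row short, read_rows reports failure at i = 0xff, the point where the reported program hangs.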
Summary
An infinite loop bug was found in png_read_png. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted PNG file.
POC
POC input
timeout-f74021412fba530904cddd63e3033f1527d52d76
Version
Found on version of 2023/06/07. Reproducible on the master branch.
Compile commands
Compile the poc program
Reproduce Step
Additional Information
When the variable i = 0xff (image_height = 0x100) in the loop from lines 751-755, the call png_read_row(png_ptr, *rp, NULL); will hang. The program finally hangs at the loop below.
Stack trace