libpng crashes when processing malformed cHRM chunks.
When libpng encounters a malformed cHRM chunk, it performs a divide by zero and crashes. This bug was introduced in libpng version 1.5.4 and has been fixed in libpng version 1.5.5.
By tricking a user into opening a specially crafted PNG file in an application that uses libpng, an attacker may be able to cause a denial-of-service crash.
The PNG Development Group has stated: "Such malformed PNG files are not necessarily malevolent (ones have been observed on the Internet that were created by accident) but they will cause a crash anyway."
Apply an Update
This vulnerability is addressed in the following libpng version: libpng-1.5.5
The PNG Development Group recommends upgrading to libpng-1.5.5. However, if you must continue to use libpng-1.5.4, you can apply the following patch to it:
@@ -1037,12 +1037,15 @@ png_handle_cHRM(png_structp png_ptr, png_infop
info_ptr, png_uint_32 length)
png_uint_32 w = y_red + y_green + y_blue;
- png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red
- png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
- * 32768)/w);
- png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue
+ if (w != 0)
+ png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red
+ png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
+ * 32768)/w);
+ png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue
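Review bot: the `if (w != 0)` guard as shown protects only the single statement that follows it; unless the three coefficient assignments are enclosed in a brace block, the green and blue divisions still run with `w == 0` and the crash remains. Separately, the red and blue lines in this rendering end at `(png_uint_32)y_red` and `(png_uint_32)y_blue` without their `* 32768)/w);` continuation, so the hunk as printed here will not apply cleanly; anyone patching 1.5.4 by hand should take the complete hunk from the libpng-1.5.5 sources rather than this page. Finally, when `w == 0` the chunk is accepted silently with the coefficients left at whatever they held before; reporting the malformed cHRM as a chunk error would make the bad input visible instead of hiding it.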
According to the PNG Development Group: "Those that use a 'system' libpng that happens to be libpng-1.5.4 are vulnerable to a divide-by-zero crash. Mozilla products that use the embedded libpng are not vulnerable."
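To make the failure mode concrete, the following is an added example, not libpng's own code: it parses the 32-byte payload of a PNG cHRM chunk (eight big-endian 32-bit values, each a chromaticity scaled by 100000, as the PNG specification defines) and derives RGB-to-gray coefficients the way the quoted hunk does, dividing each y value by the sum `w = y_red + y_green + y_blue`. The hardened routine refuses a chunk whose y values sum to zero instead of dividing by it, which is the condition the 1.5.5 guard checks. The struct and function names are hypothetical, and the two sample chunks are constructed here (one with the sRGB chromaticities most encoders write, one with all fields zero).

```c
/*
 * Added example, not libpng code: parse a cHRM payload and compute
 * RGB-to-gray coefficients with a guard against a zero divisor.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHRM_PAYLOAD_LEN 32   /* eight 4-byte big-endian fields per the PNG spec */

/* Chromaticities as stored in the chunk: real value * 100000 (hypothetical names). */
struct chrm {
    uint32_t white_x, white_y;
    uint32_t red_x,   red_y;
    uint32_t green_x, green_y;
    uint32_t blue_x,  blue_y;
};

/* Coefficients scaled so that red + green + blue is about 32768. */
struct gray_coeffs {
    uint16_t red, green, blue;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the payload is not exactly 32 bytes. */
int parse_chrm(const uint8_t *data, size_t len, struct chrm *out)
{
    if (len != CHRM_PAYLOAD_LEN)
        return -1;
    out->white_x = be32(data + 0);  out->white_y = be32(data + 4);
    out->red_x   = be32(data + 8);  out->red_y   = be32(data + 12);
    out->green_x = be32(data + 16); out->green_y = be32(data + 20);
    out->blue_x  = be32(data + 24); out->blue_y  = be32(data + 28);
    return 0;
}

/*
 * Hardened form of the computation in the hunk above. The unguarded
 * version divides y_* * 32768 by w unconditionally; a chunk whose three
 * y values are all zero makes w == 0 and the division traps. Here the
 * caller gets -1 and *out is left untouched, so the chunk can be
 * rejected. 64-bit arithmetic also keeps the multiplication from wrapping.
 */
int chrm_to_gray_coeffs(const struct chrm *c, struct gray_coeffs *out)
{
    uint64_t w = (uint64_t)c->red_y + c->green_y + c->blue_y;
    if (w == 0)
        return -1;                 /* malformed chunk: refuse, do not divide */
    out->red   = (uint16_t)(((uint64_t)c->red_y   * 32768) / w);
    out->green = (uint16_t)(((uint64_t)c->green_y * 32768) / w);
    out->blue  = (uint16_t)(((uint64_t)c->blue_y  * 32768) / w);
    return 0;
}

/* Constructed sample: sRGB chromaticities (white, red, green, blue). */
const uint8_t SAMPLE_GOOD[CHRM_PAYLOAD_LEN] = {
    0x00,0x00,0x7A,0x26, 0x00,0x00,0x80,0x84,   /* white 31270, 32900 */
    0x00,0x00,0xFA,0x00, 0x00,0x00,0x80,0xE8,   /* red   64000, 33000 */
    0x00,0x00,0x75,0x30, 0x00,0x00,0xEA,0x60,   /* green 30000, 60000 */
    0x00,0x00,0x3A,0x98, 0x00,0x00,0x17,0x70,   /* blue  15000,  6000 */
};

/* Constructed sample: every field zero, so y_red + y_green + y_blue == 0. */
const uint8_t SAMPLE_BAD[CHRM_PAYLOAD_LEN] = { 0 };

/* Processes one payload; returns 0 if usable, -1 if rejected. */
int handle_chrm(const uint8_t *data, size_t len, struct gray_coeffs *g)
{
    struct chrm c;
    if (parse_chrm(data, len, &c) != 0)
        return -1;
    return chrm_to_gray_coeffs(&c, g);
}

int main(void)
{
    struct gray_coeffs g;
    if (handle_chrm(SAMPLE_GOOD, CHRM_PAYLOAD_LEN, &g) == 0)
        printf("good chunk: red=%u green=%u blue=%u\n", g.red, g.green, g.blue);
    if (handle_chrm(SAMPLE_BAD, CHRM_PAYLOAD_LEN, &g) != 0)
        printf("zero-sum chunk rejected instead of dividing by zero\n");
    return 0;
}
```

With the sRGB sample, w is 99000 and the coefficients come out as 10922, 19859 and 1985; the all-zero sample is rejected before any division takes place, which is the behaviour a reader of the hunk should expect from a correct fix.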
Updated: September 22, 2011
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A
Thanks to Glenn Randers-Pehrson of the PNG Development Group for reporting this vulnerability.
This document was written by Michael Orlando.