hackerone / Geeknik / H1:73429
History: Jul 01, 2015 - 5:44 a.m.

Internet Bug Bounty: pngcrush_measure_idat() off-by-one error (CVE-2015-2158)

2015-07-01 05:44:37
geeknik
hackerone.com
18

EPSS

0.007

Percentile

80.6%

This is an off-by-one error in the “pngcrush_measure_idat()” function in pngcrush.c, introduced by commit http://sourceforge.net/p/pmt/code/ci/e1a36a9639e2db16494d90459c7c2b78677a20bf/ in version 1.7.83.

The code in pngcrush.c at line 7405:

    if (length < 28)
        for (ib=27; ib >= length; ib--)
            buff[ib] = 0;

If length is 0, the loop does not stop after zeroing buff[0]: ib is decremented to -1 and the body still runs, so buff[ib] = 0 writes one byte before the start of the "buff" buffer.
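The following C is an added illustration, not code from the report or from pngcrush. It models the loop quoted above with the write replaced by a bounds check, so the out-of-bounds index can be observed without corrupting memory, and places a forward-zeroing replacement next to it. It assumes that the chunk length is held in an unsigned type (pngcrush's png_uint_32), which is what makes `ib >= length` an unsigned comparison and lets ib == -1 pass the test; the replacement loop is one correct way to zero the tail and is not claimed to be the upstream 1.7.84 patch.

```c
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 28

/* Model of the 1.7.83 loop. Instead of writing buff[ib] = 0 it returns the
 * first index the loop would write outside buff[0..27], or BUFF_SIZE if every
 * write stays in range. The explicit (unsigned) cast spells out the usual
 * arithmetic conversion C applies when an int is compared with an unsigned
 * length (assumption: pngcrush stores the chunk length as png_uint_32), so
 * ib == -1 compares as 0xFFFFFFFF >= length and the loop keeps going. */
static int first_oob_index_original(unsigned length)
{
    int ib;
    if (length < BUFF_SIZE)
        for (ib = 27; (unsigned)ib >= length; ib--) {
            if (ib < 0 || ib >= BUFF_SIZE)
                return ib; /* this is where buff[ib] = 0 would go out of bounds */
        }
    return BUFF_SIZE;
}

/* Replacement that walks forward from `length` and can never index below 0
 * or above BUFF_SIZE - 1, whatever length is. (Illustrative, not the upstream fix.) */
static void zero_tail_fixed(unsigned char *buff, unsigned length)
{
    if (length < BUFF_SIZE)
        memset(buff + length, 0, BUFF_SIZE - length);
}

/* Exercise zero_tail_fixed on a buffer fenced by canary bytes. Returns 1 when
 * the first `length` bytes are untouched, the rest are zero, and both canaries
 * survive; 0 otherwise. */
static int fixed_zeroes_tail_only(unsigned length)
{
    struct {
        unsigned char before;
        unsigned char buff[BUFF_SIZE];
        unsigned char after;
    } g;
    unsigned i;

    g.before = 0xC1;
    g.after = 0xC2;
    memset(g.buff, 0xAA, BUFF_SIZE);    /* constructed fill pattern */
    zero_tail_fixed(g.buff, length);

    if (g.before != 0xC1 || g.after != 0xC2)
        return 0;
    for (i = 0; i < BUFF_SIZE; i++) {
        unsigned char want = (i < length) ? 0xAA : 0x00;
        if (g.buff[i] != want)
            return 0;
    }
    return 1;
}

int main(void)
{
    unsigned lengths[] = { 0, 1, 27, 28, 100 };
    size_t n;
    for (n = 0; n < sizeof lengths / sizeof lengths[0]; n++) {
        unsigned len = lengths[n];
        printf("length=%3u  original loop first OOB index: %3d  fixed loop ok: %d\n",
               len, first_oob_index_original(len), fixed_zeroes_tail_only(len));
    }
    return 0;
}
```

Only length 0 drives the modelled original loop below index 0; for every other length under 28 the condition `ib >= length` becomes false at ib = length - 1 while ib is still non-negative, which is why the defect is a single-value off-by-one rather than a general overflow.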

An attacker who can supply a crafted PNG could potentially exploit this issue to execute arbitrary code in the context of the user running the affected application; failed exploit attempts will likely crash the process, causing a denial-of-service condition. This issue was fixed in version 1.7.84 by commit http://sourceforge.net/p/pmt/code/ci/a1ce646d00a400fd9ec321ab5cb522f40b7bdfe6/.

I reported this to the project maintainer on February 27th 2015 via email, he reported it fixed on February 28th 2015.