oss-security - CVE Request: Use-after-free in optipng 0.6.4

Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 16 Sep 2015 08:11:03 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Use-after-free in optipng 0.6.4

We found a use-after-free causing an invalid/double free in optipng 0.6.4.
Upstream is working in fixing it but keep in mind that optipng 0.6.x is
officially unsupported. A CVE will be useful since such version is included
in distros like Debian and Ubuntu. Please find attached the test case to
trigger it. The valgrind report is here:

OptiPNG 0.6.4: Advanced PNG optimizer.
Copyright (C) 2001-2010 Cosmin Truta.

Processing: boom.png
Warning: pHYs: CRC error
Warning: gQMA: CRC error
1x2 pixels, 8 bits/pixel, 0 colors in palette
Error: Inconsistent data in libpng
==24844== Invalid read of size 4
==24844==    at 0x804DC68: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x4281a08 is 0 bytes inside a block of size 8 free'd
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x406370D: png_free_data (png.c:594)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==
==24844== Invalid free() / delete / delete[] / realloc()
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x804DC8E: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x4281a08 is 0 bytes inside a block of size 8 free'd
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x406370D: png_free_data (png.c:594)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==
==24844== Invalid free() / delete / delete[] / realloc()
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x804DC9B: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x42816d8 is 0 bytes inside a block of size 768 free'd
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x4063282: png_zfree (png.c:204)
==24844==    by 0x4063788: png_free_data (png.c:569)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==
==24844== Invalid read of size 4
==24844==    at 0x804DCC8: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x4281630 is 8 bytes inside a block of size 60 free'd
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x40639B4: png_free_data (png.c:537)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==
==24844== Invalid free() / delete / delete[] / realloc()
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x804DCEB: opng_optimize (opngoptim.c:507)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==  Address 0x4281628 is 0 bytes inside a block of size 60 free'd
==24844==    at 0x402B3D8: free (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24844==    by 0x407C073: png_free_default (pngmem.c:555)
==24844==    by 0x407C0C4: png_free (pngmem.c:539)
==24844==    by 0x40639B4: png_free_data (png.c:537)
==24844==    by 0x4063A63: png_info_destroy (png.c:618)
==24844==    by 0x4071CF9: png_read_destroy (pngread.c:1208)
==24844==    by 0x4072153: png_destroy_read_struct (pngread.c:1147)
==24844==    by 0x804C593: opng_read_file (opngoptim.c:1145)
==24844==    by 0x804D77E: opng_optimize_impl (opngoptim.c:1580)
==24844==    by 0x804DD3B: opng_optimize (opngoptim.c:1890)
==24844==    by 0x804A02A: main (optipng.c:719)
==24844==


Regards,
Gustavo.

Content of type "text/html" skipped
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.