Applications using libpng that install unknown chunk handlers, or copy unknown chunks, may be vulnerable to a security issue which may result in incorrect output, information leaks, crashes, or arbitrary code execution.
The issue involves libpng incorrectly handling zero length chunks which results in uninitialized memory affecting the control flow of the application.
Vulnerable Systems:
* libpng-1.0.6 through 1.0.32
* libpng-1.2.0 through 1.2.26
* libpng-1.4.0beta01 through libpng-1.4.0beta19
All these versions in the case that they were built with PNG_READ_UNKNOWN_CHUNKS_SUPPORTED or PNG_READ_USER_CHUNKS_SUPPORTED (default configuration)
Immune Systems:
* libpng version 1.2.27
* libpng version 1.0.33
* libpng version 1.2.27beta01
Technical Details:
The bug exists in all libpng versions since 1.0.6. It only manifests itself when all three of the following conditions exist:
1. The application is loaded with libpng-1.0.6 through 1.0.32, libpng-1.2.0 through 1.2.26, or libpng-1.4.0beta01 through libpng-1.4.0beta19, and
2. libpng was built with PNG_READ_UNKNOWN_CHUNKS_SUPPORTED or with PNG_READ_USER_CHUNKS_SUPPORTED (both are active in default libpng installations), and
3. the application includes either a call to
png_set_read_user_chunk_fn(png_ptr, user_ptr, callback_fn)
with keep = PNG_HANDLE_CHUNK_IF_SAFE (2)
or keep = PNG_HANDLE_CHUNK_ALWAYS (3)
It is believed that this is a rare circumstance. It occurs in "pngtest" that is a part of the libpng distribution, in pngcrush, and in recent versions of ImageMagick (6.2.5 through 6.4.0-4). The vendor of the library is not currently aware of any other vulnerable applications. When an application with the bug is run, libpng will generate spurious warning messages about a CRC error in the zero-length chunk and an out-of-memory condition, unless warnings are being suppressed. There is not actually a memory overflow, but the NULL pointer returned from the memory allocator when it tries to generate a zero-length buffer for the chunk data triggers the warning. Later, there may be an error when the application tries to free the non-existent buffer. This has been observed to cause a segmentation violation in pngtest.
