I found the vulnerability while testing my new fuzz tool.
Description
While running pngimage tests with AddressSanitizer (ASan), memory leaks were detected in read_png() during calls to png_create_read_struct() and png_create_info_struct(). The leaked memory is allocated in png_malloc_base() but never freed.
Steps to Reproduce
Compile the application.
Run the application using the following command: pngimage poc.png
Observe that the application crashes, indicating a memory leak error.
Expected Behavior
The application should manage memory correctly without trying to access memory after it has been freed.
Actual Behavior
The application crashes, showing a heap use-after-free error. Here's the output from AddressSanitizer:
Direct leak of 1240 byte(s) in 1 object(s) allocated from:
#0 0x7f8c1e429c47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55f7c9f68bdf in png_malloc_base ../pngmem.c:97
#2 0x55f7c9f68e6a in png_malloc_warn ../pngmem.c:215
#3 0x55f7c9f52d3a in png_create_png_struct ../png.c:327
#4 0x55f7c9f69151 in png_create_read_struct_2 ../pngread.c:44
#5 0x55f7c9f690fa in png_create_read_struct ../pngread.c:32
#6 0x55f7c9f4d737 in read_png ../contrib/libtests/pngimage.c:883
#7 0x55f7c9f4d889 in update_display ../contrib/libtests/pngimage.c:933
#8 0x55f7c9f50c95 in test_one_file ../contrib/libtests/pngimage.c:1426
#9 0x55f7c9f51211 in do_test ../contrib/libtests/pngimage.c:1577
#10 0x55f7c9f51d8e in main ../contrib/libtests/pngimage.c:1681
#11 0x7f8c1e03f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
Direct leak of 352 byte(s) in 1 object(s) allocated from:
#0 0x7f8c1e429c47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55f7c9f68bdf in png_malloc_base ../pngmem.c:97
#2 0x55f7c9f53084 in png_create_info_struct ../png.c:376
#3 0x55f7c9f4d7a1 in read_png ../contrib/libtests/pngimage.c:891
#4 0x55f7c9f4d889 in update_display ../contrib/libtests/pngimage.c:933
#5 0x55f7c9f50c95 in test_one_file ../contrib/libtests/pngimage.c:1426
#6 0x55f7c9f51211 in do_test ../contrib/libtests/pngimage.c:1577
#7 0x55f7c9f51d8e in main ../contrib/libtests/pngimage.c:1681
#8 0x7f8c1e03f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
Indirect leak of 768 byte(s) in 1 object(s) allocated from:
#0 0x7f8c1e429c47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55f7c9f68bdf in png_malloc_base ../pngmem.c:97
#2 0x55f7c9f68db7 in png_malloc ../pngmem.c:177
#3 0x55f7c9f68b3e in png_calloc ../pngmem.c:53
#4 0x55f7c9fafda1 in png_set_PLTE ../pngset.c:794
#5 0x55f7c9f9bc1e in png_handle_PLTE ../pngrutil.c:1069
#6 0x55f7c9fa6a53 in png_handle_chunk ../pngrutil.c:3213
#7 0x55f7c9f696df in png_read_info ../pngread.c:163
#8 0x55f7c9f6c489 in png_read_png ../pngread.c:874
#9 0x55f7c9f4d853 in read_png ../contrib/libtests/pngimage.c:904
#10 0x55f7c9f4d889 in update_display ../contrib/libtests/pngimage.c:933
#11 0x55f7c9f50c95 in test_one_file ../contrib/libtests/pngimage.c:1426
#12 0x55f7c9f51211 in do_test ../contrib/libtests/pngimage.c:1577
#13 0x55f7c9f51d8e in main ../contrib/libtests/pngimage.c:1681
#14 0x7f8c1e03f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
Indirect leak of 26 byte(s) in 1 object(s) allocated from:
#0 0x7f8c1e429c47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55f7c9f68bdf in png_malloc_base ../pngmem.c:97
#2 0x55f7c9f98db6 in png_read_buffer ../pngrutil.c:392
#3 0x55f7c9fa410c in png_handle_tEXt ../pngrutil.c:2419
#4 0x55f7c9fa6a53 in png_handle_chunk ../pngrutil.c:3213
#5 0x55f7c9f696df in png_read_info ../pngread.c:163
#6 0x55f7c9f6c489 in png_read_png ../pngread.c:874
#7 0x55f7c9f4d853 in read_png ../contrib/libtests/pngimage.c:904
#8 0x55f7c9f4d889 in update_display ../contrib/libtests/pngimage.c:933
#9 0x55f7c9f50c95 in test_one_file ../contrib/libtests/pngimage.c:1426
#10 0x55f7c9f51211 in do_test ../contrib/libtests/pngimage.c:1577
#11 0x55f7c9f51d8e in main ../contrib/libtests/pngimage.c:1681
#12 0x7f8c1e03f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: 2386 byte(s) leaked in 4 allocation(s).
by,
kaiyu Xie
In fact, I am not sure which version is the earliest affected. My experimental choice is 1.6.43. It is possible that earlier versions are also affected.
The behaviour was always there. pngimage simply returns 99 without any cleanup on an argument error (an unreadable PNG file) or an internal error. Any damaged PNG file will show the behaviour, as will -fsanitize=address to GCC.
I added the cleanup anyway; it's useful if pngimage can handle invalid files correctly too. The fix is #657
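To make the maintainer's explanation concrete, here is an added example (constructed stand-ins that mirror libpng's create/destroy calls and its png_jmpbuf error model; this is not libpng's or pngimage's code): the error path that returns 99 without destroying the read structs, beside the version that cleans up on every exit. A live-allocation counter plays the role that ASan's leak checker played in the report.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for libpng's read/info structs and its longjmp-based
 * error model (png_jmpbuf); not libpng's or pngimage's code. A live-allocation
 * counter plays the role ASan's leak checker played in the report. */
static int live_allocs = 0;
typedef struct { jmp_buf jmpbuf; unsigned char *palette; } png_struct_t;
typedef struct { int width; } png_info_t;
static png_struct_t *create_read_struct(void) { live_allocs++; return calloc(1, sizeof(png_struct_t)); }
static png_info_t   *create_info_struct(void) { live_allocs++; return calloc(1, sizeof(png_info_t)); }

/* Frees both structs and what hangs off them; the palette is the "indirect
 * leak" in the report, reachable only through the leaked read struct. */
static void destroy_read_struct(png_struct_t **pp, png_info_t **ip) {
    if (*pp) { if ((*pp)->palette) { free((*pp)->palette); live_allocs--; }
               free(*pp); live_allocs--; *pp = NULL; }
    if (*ip) { free(*ip); live_allocs--; *ip = NULL; }
}

/* Stands in for png_read_png(): allocates per-image data (as png_set_PLTE does),
 * then aborts through the caller's jmp_buf on a damaged file, as png_error() does. */
static void read_png_data(png_struct_t *p, const unsigned char *file, size_t len) {
    p->palette = malloc(768); live_allocs++;
    if (len < 8 || memcmp(file, "\x89PNG\r\n\x1a\n", 8) != 0) longjmp(p->jmpbuf, 1);
}

/* Before: the shape the issue reports. On a damaged file the error path returns
 * 99 and neither struct is destroyed, so all three blocks leak. */
int read_png_leaky(const unsigned char *file, size_t len) {
    png_struct_t *p = create_read_struct(); png_info_t *i = create_info_struct();
    if (setjmp(p->jmpbuf)) return 99;
    read_png_data(p, file, len);
    destroy_read_struct(&p, &i);
    return 0;
}

/* After: the longjmp target falls through to the same cleanup as success. */
int read_png_fixed(const unsigned char *file, size_t len) {
    png_struct_t *p = create_read_struct(); png_info_t *i = create_info_struct();
    int rc = 0;
    if (setjmp(p->jmpbuf)) rc = 99; else read_png_data(p, file, len);
    destroy_read_struct(&p, &i);
    return rc;
}
int outstanding_allocations(void) { return live_allocs; }
/* Constructed sample inputs: a non-PNG file and a bare, valid PNG signature. */
static const unsigned char kBadFile[] = "not a PNG file";
static const unsigned char kGoodHeader[] = "\x89PNG\r\n\x1a\n";
```

On the non-PNG input, read_png_leaky returns 99 and leaves three allocations outstanding (two direct, one indirect, matching the shape of the ASan report), while read_png_fixed returns 99 with none.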