Bug 1684596 (CVE-2019-9210)

Summary: CVE-2019-9210 advancecomp: integer overflow in png_compress in pngex.cc
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: i, lupinix.fedora, than
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-31 22:33:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1684597, 1686115
Bug Blocks: 1684598

Description msiddiqu 2019-03-01 15:46:43 UTC
In AdvanceCOMP 2.1, png_compress in pngex.cc in advpng has an integer overflow upon encountering an invalid PNG size, which results in an attempted memcpy to write into a buffer that is too small. (There is also a heap-based buffer over-read.) 

Reference:
https://sourceforge.net/p/advancemame/bugs/277/

Comment 1 msiddiqu 2019-03-01 15:46:53 UTC
Created advancecomp tracking bugs for this issue:

Affects: fedora-all [bug 1684597]

Comment 3 msiddiqu 2019-03-01 16:01:49 UTC
asm reference: http://127.0.0.1:5600/static/#/asm_ticket/19558

Comment 4 Scott Gayou 2019-03-06 18:26:55 UTC
Upstream analysis looks good. Small memory allocs occur after an addition wraps around an unsigned int.

```cpp
	for(i=0;i<dy;++i) {
		const unsigned char* p1 = &img_ptr[x * img_pixel + (i+y) * img_scanline];
		*p0++ = 0;
		memcpy(p0, p1, dx * img_pixel);   /* line flagged by the debugger */
		p0 += dx * img_pixel;
	}
```

We then memcpy dx bytes, where dx is 4294967295. Segfault.
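
Added illustration (not part of the bug report and not advancecomp's own code) of the pattern described in comment 4: an unsigned addition that wraps lets an oversized region pass a bounds check, the buffer size computed from it wraps to a tiny value, and the copy loop then runs with the original huge `dx`. The `struct crop` and the function names are assumptions made for this example; only the variable names `x`, `y`, `dx`, `dy` and `img_pixel` come from the quoted loop. Each wrapping computation is shown next to an overflow-aware version that rejects the input instead.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical crop parameters, modelled on the variables in the loop
 * quoted above (x, y, dx, dy, img_pixel); the struct and function names
 * are assumptions made for this example, not advancecomp's own API. */
struct crop {
    unsigned x, y;                   /* region origin, in pixels */
    unsigned dx, dy;                 /* region size, in pixels */
    unsigned img_width, img_height;  /* source image size, in pixels */
    unsigned img_pixel;              /* bytes per pixel */
};

/* A bounds check written as a sum: x + dx wraps when dx is close to
 * UINT_MAX, so a region that cannot possibly fit passes the test. */
bool region_ok_wrapping(const struct crop *c)
{
    return c->x + c->dx <= c->img_width && c->y + c->dy <= c->img_height;
}

/* The same check written against the remaining width and height; no
 * intermediate sum is formed, so nothing can wrap. */
bool region_ok_checked(const struct crop *c)
{
    if (c->x > c->img_width || c->y > c->img_height)
        return false;
    return c->dx <= c->img_width - c->x && c->dy <= c->img_height - c->y;
}

/* Bytes the loop writes: dy rows of one filter byte plus dx * img_pixel
 * pixel bytes. In unsigned arithmetic every step wraps silently; for
 * dx = UINT_MAX and img_pixel = 1 the "+ 1" turns the row size into 0,
 * so the allocation comes out tiny while memcpy still copies dx bytes. */
unsigned out_size_wrapping(const struct crop *c)
{
    return c->dy * (c->dx * c->img_pixel + 1);
}

/* Overflow-aware version: each multiplication and addition is checked
 * before it is performed; returns false instead of a wrapped size. */
bool out_size_checked(const struct crop *c, unsigned *out)
{
    unsigned row;
    if (c->img_pixel != 0 && c->dx > UINT_MAX / c->img_pixel)
        return false;                       /* dx * img_pixel would wrap */
    row = c->dx * c->img_pixel;
    if (row == UINT_MAX)
        return false;                       /* + 1 filter byte would wrap */
    row += 1;
    if (c->dy != 0 && row > UINT_MAX / c->dy)
        return false;                       /* dy * row would wrap */
    *out = row * c->dy;
    return true;
}

/* True when the checked computation accepts the crop and yields expected. */
bool checked_size_is(const struct crop *c, unsigned expected)
{
    unsigned size;
    return out_size_checked(c, &size) && size == expected;
}

/* Constructed inputs: a well-formed 4x2 crop of an 8x8 RGB image, and a
 * hostile crop whose width is 4294967295, the dx value seen in the crash. */
const struct crop SANE = {
    .x = 0, .y = 0, .dx = 4, .dy = 2,
    .img_width = 8, .img_height = 8, .img_pixel = 3
};
const struct crop HOSTILE = {
    .x = 1, .y = 0, .dx = UINT_MAX, .dy = 1,
    .img_width = 8, .img_height = 8, .img_pixel = 1
};

int main(void)
{
    const struct crop *cases[] = { &SANE, &HOSTILE };
    for (int i = 0; i < 2; ++i) {
        const struct crop *c = cases[i];
        unsigned size;
        printf("dx=%u: wrapping check %s, checked %s, wrapping size %u, ",
               c->dx,
               region_ok_wrapping(c) ? "accepts" : "rejects",
               region_ok_checked(c) ? "accepts" : "rejects",
               out_size_wrapping(c));
        if (out_size_checked(c, &size))
            printf("checked size %u\n", size);
        else
            printf("checked size rejected\n");
    }
    return 0;
}
```

For the hostile crop, `x + dx` wraps to 0 and the wrapping bounds check accepts it, `dy * (dx * img_pixel + 1)` wraps to 0, and the copy loop would still ask memcpy for `dx * img_pixel` = 4294967295 bytes; the checked variants refuse the region before any allocation or copy happens.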

Comment 9 errata-xmlrpc 2020-03-31 19:14:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1037 https://access.redhat.com/errata/RHSA-2020:1037

Comment 10 Product Security DevOps Team 2020-03-31 22:33:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9210