Bug 1198171 (CVE-2015-2158) - CVE-2015-2158 pngcrush: pngcrush_measure_idat() off-by-one error
Summary: CVE-2015-2158 pngcrush: pngcrush_measure_idat() off-by-one error
Alias: CVE-2015-2158
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1198174 1198175
Blocks: 1198177
Reported: 2015-03-03 13:50 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:35 UTC

Fixed In Version: pngcrush 1.7.84
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-03-06 14:55:18 UTC


Description Vasyl Kaigorodov 2015-03-03 13:50:35 UTC
A crash potentially leading to code execution was reported [1] and fixed [2] in pngcrush version 1.7.84.
Upstream commit that fixes this:

[1]: http://seclists.org/oss-sec/2015/q1/709
[2]: http://sourceforge.net/p/pmt/news/2015/02/pngcrush-1784-released/

Comment 1 Vasyl Kaigorodov 2015-03-03 13:53:31 UTC
Created pngcrush tracking bugs for this issue:

Affects: fedora-all [bug 1198174]
Affects: epel-all [bug 1198175]

Comment 2 Stefan Cornelius 2015-03-06 14:55:18 UTC
This is an off-by-one error in the "pngcrush_measure_idat()" function in pngcrush.c, introduced by commit http://sourceforge.net/p/pmt/code/ci/e1a36a9639e2db16494d90459c7c2b78677a20bf/ in version 1.7.83.

The code in pngcrush line 7405:
if (length < 28)
   for (ib=27; ib >= length; ib--)   /* ib is int, length is unsigned: when ib reaches -1 it is converted to unsigned and the comparison is still true */
      buff[ib] = 0;                  /* so this iteration writes buff[-1], one byte before the start of buff */

If length is 0, the last iteration will set "ib" to -1, thus "buff[ib] = 0;" will write outside of the "buff" buffer. I doubt that this can be exploited for anything other than an application crash.


This issue did not affect the versions of pngcrush as shipped with Red Hat Enterprise Linux 7.
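The signed/unsigned comparison described in the comment above, as an added example that is not part of this bug report or of pngcrush's code: a guarded model of the 1.7.83 loop beside a hardened form (this example's own fix, not necessarily the upstream 1.7.84 commit), plus two small checkers. BUFF_LEN, pad_vulnerable_model, pad_fixed, lowest_index and fill_is_correct are names chosen for this example; the 28-byte buffer and the "int ib / unsigned length" pairing follow the report.

```c
#include <stdint.h>
#include <string.h>
#define BUFF_LEN 28

/* Model of the 1.7.83 loop: ib is int, length is the unsigned chunk length
 * (png_uint_32 in pngcrush). In "ib >= length", ib is converted to unsigned,
 * so when ib reaches -1 it compares as 4294967295 and the loop keeps going.
 * Returns the lowest index the loop tried to write; the demo-only guard stops
 * at the first negative index instead of writing below buff as pngcrush did. */
static int pad_vulnerable_model(unsigned char *buff, uint32_t length)
{
    int ib, lowest = BUFF_LEN;                /* BUFF_LEN means nothing written */
    if (length < BUFF_LEN)
        for (ib = BUFF_LEN - 1; ib >= length; ib--) {
            lowest = ib;
            if (ib < 0) break;                /* real code: buff[-1] = 0 */
            buff[ib] = 0;
        }
    return lowest;
}

/* Hardened form (this example's fix, not the upstream commit): test the signed
 * counter against 0 before comparing it with the unsigned length. */
static int pad_fixed(unsigned char *buff, uint32_t length)
{
    int ib, lowest = BUFF_LEN;
    if (length < BUFF_LEN)
        for (ib = BUFF_LEN - 1; ib >= 0 && (uint32_t)ib >= length; ib--) {
            lowest = ib;
            buff[ib] = 0;
        }
    return lowest;
}

static int lowest_index(int (*pad)(unsigned char *, uint32_t), uint32_t length)
{
    unsigned char buff[BUFF_LEN];             /* scratch buffer for the dry run */
    return pad(buff, length);
}

/* Fill a buffer with 0xAA, run pad, and return 1 only if every byte at index
 * >= length is now 0 and every byte below length is still 0xAA. */
static int fill_is_correct(int (*pad)(unsigned char *, uint32_t), uint32_t length)
{
    unsigned char buff[BUFF_LEN];
    memset(buff, 0xAA, sizeof buff);
    pad(buff, length);
    for (uint32_t i = 0; i < BUFF_LEN; i++)
        if (buff[i] != (i >= length ? 0x00 : 0xAA)) return 0;
    return 1;
}
```

For length 0 the model reports index -1 while the hardened loop stops at 0; for any length between 1 and 27 both zero exactly the bytes from length up to 27.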
