Bug 1684596 (CVE-2019-9210) - CVE-2019-9210 advancecomp: integer overflow in png_compress in pngex.cc
Summary: CVE-2019-9210 advancecomp: integer overflow in png_compress in pngex.cc
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9210
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1684597 1686115
Blocks: 1684598
Reported: 2019-03-01 15:46 UTC by msiddiqu
Modified: 2020-03-31 22:33 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-31 22:33:41 UTC
Embargoed:




Links
System                 | ID             | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2020:1037 | 0       | None     | None   | None    | 2020-03-31 19:14:37 UTC

Description msiddiqu 2019-03-01 15:46:43 UTC
In AdvanceCOMP 2.1, png_compress in pngex.cc in advpng has an integer overflow upon encountering an invalid PNG size, which results in an attempted memcpy to write into a buffer that is too small. (There is also a heap-based buffer over-read.) 

Reference:
https://sourceforge.net/p/advancemame/bugs/277/

Comment 1 msiddiqu 2019-03-01 15:46:53 UTC
Created advancecomp tracking bugs for this issue:

Affects: fedora-all [bug 1684597]

Comment 3 msiddiqu 2019-03-01 16:01:49 UTC
asm reference: http://127.0.0.1:5600/static/#/asm_ticket/19558

Comment 4 Scott Gayou 2019-03-06 18:26:55 UTC
Upstream analysis looks good. Small memory allocs occur after an addition wraps around an unsigned int.

```c
/* png_compress in pngex.cc: per-row copy loop */
for (i = 0; i < dy; ++i) {
        const unsigned char* p1 = &img_ptr[x * img_pixel + (i+y) * img_scanline];
        *p0++ = 0;                        /* leading byte before each row */
        memcpy(p0, p1, dx * img_pixel);   /* <-- faulting copy, dx * img_pixel wrapped */
        p0 += dx * img_pixel;
}
```

We then memcpy dx bytes, where dx is 4294967295. Segfault.
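
An added example, not advpng's own code, modelling the wrap Comment 4 describes: the row size dx * img_pixel + 1 and a buffer of dy such rows are assumptions for illustration (as is the 1-byte pixel), and the checked variant shows the dimension validation that rejects the input before anything is allocated.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (not advpng's code) of the size arithmetic behind
 * CVE-2019-9210: one raw row is dx pixels of img_pixel bytes plus one
 * leading byte, and a buffer for dy such rows is sized from that. */

/* Unchecked 32-bit unsigned arithmetic: wraps silently. */
unsigned int row_size_unchecked(unsigned int dx, unsigned int img_pixel)
{
    return dx * img_pixel + 1;          /* 4294967295 * 1 + 1 wraps to 0 */
}

unsigned int alloc_size_unchecked(unsigned int dx, unsigned int dy,
                                  unsigned int img_pixel)
{
    return dy * row_size_unchecked(dx, img_pixel);
}

/* Bytes the per-row copy loop would actually write, computed without wrap. */
uint64_t loop_bytes_written(unsigned int dx, unsigned int dy,
                            unsigned int img_pixel)
{
    return (uint64_t)dy * ((uint64_t)dx * img_pixel + 1);
}

/* Hardened variant: validate the dimensions before any allocation.
 * Returns 1 and stores the size on success, 0 if any step would wrap. */
int alloc_size_checked(unsigned int dx, unsigned int dy,
                       unsigned int img_pixel, unsigned int *out)
{
    unsigned int row;
    if (img_pixel == 0 || dx > (UINT_MAX - 1) / img_pixel)
        return 0;                       /* dx * img_pixel + 1 would wrap */
    row = dx * img_pixel + 1;
    if (dy > UINT_MAX / row)
        return 0;                       /* dy * row would wrap */
    *out = dy * row;
    return 1;
}

int main(void)
{
    /* Constructed input: the dx value quoted above, a 1-byte pixel, one row. */
    unsigned int dx = 4294967295u, dy = 1, px = 1, size;
    printf("unchecked alloc: %u bytes, loop writes %llu bytes\n",
           alloc_size_unchecked(dx, dy, px),
           (unsigned long long)loop_bytes_written(dx, dy, px));
    printf("checked: %s\n", alloc_size_checked(dx, dy, px, &size) ? "ok" : "rejected");
    return 0;
}
```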

Comment 9 errata-xmlrpc 2020-03-31 19:14:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1037 https://access.redhat.com/errata/RHSA-2020:1037

Comment 10 Product Security DevOps Team 2020-03-31 22:33:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9210

