In AdvanceCOMP 2.1, png_compress in pngex.cc in advpng has an integer overflow upon encountering an invalid PNG size, which results in an attempted memcpy to write into a buffer that is too small. (There is also a heap-based buffer over-read.) Reference: https://sourceforge.net/p/advancemame/bugs/277/
Created advancecomp tracking bugs for this issue: Affects: fedora-all [bug 1684597]
Upstream patch: https://github.com/amadvance/advancecomp/commit/7894a6e684ce68ddff9f4f4919ab8e3911ac8040
asm reference: http://127.0.0.1:5600/static/#/asm_ticket/19558
Upstream analysis looks good. Small memory allocs occur after an addition wraps around an unsigned int.

```
52 for(i=0;i<dy;++i) {
53     const unsigned char* p1 = &img_ptr[x * img_pixel + (i+y) * img_scanline];
54     *p0++ = 0;
>55    memcpy(p0, p1, dx * img_pixel);
56     p0 += dx * img_pixel;
57 }
```

We then memcpy dx bytes, where dx is 4294967295. Segfault.
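The following is an added illustration of the bug class described in the analysis above; it is not advpng's code and not the upstream patch. It contrasts a naive size computation for the crop loop shown above (dy rows, each one filter byte plus dx * img_pixel pixel bytes) with a hypothetical checked version that rejects any region whose dimensions wrap an unsigned int or fall outside the image. The function names and all sample values are constructed, except dx = 4294967295, which is the value reported in the comment.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Naive size for dy rows of (1 filter byte + dx * img_pixel pixel bytes).
 * Unsigned arithmetic wraps silently, so an oversized dx can yield a tiny
 * allocation that the later per-row memcpy then overruns. */
unsigned crop_size_naive(unsigned dx, unsigned dy, unsigned img_pixel)
{
    return dy * (dx * img_pixel + 1);
}

/* Hypothetical checked variant: every intermediate is bounds-checked before
 * it is computed, and the crop must lie inside the img_w x img_h image.
 * Returns false on any wrap or out-of-image region; *out_bytes is the
 * allocation size only when true is returned. */
bool crop_size_checked(unsigned img_w, unsigned img_h, unsigned img_pixel,
                       unsigned x, unsigned y, unsigned dx, unsigned dy,
                       size_t *out_bytes)
{
    unsigned row_bytes;
    size_t row_plus_filter, total;

    /* x + dx <= img_w without computing x + dx (which could wrap). */
    if (dx > img_w || x > img_w - dx)
        return false;
    /* Same for y + dy <= img_h. */
    if (dy > img_h || y > img_h - dy)
        return false;
    /* dx * img_pixel is the per-row memcpy length; reject if it wraps. */
    if (img_pixel != 0 && dx > UINT_MAX / img_pixel)
        return false;
    row_bytes = dx * img_pixel;
    /* + 1 filter byte per row, in size_t; guard the add on 32-bit size_t. */
    if ((size_t)row_bytes > SIZE_MAX - 1)
        return false;
    row_plus_filter = (size_t)row_bytes + 1;
    /* Finally multiply by the row count, again without wrapping. */
    if (dy != 0 && row_plus_filter > SIZE_MAX / dy)
        return false;
    total = row_plus_filter * dy;

    *out_bytes = total;
    return true;
}

int main(void)
{
    size_t bytes = 0;
    /* Constructed sane crop: 2x2 pixels of a 4x4 RGB (3 bytes/pixel) image. */
    if (crop_size_checked(4, 4, 3, 1, 1, 2, 2, &bytes))
        printf("checked: sane crop needs %zu bytes\n", bytes);

    /* dx from the comment above: the naive formula wraps to a tiny size. */
    unsigned dx = 4294967295u;
    printf("naive:   dx=%u gives %u bytes\n", dx, crop_size_naive(dx, 1, 1));
    printf("checked: dx=%u accepted? %s\n", dx,
           crop_size_checked(4, 4, 1, 0, 0, dx, 1, &bytes) ? "yes" : "no");
    return 0;
}
```

With dx = 4294967295 and img_pixel = 1, the naive formula computes dx * img_pixel + 1 as 0, so the whole buffer comes out as 0 bytes even though the loop will still copy dx bytes per row; the checked variant refuses the region before any allocation happens.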
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1037 https://access.redhat.com/errata/RHSA-2020:1037
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9210