D. J. Bernstein
MCS 494, UNIX Security Holes, Fall 2004

2004.09.17 libpng assignment

Portable Network Graphics (PNG) is a lossless compressed image format. For comparison, JPEG is a lossy compressed image format: it throws away some information to save space.

libpng is software that, among other things, reads PNG files and uncompresses them for display. On 2004.08.04, several security holes were announced in libpng. The security holes were fixed in version 1.2.6. (Some serious non-security-related bugs were added in the rush and fixed in version 1.2.7.) The following comments apply to version 1.2.5. (All files; libpng-1.2.5.tar.gz.)

The function png_handle_tRNS, at line 1216 of libpng-1.2.5/pngrutil.c, defines an array readbuf of length PNG_MAX_PALETTE_LENGTH, and writes to it by calling a function png_crc_read.
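The check a reader wants in front of a read like that, as an added C example rather than libpng's own code: a minimal model of a paletted tRNS handler that bounds the file-supplied chunk length by the fixed-size buffer and by the recorded palette size before anything is copied. The value 256 for PNG_MAX_PALETTE_LENGTH, the png_state struct, and the two sample chunks are assumptions constructed for the example; CRC verification is omitted.

```c
#include <stdint.h>
#include <string.h>
/* Assumed for this example: libpng's limit of 256 palette entries and the
   PNG colour-type value for paletted images. */
#define PNG_MAX_PALETTE_LENGTH 256
#define PNG_COLOR_TYPE_PALETTE 3
/* Minimal stand-in for reader state: what the PLTE chunk said about the palette. */
struct png_state {
    int color_type;
    uint32_t num_palette;                      /* entries recorded from PLTE */
    unsigned char trans[PNG_MAX_PALETTE_LENGTH];
    uint32_t num_trans;
};
/* PNG chunk lengths are 4-byte big-endian values. */
static uint32_t png_get_uint_32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hardened tRNS handling for a paletted image. `chunk` points at a tRNS chunk's
   length field, `avail` is the number of bytes readable from there. Returns 0 on
   success, -1 when rejected. CRC checking (part of png_crc_read) is omitted. */
int handle_tRNS_palette(struct png_state *st, const unsigned char *chunk, size_t avail) {
    unsigned char readbuf[PNG_MAX_PALETTE_LENGTH];
    if (avail < 8) return -1;                          /* length + type fields */
    uint32_t length = png_get_uint_32(chunk);
    if (st->color_type != PNG_COLOR_TYPE_PALETTE) return -1;
    /* The length comes from the file; readbuf's size does not. Bound the
       length by the buffer and by the palette before anything is copied. */
    if (length > PNG_MAX_PALETTE_LENGTH || length > st->num_palette) return -1;
    if (avail - 8 < (size_t)length + 4) return -1;     /* data + 4-byte CRC */
    memcpy(readbuf, chunk + 8, length);                /* the read into readbuf */
    memcpy(st->trans, readbuf, length);
    st->num_trans = length;
    return 0;
}
/* Constructed sample chunks: length, "tRNS", data, 4-byte CRC (not checked). */
static const unsigned char good_chunk[] =
    { 0, 0, 0, 3, 't', 'R', 'N', 'S', 0x00, 0x80, 0xff, 0, 0, 0, 0 };
static const unsigned char oversized_chunk[] =         /* claims 300 bytes */
    { 0, 0, 1, 44, 't', 'R', 'N', 'S', 0xaa, 0xbb, 0, 0, 0, 0 };
/* Each returns 1 when the handler behaves as intended for a 4-entry palette. */
int check_good(void) {
    struct png_state st = { PNG_COLOR_TYPE_PALETTE, 4, {0}, 0 };
    return handle_tRNS_palette(&st, good_chunk, sizeof good_chunk) == 0 && st.num_trans == 3;
}
int check_oversized(void) {
    struct png_state st = { PNG_COLOR_TYPE_PALETTE, 4, {0}, 0 };
    return handle_tRNS_palette(&st, oversized_chunk, sizeof oversized_chunk) == -1;
}
```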

Question 1, due 2004.09.20: Assume that libpng is used to read a PNG file that was created by an attacker. How can the attacker overflow the readbuf array?

Question 2, due 2004.09.22: How can the attacker use this bug to modify user files on a system with an executable stack?

Question 3, due 2004.09.24: How can the attacker use this bug to modify user files on a system with non-executable stack, non-executable heap, etc.?