Hi,
I'm writing an article on AFL for a German magazine and want to provide an example which
readers could try out, and I've decided to show how CVE-2015-8126 can be (or has been) found
with AFL in an older tarball of libpng.
That's a buffer overflow in png_set_PLTE and png_get_PLTE in libpng before 1.0.64, 1.2.54, 1.4.17,
1.5.24 and 1.6.19 (they fail to check for an out-of-range palette when reading or writing a PNG with
a bit depth less than 8).
This was first reported by Jakub against optipng in 2015 (https://bugs.debian.org/787647)
and later reassigned to libpng itself.
libpng is, as is widely known, rather easy to build: only zlib is needed, and there's also a pngtest.c
which can be used to test-drive the library on the spot, easy to follow and to try out. The crash sample
from the optipng bug report does in fact trigger a crash in libpng 1.2.53:
<cut>
$ ./libpng-1.2.53/pngtest crash.png
Testing libpng version 1.2.53
with zlib version 1.2.8
libpng version 1.2.53 - February 26, 2015
Copyright (c) 1998-2015 Glenn Randers-Pehrson
Copyright (c) 1996-1997 Andreas Dilger
Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
library (10253): libpng version 1.2.53 - February 26, 2015
pngtest (10253): libpng version 1.2.53 - February 26, 2015
sizeof(png_struct)=1264, sizeof(png_info)=464
libpng error: Read Error
Testing crash.png:crash.png -> pngout.png: libpng read error
</cut>
I'm fuzzing the library now using pngtest, and I've only instrumented pngget.c (targeting png_get_PLTE)
to trigger a read error, following the advice in AFL's perf_tips.txt, because building the whole library
with afl-gcc brought up a "too slow" warning. I've seeded afl-fuzz with not_kitty.png from the shipped
testcases.
The article is waiting for this to succeed, hopefully on one try, so I want to ask whether
somebody has done this before, this CVE in particular or fuzzing libpng for another issue, and could
give some advice on how to do it right and bring up the targeted result (maybe next to others).
Thanks
Daniel Stender
--
4096R/DF5182C8 (ste...@debian.org)
http://www.danielstender.com/
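Added example, not part of Daniel's post and not code from libpng, optipng or AFL: a small PNG chunk walker that flags the precondition described in the post (a PLTE chunk with more entries than a bit depth below 8 permits), so that files afl-fuzz drops into its crashes/ directory can be triaged offline before they are run through pngtest. The 1x1 palette images it builds are constructed samples, not crash.png from the Debian bug. The range check it applies (at most 2^bit_depth entries for a palette image, at most 256 otherwise) is what the fixed libpng versions do in png_set_PLTE as I remember the fix, so treat the exact shape of that check as an assumption.

```python
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_MAX_PALETTE_LENGTH = 256      # libpng's hard cap on palette entries
PNG_COLOR_TYPE_PALETTE = 3


def iter_chunks(data):
    """Yield (type, payload, crc_ok) for each chunk of a PNG byte string."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated %r chunk" % ctype)
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        yield ctype, payload, crc_ok
        pos = end
        if ctype == b"IEND":
            break


def check_palette(data):
    """Return a list of findings; an empty list means the PLTE is in range.

    Assumed shape of the fixed libpng check: a palette image may carry at
    most 2**bit_depth entries, any other image at most PNG_MAX_PALETTE_LENGTH.
    """
    findings = []
    bit_depth = color_type = None
    for ctype, payload, crc_ok in iter_chunks(data):
        if not crc_ok:
            # afl-fuzz mutations usually break CRCs; libpng rejects a bad CRC
            # on a critical chunk before the PLTE code is ever reached.
            findings.append("%s chunk CRC mismatch" % ctype.decode("latin-1"))
        if ctype == b"IHDR":
            if len(payload) != 13:
                findings.append("IHDR length %d, expected 13" % len(payload))
                break
            _, _, bit_depth, color_type, _, _, _ = struct.unpack(">IIBBBBB", payload)
        elif ctype == b"PLTE":
            if bit_depth is None:
                findings.append("PLTE before IHDR")
                break
            if len(payload) % 3:
                findings.append("PLTE length %d is not a multiple of 3" % len(payload))
            num_palette = len(payload) // 3
            if color_type == PNG_COLOR_TYPE_PALETTE and bit_depth < 8:
                max_palette = 1 << bit_depth
            else:
                max_palette = PNG_MAX_PALETTE_LENGTH
            if num_palette > max_palette:
                findings.append(
                    "PLTE has %d entries but bit depth %d allows at most %d "
                    "(CVE-2015-8126 precondition)" % (num_palette, bit_depth, max_palette))
    return findings


def make_chunk(ctype, payload):
    """Serialise one chunk: length, type, payload, CRC over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_palette_png(bit_depth, num_palette):
    """Constructed 1x1 palette PNG with num_palette RGB entries (not crash.png)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, bit_depth, PNG_COLOR_TYPE_PALETTE, 0, 0, 0)
    plte = bytes(i % 256 for i in range(3 * num_palette))
    idat = zlib.compress(b"\x00\x00")   # filter byte 0 + one packed pixel byte
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"PLTE", plte)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def main(paths):
    """Triage files from afl's crashes/ directory; without arguments, self-demo."""
    if not paths:
        samples = {"ok_2bit_4entries": make_palette_png(2, 4),
                   "bad_2bit_5entries": make_palette_png(2, 5),
                   "bad_1bit_256entries": make_palette_png(1, 256)}
        for name, blob in samples.items():
            print(name, check_palette(blob) or "clean")
        return 0
    rc = 0
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            findings = check_palette(data)
        except ValueError as exc:
            findings = ["unparsable: %s" % exc]
        if findings:
            rc = 1
        print(path, findings or "clean")
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments for the built-in samples, or over AFL's output (for example `python3 plte_check.py out/crashes/id:*`) to see which candidates actually carry an oversized palette; the exit status is 1 when at least one file has a finding. Note that a file with a broken CRC is reported too, because that is the usual reason a mutated input never reaches png_set_PLTE and only produces a plain "Read Error" in pngtest.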