Thank you for this challenging and useful dataset! After reviewing some of the libpng bugs manually, I currently believe
AAH004 appears to be untriggerable by the current harness. First, the harness validates that height*width < 100000000. In the best case, height=1, width=100000000. Equivalently, 2^26 < width < 2^27. Second, even with the largest transformed_pixel_depth of 64 set around here and checked here, the pixel_depth is divided by 8 at the bug site. Hence, 2^26 * 2^3 cannot overflow 2^32 as required by the Magma bug condition. Note that because the harness also bounds memory allocations here, there will also be a nullptr supplied here that I believe will early terminate the program as well.
AAH005 appears to be untriggerable by the current harness for similar reasons. The PNG_ROWBYTES macro performs a similar divide-by-8 operation at the bug site here. Additionally, the bug site is also guarded by the height*width < 100000000 check. Interestingly enough, AAH001 does not suffer from this issue because it is called before the height*width < 100000000 check activates.
I am happy to provide POCs for demonstrability of both.
Given this information, should these bugs be moved to the graveyard or should the harnesses be fixed? What do you think?
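The bound argument in this report, worked through as an added example (not code from Magma or libpng): the 100000000-pixel harness limit and the 64-bit maximum transformed pixel depth are taken from the post; the row-size formula is a reconstruction of libpng's PNG_ROWBYTES for this example, and the PNG maximum dimension of 0x7fffffff used for the unbounded comparison is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Harness bound from the issue: height*width must be < 100000000. */
#define HARNESS_MAX_PIXELS   100000000ULL
/* Largest transformed pixel depth libpng can produce, per the issue: 64 bits. */
#define MAX_PIXEL_DEPTH_BITS 64ULL
/* Assumed largest legal PNG dimension (PNG_UINT_31_MAX) for the no-harness case. */
#define PNG_MAX_DIM          0x7fffffffULL

/* Row size in bytes, computed the way a libpng-style PNG_ROWBYTES macro does
 * (reconstructed here, not copied from libpng). Evaluated in 64 bits so the
 * result shows whether a 32-bit rowbytes value would have overflowed. */
static uint64_t row_bytes(uint64_t pixel_bits, uint64_t width) {
    if (pixel_bits >= 8)
        return width * (pixel_bits >> 3);          /* the divide-by-8 the issue mentions */
    return (width * pixel_bits + 7) >> 3;
}

/* Largest row size reachable under the harness: height = 1 and width takes the
 * whole pixel budget, at the maximum pixel depth. */
uint64_t max_row_bytes_under_harness(void) {
    uint64_t width = HARNESS_MAX_PIXELS - 1;       /* height*width < 1e8 with height = 1 */
    return row_bytes(MAX_PIXEL_DEPTH_BITS, width);
}

/* Can any harness-permitted image push rowbytes past 32 bits? 1 = yes, 0 = no. */
int harness_allows_rowbytes_overflow(void) {
    return max_row_bytes_under_harness() > UINT32_MAX;
}

/* Same question with no harness bound, i.e. width up to the PNG maximum. */
int unbounded_allows_rowbytes_overflow(void) {
    return row_bytes(MAX_PIXEL_DEPTH_BITS, PNG_MAX_DIM) > UINT32_MAX;
}

int main(void) {
    printf("max rowbytes under harness: %llu bytes, 32-bit overflow: %d\n",
           (unsigned long long)max_row_bytes_under_harness(),
           harness_allows_rowbytes_overflow());
    printf("rowbytes at PNG max width, 32-bit overflow: %d\n",
           unbounded_allows_rowbytes_overflow());
    return 0;
}
```

With the harness limit in place the largest row is well under 2^30 bytes, so the 32-bit overflow the bug condition needs cannot be reached; removing the limit makes it reachable, which is the trade-off behind the "fix the harness or graveyard the bug" question.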