hopper-vul

Results 13 comments of hopper-vul

Here is the trigger case, you can compile it to reproduce the crash. ``` #include "png.h" #include #include #include typedef uint8_t u8; typedef uint64_t u64; typedef int8_t i8; typedef int32_t...

Here is a smallest trigger case, compile and link with `-fsanitize=address` flag and it will trigger the overflow. ``` #include "png.h" #include #include typedef uint16_t u16; typedef int8_t i8; typedef...

Here is the trigger case, you can compile it to reproduce the crash. ``` #include "png.h" #include #include #include #include #include #include typedef uint8_t u8; typedef uint16_t u16; typedef uint32_t...

@thealberto hi, we have found some fresh crashes. It seems the `png_read_png` function actually has some problems and may suffer security risks. Hope those problems could be properly fixed. Best...

Here is the trigger case, you can compile it to reproduce the crash. ``` #include "png.h" #include #include #include typedef uint8_t u8; typedef uint64_t u64; typedef int8_t i8; typedef int32_t...

@nayuki, sorry about some things not described clearly. `row_info->rowbytes == 0` is because `row_info` is computed from `png_ptr->pixel_depth` and `png_ptr->iwidth`, where `png_ptr->pixel_depth=8` is read from IHDR and `png_ptr->iwidth` holds the default...

This is the full trigger case; the overflow will be triggered if this file is compiled and linked with AddressSanitizer (add the `-fsanitize=address` flag). In this case, the 17th-20th bytes of...

> I saw that you found another possible bug described in the issue #454 , did you improve the fuzzer or just created a custom one? @thealberto Yes, we have...

@thealberto Sorry, I'm afraid not; whether/how it should be released or open sourced is not up to me, and I haven't heard anything about releasing it yet. Nevertheless, we are...

@thealberto Good news, our team would like to open source the fuzzer tool after this tool is completed. At that time, it would be possible to integrate it into libpng and...