Thread with 17 posts
I found a bug in stb_image, but not the sexy security vulnerability kind
https://github.com/nothings/stb/issues/1456
can I nerd-snipe someone who knows about DEFLATE and/or Huffman coding? 🥺
ooh it’s a regression. I’m scared that the cause of the regression will be “introducing security checks” though
(narrator voice) it was
I might have found the problem ^^
It was a team effort, though!
me: so, the purpose of the adler-32 checksum at the end of a png’s zlib stream…
you: …is to check the data integrity, right?
me: no, the purpose of a system is what it does
you: oh no
me: and what it does is let the decompressor have little a buffer overrun, as a treat
you:
well, i think i nerd-sniped @.rygorous, they fixed it properly now. thank you!!
hey wait hang on this actually IS a security vulnerability… in old versions of stb_image, before the buffer overrun check. oh no
@hikari That is incorrect. There've been several vulns in stb_image but this was never one of them.
All the reads in that path go through zget8 which just keeps going and returning 0 (and not advancing the read cursor) at the end of the buffer. So no actual overrun.
The actual original issue was that in certain situations you could get stuck in an infinite loop reading ever more implicit zeros that way, never returning an error. (So DoS)
@hikari So that one was still bad, but a very different kind of bad!
@hikari The EOF check was added later to prevent this, and is too eager (triggers when we fill the extra bits into the buffer - which is speculative - not after we actually consume them), but this was fine for regular PNGs which always have the 32-bit Adler32 footer after them.
In CgBIs, though, which got both the new overeager check _and_ no Adler32 footer, it can misfire.
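The refill-versus-consume distinction @rygorous describes, as an added C example (hypothetical code, not stb_image's decoder): a toy bit reader whose zget8 hands back implicit zeros past the end, with the overeager check beside the precise one. The refill-to-more-than-24-bits threshold, the code widths and the byte values are assumptions constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical LSB-first DEFLATE-style bit reader, not stb_image's code. */
typedef struct {
    const uint8_t *start, *cur, *end;
    uint32_t code_buffer;   /* fetched bits not yet consumed */
    int num_bits;           /* valid bits in code_buffer */
    int fill_hit_end;       /* set when a speculative refill ran past the data */
    long bits_consumed;     /* bits actually handed to the decoder */
} bitreader;

/* Like zget8: past the end, return 0 and do not advance the cursor. */
static uint32_t zget8(bitreader *z) {
    if (z->cur >= z->end) { z->fill_hit_end = 1; return 0; }
    return *z->cur++;
}

/* Speculative refill: tops the buffer up past 24 bits whether or not the
   decoder will ever use the extra bytes (assumed threshold). */
static void fill_bits(bitreader *z) {
    while (z->num_bits <= 24) {
        z->code_buffer |= zget8(z) << z->num_bits;
        z->num_bits += 8;
    }
}
/* Consume n bits (n <= 16). eager=1 is the overeager check: fail as soon as a
   refill touched the end. eager=0 fails only once more bits were consumed than
   the stream really contained. Returns 0 on success, -1 on error. */
static int read_bits(bitreader *z, int n, int eager, uint32_t *out) {
    if (z->num_bits < n) fill_bits(z);
    if (eager && z->fill_hit_end) return -1;
    *out = z->code_buffer & ((1u << n) - 1);
    z->code_buffer >>= n; z->num_bits -= n; z->bits_consumed += n;
    return (!eager && z->bits_consumed > (long)(z->end - z->start) * 8) ? -1 : 0;
}

/* Decode four codes of 5+5+4+10 = 24 bits: exactly the first three bytes. */
static int decode(const uint8_t *data, size_t len, int eager) {
    bitreader z = { data, data, data + len, 0, 0, 0, 0 };
    static const int widths[4] = { 5, 5, 4, 10 };
    uint32_t v;
    for (int i = 0; i < 4; i++)
        if (read_bits(&z, widths[i], eager, &v) < 0) return -1;
    return 0;
}

/* Constructed inputs: codes alone (CgBI-like, no footer), codes + 4-byte footer (PNG), truncated. */
static const uint8_t no_footer[3]   = { 0xA5, 0x3C, 0x7E };
static const uint8_t with_footer[7] = { 0xA5, 0x3C, 0x7E, 1, 2, 3, 4 };
static const uint8_t truncated[2]   = { 0xA5, 0x3C };
```

The eager check rejects the footer-less stream even though every consumed bit is present, passes once a footer pads the refill, and the consume-time check accepts the former while still catching a genuinely truncated stream.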
@rygorous oh right of course, I supposedly knew that… was zget8 always used though?
@hikari yes! Pretty sure that was already that way in the original 2007 releases
@rygorous ah, good to know! this makes me feel a little better about relying on stb_image
@hikari not even a nerd snipe, this is just my job. :)
@rygorous aha, congratulations?
@hikari TIL about `git bisect` 👀