Thread with 12 posts
jump to expanded post
I found a bug in stb_image, but not the sexy security vulnerability kind
https://github.com/nothings/stb/issues/1456
can I nerd-snipe someone who knows about DEFLATE and/or Huffman coding? 🥺
ooh it’s a regression. I’m scared that the cause of the regression will be “introducing security checks” though
(narrator voice) it was
I might have found the problem ^^
It was a team effort, though!
me: so, the purpose of the adler-32 checksum at the end of a png’s zlib stream…
you: …is to check the data integrity, right?
me: no, the purpose of a system is what it does
you: oh no
me: and what it does is let the decompressor have little a buffer overrun, as a treat
you:
well, i think i nerd-sniped @.rygorous, they fixed it properly now. thank you!!
hey wait hang on this actually IS a security vulnerability… in old versions of stb_image, before the buffer overrun check. oh no
@hikari That is incorrect. There've been several vulns in stb_image but this was never one of them.
All the reads in that path go through zget8 which just keeps going and returning 0 (and not advancing the read cursor) at the end of the buffer. So no actual overrun.
The actual original issue was that in certain situations you could get stuck in an infinite loop reading ever more implicit zeros that way, never returning an error. (So DoS)
@rygorous oh right of course, I supposedly knew that… was zget8 always used though?
@hikari yes! Pretty sure that was already that way in the original 2007 releases
@rygorous ah, good to know! this makes me feel a little better about relying on stb_image