Description:
I've encountered a potential vulnerability in libpng when processing certain malformed PNG files. Specifically, when libpng attempts to process a PNG file with an invalid bit depth for a grayscale image, it may enter an infinite loop or hang indefinitely. This issue can potentially be exploited to cause a denial-of-service (DoS) attack.
Steps to Reproduce:
Execute the test program and input it; observe the infinite loop and error message respectively.
Observed Behavior:
The program runs indefinitely when png_read_info() is called, instead of triggering an error or exiting gracefully. This suggests that libpng is not correctly handling the malformed PNG data, leading to a potential infinite loop or hang.
Expected Behavior:
libpng should detect the invalid bit depth and trigger an error, preventing the program from hanging indefinitely.
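The check the report expects from the library, written as a stand-alone header validator in C. This is an added example and not libpng's code: it parses the PNG signature and the IHDR chunk from a buffer and rejects the bit depth / color type combinations the PNG specification does not allow (grayscale permits only 1, 2, 4, 8 and 16). The names `ihdr_check()` and `make_header()` are this example's own, and the headers it builds are constructed samples, not the file from the report; the chunk CRC is deliberately not verified here.

```c
/* Added example (not libpng's code): validate a PNG IHDR before decoding.
 * Rejecting a bad bit depth up front is the behaviour the report asks for. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result codes returned by ihdr_check(). */
enum ihdr_status {
    IHDR_OK = 0,
    IHDR_TRUNCATED,
    IHDR_BAD_SIGNATURE,
    IHDR_NOT_IHDR,
    IHDR_BAD_DIMENSIONS,
    IHDR_BAD_COLOR_TYPE,
    IHDR_BAD_BIT_DEPTH
};

static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Allowed bit depths per color type, as given in the PNG specification. */
static int depth_allowed(uint8_t color_type, uint8_t depth) {
    switch (color_type) {
    case 0:  /* grayscale */
        return depth == 1 || depth == 2 || depth == 4 || depth == 8 || depth == 16;
    case 3:  /* indexed colour */
        return depth == 1 || depth == 2 || depth == 4 || depth == 8;
    case 2: case 4: case 6:  /* truecolour, grayscale+alpha, truecolour+alpha */
        return depth == 8 || depth == 16;
    default:
        return 0;
    }
}

/* Validate signature + IHDR in buf[0..len). Needs 8 (sig) + 8 (len/type)
 * + 13 (IHDR data) bytes; the trailing 4-byte CRC is not checked here. */
enum ihdr_status ihdr_check(const uint8_t *buf, size_t len) {
    if (len < 8 + 8 + 13) return IHDR_TRUNCATED;
    if (memcmp(buf, PNG_SIG, 8) != 0) return IHDR_BAD_SIGNATURE;
    const uint8_t *chunk = buf + 8;
    if (be32(chunk) != 13 || memcmp(chunk + 4, "IHDR", 4) != 0) return IHDR_NOT_IHDR;
    const uint8_t *d = chunk + 8;
    uint32_t w = be32(d), h = be32(d + 4);
    uint8_t depth = d[8], ctype = d[9];
    /* PNG dimensions are 31-bit positive integers. */
    if (w == 0 || h == 0 || w > 0x7fffffffu || h > 0x7fffffffu) return IHDR_BAD_DIMENSIONS;
    if (ctype != 0 && ctype != 2 && ctype != 3 && ctype != 4 && ctype != 6) return IHDR_BAD_COLOR_TYPE;
    if (!depth_allowed(ctype, depth)) return IHDR_BAD_BIT_DEPTH;
    return IHDR_OK;
}

/* Build a constructed signature + IHDR chunk (CRC left as zeros) into out,
 * which must hold at least 33 bytes. Returns the number of bytes written. */
size_t make_header(uint8_t *out, uint32_t w, uint32_t h, uint8_t depth, uint8_t ctype) {
    memcpy(out, PNG_SIG, 8);
    uint8_t *p = out + 8;
    put32(p, 13);
    memcpy(p + 4, "IHDR", 4);
    put32(p + 8, w);
    put32(p + 12, h);
    p[16] = depth; p[17] = ctype;
    p[18] = 0; p[19] = 0; p[20] = 0;   /* compression, filter, interlace */
    memset(p + 21, 0, 4);              /* CRC placeholder, not verified */
    return 8 + 4 + 4 + 13 + 4;
}

int main(void) {
    uint8_t buf[64];
    /* Constructed sample: 1x1 grayscale with an invalid bit depth of 3. */
    size_t n = make_header(buf, 1, 1, 3, 0);
    printf("grayscale depth 3 -> status %d (expect %d)\n", ihdr_check(buf, n), IHDR_BAD_BIT_DEPTH);
    n = make_header(buf, 1, 1, 8, 0);
    printf("grayscale depth 8 -> status %d (expect %d)\n", ihdr_check(buf, n), IHDR_OK);
    return 0;
}
```

A decoder front end that runs this before `png_read_info()` refuses the malformed header with a definite error code instead of relying on the library's own handling of the bad combination.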
Focused on fuzzing then producing obviously erroneous, though cleverly obfuscated, code. Ok, I can see you are capable and you say you are working for free, so take a look at this: #579
To those who can't work it out, compare the usages of 'fake_file' in the two pieces of code: Test_png_2.c, which works and uses 'fake_file', despite the name, and Test_png_1.c, which passes a pointer to the stack to png_set_read_fn.
Particularly given that removal of the added "&" in png_set_read_fn results in a very obvious crash when fread is called with NULL.