PNG Reference Library: libpng

Defending Libpng Against Decompression Bombs

Security Advisory for libpng-1.4.0 and earlier, 27 February 2010

Because of the efficient compression method used in Portable Network Graphics (PNG) files, a small PNG file can expand tremendously, acting as a "decompression bomb". Malformed PNG chunks can consume a large amount of CPU and wall-clock time and large amounts of memory, up to all memory available on a system.

Eventually libpng would discover that the chunk was malformed or would run out of memory, abandon the chunk and return the allocated memory, so this is only a nasty Denial of Service (DoS) vulnerability that probably cannot be used to compromise a system.

Libpng versions 1.4.1, 1.2.43, and 1.0.53 have been revised to use less CPU time and memory. Libpng-1.4.1 also provides functions that applications can use to further defend against such files.

For further details, see the libpng document "Defending Libpng Applications Against Decompression Bombs", available at <http://libpng.sourceforge.net/decompression_bombs.html>.

The PNG Development Group recommends that everyone upgrade to libpng version 1.4.1, if at all possible.
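
The following is an added example, not libpng code and not part of the original advisory: an application-side pre-check that walks a PNG chunk stream and inflates each compressed text (zTXt) chunk under a hard output cap, so an oversized chunk is rejected before the file reaches the decoder. The 64 KiB cap, the function names and the sample files are assumptions made for illustration, and only zTXt chunks are covered.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, payload):  # length, type, data, CRC-32 over type+data
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I4s", len(payload), ctype) + payload + struct.pack(">I", crc)

def iter_chunks(data):
    """Yield (type, payload) per chunk, rejecting bad lengths and CRCs."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(data):
        if pos + 12 > len(data):
            raise ValueError("truncated chunk")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("chunk length exceeds file size")
        payload = data[pos + 8:end]
        if zlib.crc32(ctype + payload) != struct.unpack(">I", data[end:end + 4])[0]:
            raise ValueError("bad chunk CRC")
        yield ctype, payload
        pos = end + 4

def bounded_inflate(stream, limit):
    """Inflate a zlib stream, never producing more than limit + 1 bytes."""
    d = zlib.decompressobj()
    out = d.decompress(stream, limit + 1)  # output is capped by max_length
    if len(out) > limit:
        raise ValueError("inflated data exceeds limit")
    if not d.eof:
        raise ValueError("truncated zlib stream")
    return out

def ztxt_sizes(data, limit=64 * 1024):  # default cap is an assumed value
    """Return the inflated size of each zTXt chunk; raise past the cap."""
    sizes = []
    for ctype, payload in iter_chunks(data):
        if ctype == b"zTXt":
            _keyword, sep, rest = payload.partition(b"\x00")
            if not sep or rest[:1] != b"\x00":  # compression method must be 0
                raise ValueError("malformed zTXt chunk")
            sizes.append(len(bounded_inflate(rest[1:], limit)))
    return sizes

def sample(text):  # constructed chunk stream (no image data) for testing
    body = b"Comment\x00\x00" + zlib.compress(text, 9)
    return PNG_SIG + chunk(b"zTXt", body) + chunk(b"IEND", b"")
```

Because `decompress` is called with a `max_length` of `limit + 1`, memory use stays bounded by the cap regardless of how far the chunk would otherwise expand.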