
hicolor's People

Contributors

dbohdan


hicolor's Issues

Lack of PNG format verification

As the cute_png.h library is used to load and parse PNG files, the returned image is not verified. This could cause the program's functionality to be disrupted.

An example I encountered was when the PNG headers stored excessive values for the image's height and width (despite the fact that the pixels are not stored in the data section of the format). This causes the malloc from the function cp_to_rgb to return NULL and, as a result of the pointer dereferencing below, the program will generate a SIGSEGV and stop working.
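A header pre-check of the kind this issue calls for, as an added example that is not part of the original issue or of hicolor or cute_png.h: it validates the PNG signature and the IHDR width and height and caps the pixel count before any decoder allocation happens. `MAX_PIXELS`, `png_header_check` and `check_dims` are hypothetical names and values chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy cap (not from hicolor or cute_png.h): 64 Mi pixels. */
#define MAX_PIXELS ((uint64_t)1 << 26)

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate signature and IHDR before decoding. Returns 0 and sets
 * *rgba_bytes on success, a negative code otherwise. CRC is not checked. */
int png_header_check(const unsigned char *buf, size_t len, size_t *rgba_bytes)
{
    static const unsigned char sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};

    if (buf == NULL || len < 29) return -1;   /* 8 sig + 8 chunk header + 13 IHDR */
    if (memcmp(buf, sig, 8) != 0) return -2;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return -3;

    uint32_t w = be32(buf + 16), h = be32(buf + 20);
    /* The PNG specification forbids zero and values above 2^31 - 1. */
    if (w == 0 || h == 0 || w > 0x7fffffffu || h > 0x7fffffffu) return -4;

    uint64_t pixels = (uint64_t)w * h;        /* below 2^62, cannot wrap */
    if (pixels > MAX_PIXELS) return -5;

    *rgba_bytes = (size_t)(pixels * 4);       /* at most 2^28, fits in size_t */
    return 0;
}

/* Constructed sample input: a bare signature plus IHDR with the given size. */
int check_dims(uint32_t w, uint32_t h)
{
    unsigned char b[29] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
                           0, 0, 0, 13, 'I', 'H', 'D', 'R'};
    size_t bytes = 0;
    for (int i = 0; i < 4; i++) {
        b[16 + i] = (unsigned char)(w >> (24 - 8 * i));
        b[20 + i] = (unsigned char)(h >> (24 - 8 * i));
    }
    b[24] = 8; b[25] = 6;                     /* 8-bit RGBA */
    return png_header_check(b, sizeof b, &bytes);
}

int main(void)
{
    printf("640x480 -> %d\n", check_dims(640, 480));
    printf("huge    -> %d\n", check_dims(0x7fffffffu, 0x7fffffffu));
    return 0;
}
```

A caller would run this on the file bytes before invoking the decoder and would still check the result of every malloc.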

Simply don't work

I click on the program and there is a command line that briefly shows up before closing. Alright, I figure I then have to run it through CMD itself.

So I type cd:\Users\Me into CMD (which is where I put the executable and the image), and then enter hicolor-v0.3.1-win32.exe hicolor quantize -5 example.png

But then it says "invalid command" and simply tells me:
hicolor (encode|decode|quantize) [options] src [dest]
hicolor info file
hicolor version
hicolor help

I don't know what I'm being asked to do. Even hicolor help produces "invalid command".

alpha.png not found

When trying to build with "make test" I get the following:

./tests/hicolor.test


==== data-integrity-2.1 alpha roundtrip FAILED
==== Contents of test case:

    hicolor quant alpha.png alpha-q.png
    exec gm compare -metric rmse alpha.png alpha-q.png

---- Test generated error; Return code was: 1
---- Return code should have been one of: 0 2
---- errorInfo: source image "alpha.png" doesn't exist
    while executing
"exec {*}$::hicolorCommand {*}$args"
    (procedure "hicolor" line 2)
    invoked from within
"hicolor quant alpha.png alpha-q.png"
    ("uplevel" body line 2)
    invoked from within
"uplevel 1 $script"
---- errorCode: CHILDSTATUS 2909 1
==== data-integrity-2.1 FAILED

hicolor.test:   Total   24      Passed  23      Skipped 0       Failed  1
make: *** [Makefile:26: test] Error 1

Bugs/vulnerabilities found in hicolor v0.5.0

Summary

Hi~, I did some fuzzy testing and found some bugs/vulnerabilities on hicolor v0.5.0. I hope these findings will help improve software quality.

These bugs/vulnerabilities are mainly caused by unsafe component cute_png.h v1.05. According to my analysis, because the compilation environment of hicolor is inconsistent with the official compilation environment of cute_png.h v1.05, not all bugs in cute_png.h affect hicolor. The bugs/vulnerabilities listed below can truly affect hicolor v0.5.0.

All of the bugs/vulnerabilities are triggered with no assertion raised. This means that these bugs/vulnerabilities are unexpected behaviors of the program.

hicolor: https://github.com/dbohdan/hicolor

cute_headers: https://github.com/RandyGaul/cute_headers

See also https://github.com/Helson-S/FuzzyTesting/tree/master/hicolor

heapof-r1-cp_unfilter-cute_png-1019c11

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_unfilter() at line 1019 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample6.png ./output.hic && rm -f ./output.hic


heapof-r65280-cp_stored-cute_png-543c2

Description

Heap-buffer-overflow bug/vulnerability caused by read access found in function cp_stored() at line 543 of vendor/cute_png.h v1.05. What's more, sample10.png provided as attack vector causes double-free heap memory corruption in function cp_load_png_mem() at line 1194 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample10.png ./output.hic && rm -f ./output.hic

Screen-shots (images not preserved): heap-buffer-overflow; double-free heap memory corruption

heapof-w1-cp_block-cute_png-623c12

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 623 of vendor/cute_png.h v1.05. What's more, sample11.png provided as attack vector causes double-free heap memory corruption in function cp_load_png() at line 1216 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample11.png ./output.hic && rm -f ./output.hic

Screen-shots (images not preserved): heap-buffer-overflow; double-free heap memory corruption

heapof-w1-png_quantize-cli-220c32

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function png_quantize() at line 220 of cli.c v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor quantize -n ./poc/sample18.png ./output.hic && rm -f ./output.hic


heapof-w16-cp_block-cute_png-644c37

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 644 of vendor/cute_png.h v1.05. What's more, sample12.png provided as attack vector causes unmap invalid pointer memory corruption in function cp_load_png_mem() at line 1189 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample12.png ./output.hic && rm -f ./output.hic

Screen-shots (images not preserved): heap-buffer-overflow; unmap invalid pointer

heapof-w98-cp_block-5c0-cute_png-642c5

Description

Heap-buffer-overflow bug/vulnerability caused by write access found in function cp_block() at line 642 of vendor/cute_png.h v1.05.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample13.png ./output.hic && rm -f ./output.hic


stkof-w133-cp_dynamic-cute_png-603

Description

Stack-buffer-overflow bug/vulnerability caused by write access found in function cp_dynamic() at line 603 of vendor/cute_png.h v1.05. It will lead to control flow hijacking.

Affected version: hicolor v0.5.0

Reproduction

Environment:

Operating system version: Ubuntu 22.04

Linux kernel version: Linux pc 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Compiler version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

Compile hicolor with ASAN and run the following command in bash shell:

hicolor encode -a ./poc/sample16.png ./output.hic && rm -f ./output.hic


Software can't even open

It doesn't open on my PC at all. All it does is have a command prompt window pop up for a split second.

Also, the Linux version isn't even a program, it's a blank file. Not even a binary.

I've tried it in other operating systems yet it still doesn't work.
