[Dev-luatex] PNG file inclusion

Reinhard Kotucha reinhard.kotucha at web.de
Sun Jan 5 01:36:22 CET 2020


Hi,
I just encountered a problem with a broken PNG file.  The PNG file was
created with Microsoft's "Snipping Tool".

The problem affects both, LuaTeX and pdfTeX and proably XeTeX too (not
tested).

When I include a PNG file created by Microsoft's "Snipping Tool",
Okular crashes.  No Problem when I convert PNG->PNM->PNG with
ImageMagick.

In both cases the header is:

  1 0 obj
  <<
  /Type /XObject
  /Subtype /Image
  /Width 1942
  /Height 878
  /BitsPerComponent 8
  /ColorSpace /DeviceRGB
  /Length 5115228   
  >>
  stream
    ....
  endstream
  endobj


I would expect that the number of bytes between "stream" and
"endstream" is exactly the number of bytes denoted by /Length.

When I use the original PNG file, 6820463 bytes are inserted between
stream and endstream, with the converted file exactly 5115228 bytes
are written.

The value of /Length is obviously derived from the header:

   1942 × 878 × 3 = 5115228

Assuming that a PDF viewer uses the value of /Length to demermine the
amount of memory to allocate, crashes are quite likely and maybe this
behavior can be abused to inject code into unallocated memory.

Assuming that libpng is used for PNG decompression, it's probably the
culprit.  But I don't know whether the PNG standard allows to add
additional information to the file.  In this case the size cannot be
determined from the header.

My suggestion is, instead of relying entirely on external libraries,
to make sure that (pdf|Lua)TeX always inserts exactly /Length bytes to
the stream.  If this is not possible, abort with an meaningful error
message.  At the end TeX has to create valid PDF and without such a
check such problems get undetected.

I've got the PNG file from someone writing his master thesis on
Windows.  He didn't encounter any problem himself.  Here only Okular
crashed, Evince and two versions of Adobe Reader didn't complain.  And
a minimal example which contains only the PNG file is accepted by
Okular.  Thus I can't provide a minimal example.  But I've copied the
PNG and PDF files to

  http://ms25.ddns.net/texlive/png-inclusion.tar.xz

The PDF files were created by pdfTeX, using only the \pdfximage and
\pdfrefximage primitives.

Regards,
  Reinhard

-- 
------------------------------------------------------------------
Reinhard Kotucha                            Phone: +49-511-3373112
Marschnerstr. 25
D-30167 Hannover                    mailto:reinhard.kotucha at web.de
------------------------------------------------------------------


More information about the dev-luatex mailing list