{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1760995861, "reponame":"libwebsockets", "desc":"libwebsockets lightweight C networking library", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://libwebsockets.org/repo/libwebsockets", "f":3, "items": [ {"schema":"libjg2-1", "cid":"8792b660fd284f081c355a7bf49626ba", "commit": {"type":"commit", "time": 1759939412, "time_ofs": 60, "oid_tree": { "oid": "4bb9a5591c0d9e8c00ee407d4360c01dcd5839e3", "alias": []}, "oid":{ "oid": "7df24cca7144d7bc9233b6b0a71108bd154ce101", "alias": []}, "msg": "NN-2025-0104: UPNG out of bounds read", "sig_commit": { "git_time": { "time": 1759939412, "offset": 60 }, "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" }, "sig_author": { "git_time": { "time": 1758717537, "offset": 60 }, "name": "Nozomi Network Labs", "email": "labs-advisory@nozominetworks.com", "md5": "e570194d13a3ff6c89099f07c6cf4a59" }}, "body": "NN-2025-0104: UPNG out of bounds read\n\nThis document contains sensitive information collected during our\nsecurity research activities related with the Libwebsockets library made\nby Andy Green (warmcat).\n\n+-------------------------------------------------------------------------------------------------------+\n| Report information |\n+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+\n| Vendor | 
warmcat |\n+-------------------------------------+-----------------------------------------------------------------+\n| Vendor URL | https://libwebsockets.org/git/libwebsockets |\n+-------------------------------------+-----------------------------------------------------------------+\n| Affected component | libwebsockets |\n+-------------------------------------+-----------------------------------------------------------------+\n| Affected version | 4.4 |\n+-------------------------------------+-----------------------------------------------------------------+\n| Vulnerability | CWE-125: Out-of-bounds Read |\n+-------------------------------------+-----------------------------------------------------------------+\n| Proposed CVSS v3.1 Base Score | 6.0 |\n+-------------------------------------+-----------------------------------------------------------------+\n| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |\n+-------------------------------------+-----------------------------------------------------------------+\n\n+-----------------------------------------------------------------------------+\n| Security Researcher(s) |\n+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+\n| Name | **Email address** |\n+-------------------------------------+---------------------------------------+\n| Raffaele Bova | labs-advisory@nozominetworks.com |\n+-------------------------------------+---------------------------------------+\n\nLibwebsockets is a C library that provides client and server\nimplementation for various protocols (e.g., HTTP, websockets, 
MQTT) and\nmore.\n\nNozomi Networks Lab discovered a \u0022CWE-125: Out-of-bounds Read\u0022 in the\nlatest software version of libwebsockets, specifically in the PNG\nparsing.\n\nDepending on the use of the API, the vulnerability allows an attacker\nthat can provide a PNG to the software, (e.g., victim visits an attacker\ncontrolled server using the http client in an implementation that uses\nthe display stack and renders the PNG), could cause a segmentation fault\nor crash by making the program read past the heap allocated buffer.\n\nThe issue is caused by the `lws_upng_emit_next_line` function,\nspecifically in the branch when `uf-\u003epadded` is true, in the loop where\nit reads from the sliding window, ibp is incremented but never reset,\nmaking it possible to read past the buffer, and if the input file is big\nenough, reading past the currently mapped heap memory causing a crash.\n\nThe way to trigger this issue is to construct a big enough PNG file that\nhas a width of 1, bit depth of 1 and a very big height.\n\n![Address sanitizer report on out of bounds read](./NN-2025-0104_image.png)\n\nWe have provided all the necessary files to reproduce the issue and a\npatch that resolves the problem.\n\nFrom our understanding of the code, it could be sufficient to fix the\narray access to the `uf-\u003ein` buffer by doing it modulo `u-\u003einf.info_size`,\nwe don't know whether that is the intended approach, however it resolves\nthe issue.\n" , "diff": "diff --git a/lib/misc/upng.c b/lib/misc/upng.c\nindex b3fa5f5..becab64 100644\n--- a/lib/misc/upng.c\n+++ b/lib/misc/upng.c\n@@ -276,7 +276,7 @@ lws_upng_emit_next_line(lws_upng_t *u, const uint8_t **ppix,\n \t\tunsigned long x;\n \n \t\tfor (x \u003d 0; x \u003c (unsigned long)u-\u003ewidth * (unsigned long)uf-\u003ebpp; x++) {\n-\t\t\tuint8_t bit \u003d (uint8_t)((uf-\u003ein[(uf-\u003eibp) \u003e\u003e 3] \u003e\u003e\n+\t\t\tuint8_t bit \u003d (uint8_t)((uf-\u003ein[((uf-\u003eibp) \u003e\u003e 3) % 
u-\u003einf.info_size] \u003e\u003e\n \t\t\t\t\t\t(7 - ((uf-\u003eibp) \u0026 7))) \u0026 1);\n \t\t\tuf-\u003eibp++;\n \n","s":{"c":1760971171,"u": 2070}} ],"g": 1580,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "7d0a"}
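
Review bot: In the `uf->padded` bit loop of `lws_upng_emit_next_line`, the added `% u->inf.info_size` wraps the byte index into `uf->in` but leaves `uf->ibp` itself growing on every bit, so the read is only correct if wrapping is the right behaviour for this window. The commit message says the submitters do not know whether modulo is the intended approach, so the line should carry a comment stating why `uf->in` can be treated as a ring of `info_size` bytes here; if that does not hold, reset or rebase `uf->ibp` where the window is refilled instead of masking the index. Please also confirm that `u->inf.info_size` cannot be zero when this branch runs, since the new expression divides by it. The modulo is evaluated once per bit, so hoisting the size into a local before the `for (x = 0; ...)` loop would keep the inner loop cheap.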