
Another round of image bugs: PNG and JPEG XR - robin_reala
http://lcamtuf.blogspot.com/2015/03/another-round-of-image-bugs-png-and.html
======
lmm
Now that we have an OCaml SSL implementation, has anyone put together a
roadmap for building up to a complete browser in OCaml?

It would be the work of a decade or more to rewrite image parsing, HTML
rendering and all the rest of it, but I honestly think it's the only way we're
ever going to get decent security.

~~~
gsnedders
Last I knew they didn't have much in the way of defence against timing
side-channels, which pretty much rules it out for any real deployment.

~~~
lmm
Don't they? I'd think someone would crack the bitcoin piñata if so.

~~~
sp332
Bitcoin piñata [http://ownme.ipredator.se/](http://ownme.ipredator.se/)
[https://news.ycombinator.com/item?id=9027743](https://news.ycombinator.com/item?id=9027743)

------
TazeTSchnitzel
I think I need to write a "C Programming Language Considered Harmful" essay.
In this era, using a language which allows buffer overflows, heap corruption,
use-after-free, integer overflow, and eliminates "undefined" but
security-critical code, is utterly irresponsible for anything where security
matters - and that is virtually anything, given the complexity and interactions
in modern systems.

All code should have mandatory, compiler-enforced integer overflow and bounds
checks at the very least.

~~~
pjmlp
This was already clear to many of us Modula-2/Turbo Pascal developers back in
the mid-90's, but then C won thanks to UNIX adoption.

- Array implicit decay into pointers instead of requiring an explicit
"address of" operator

- No bounds checking

- Implicit conversion between enumerations and numeric types

- Implicit conversions between numeric types

- Null terminated strings

Every time I had code in straight C, I made it look like Pascal by validating
all the parameters, compiling with all warnings enabled, warnings as errors,
using ADTs with no field access to structs.

A static analyzer is also compulsory.

The amount of money spent on bug fixing in developer time, on creating C
memory corruption detection tools and on paying for them is just endless.

~~~
TazeTSchnitzel
Oh, right, I forgot about null-terminated (aka "C") strings! But you'd have to
get rid of them for bounds-checks anyway.

~~~
TheLoneWolfling
Nah.

You can deal with null-terminated strings.

You "just" have to be able to prove that all operations ensure a string
remains postpended with a null, and doesn't get extended beyond the length of
the underlying allocation.
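
The invariant stated in this comment, turned into code as an added example (not from the thread or from the linked article): a length-tracked string type whose every operation keeps `len < cap` and `buf[len] == '\0'`, with the length check written so that an attacker-controlled size cannot wrap around. The type and function names (`bstr`, `bstr_append`, `bstr_demo`) and the sample strings are made up for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Length-tracked C string. Every operation keeps the invariant
 *   len < cap  and  buf[len] == '\0'
 * so the string stays NUL-terminated inside its cap-byte allocation. */
typedef struct {
    char  *buf;
    size_t cap;   /* bytes allocated for buf, including the terminator */
    size_t len;   /* bytes in use, excluding the terminator */
} bstr;

/* True if the invariant holds; callers can check this after any operation. */
bool bstr_ok(const bstr *s) {
    return s->buf && s->cap > 0 && s->len < s->cap && s->buf[s->len] == '\0';
}

bool bstr_init(bstr *s, size_t cap) {
    if (cap == 0 || !(s->buf = calloc(cap, 1))) return false;
    s->cap = cap;   /* calloc zeroed the buffer, so buf[0] is already '\0' */
    s->len = 0;
    return true;
}

/* Append n bytes of src, or return false and leave s unchanged if the result
 * plus its terminator would not fit. Comparing n > cap - 1 - len instead of
 * len + n + 1 > cap means an attacker-controlled n cannot wrap size_t. */
bool bstr_append(bstr *s, const char *src, size_t n) {
    if (n > s->cap - 1 - s->len) return false;
    memcpy(s->buf + s->len, src, n);
    s->len += n;
    s->buf[s->len] = '\0';   /* re-establish the terminator */
    return true;
}

/* Worked run on an 8-byte buffer (room for 7 characters), using constructed
 * sample strings. Returns the final length, or -1 if any step misbehaved. */
int bstr_demo(void) {
    bstr s;
    if (!bstr_init(&s, 8)) return -1;
    bool a = bstr_append(&s, "hello", 5);     /* fits: len becomes 5 */
    bool b = bstr_append(&s, "world", 5);     /* rejected: 5 > 8 - 1 - 5 */
    bool c = bstr_append(&s, "!!", 2);        /* fits exactly: len becomes 7 */
    bool d = bstr_append(&s, "x", SIZE_MAX);  /* rejected, with no wraparound */
    int r = (a && !b && c && !d && bstr_ok(&s) && !strcmp(s.buf, "hello!!")) ? (int)s.len : -1;
    free(s.buf);
    return r;
}
```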

------
foliveira
It seems that Safari 8.0.3 on OS 10.10.2 is also affected by the PNG bug.
Although it has a variable number of variants each time the page is
opened/refreshed (don't have access to a vulnerable IE to test if it has the
same behaviour)

~~~
acdha
It might be the case that the variants aren't exploitable – Safari uses
CoreImage and that framework tends to bend over backwards to support malformed
images so I wouldn't be surprised to see it render differently for each
slightly different test image even if none of them are exploitable.

~~~
0x0
But isn't the idea here that all the "variants" are actually the same exact
.png byte stream? So any differences are the result of leaking memory...?

~~~
acdha
You're right – the random call is just a dodge around caching. It could be
leaked memory or possibly something like an address dependency but I'd hope
that he submitted it to Apple along with the other browsers he's been testing.

~~~
0x0
It's also acting up in iOS on mobile safari. And, even more interestingly, if
you long-tap a few of the images and save them to the photo stream, you'll see
them change "live" in lots of applications like the photo browser, photo
editors, pasting in an iMessage, etc.

------
pjmlp
Yep, another example of C features.

I am really looking forward to the likes of D, Go, Rust, .NET Native, Ada,
ParaSail, Chapel, Java (past v10) and many others helping reduce the need for C
even further, to the same level as Assembly use nowadays.

------
shubhamjain
Seriously, how does one go about discovering obscure exploits like these?

~~~
medmunds
Well, fuzzing, apparently:

> Similarly to the previously discussed bugs ... these two were found with
> afl-fuzz.

[http://lcamtuf.coredump.cx/afl/](http://lcamtuf.coredump.cx/afl/)

