This is a personal blog. My other stuff: book | home page | Twitter | prepping | CNC robotics | electronics

March 11, 2015

Another round of image bugs: PNG and JPEG XR

Today's release of MS15-024 and MS15-029 addresses two more image-related memory disclosure vulnerabilities in Internet Explorer - this time, affecting the little-known JPEG XR format supported by this browser, plus the far more familiar PNG. Similarly to the previously discussed bugs in MSIE TIFF and JPEG parsing, and to the BMP, ICO, and GIF and JPEG DHT & SOS flaws in Firefox and Chrome, these two were found with afl-fuzz. The earlier posts have more context - today, just enjoy some pretty pics, showing subsequent renderings of the same JPEG XR image:

Proof-of-concepts are here (JXR) and here (PNG). I am happy to report that Microsoft fixed them within roughly three months of the original report.

The total number of bugs squashed in this category is now ten. I have just one more multi-browser image parsing bug outstanding - but it should be an interesting one. Stay tuned.


  1. I was curious how you were able to instrument IE. I haven't played with the QEMU support in AFL, and was unaware that it had the ability to instrument Windows binaries. Is this the case, or was there some hackery involved in getting everything running?

    1. It's essentially the corpus generation approach discussed in the README for afl-fuzz: use an open-source parser to generate a corpus ( and then use the compact corpus to test a more heavyweight & slower implementation with a simple harness (see experimental/canvas_harness/ that comes with afl).