Crashing OSX and iOS apps with a simple PNG image

Lander Brandt has discovered a denial of service vulnerability in ImageIO, a library of utilities for parsing various image formats.

Which apps as affected?

It’s used in many OS X and iOS applications including:

  • Tweetbot
  • Safari
  • Messages
  • Mail
  • Preview

Some popular applications that do not use ImageIO include:

  • Chrome
  • Firefox
  • Telegram

The bug is a simple Null Point Reference in PNG parsing (more technical info on Lander Brandt article):


What’s happening here is:

– libpng hits an unknown chunk

– The custom chunk callback is called

– Apple’s own internal method which returns a pointer to the chunk returns null since there’s no data

– There’s no check on the chunk pointer returned

– Oops


What is the impact?

This bug can be triggered any time a PNG file is being processed. So really, anything that processes the image can be caused to crash.

Some examples:

  • Receiving the malicious image via text message with message previews turned on will crash SpringBoard on iOS
  • Entering a message thread containing the image will crash the messages app
  • Opening an email containing the image will crash the mail client
  • Posting a link to the image will crash some third-party Twitter clients which try to load the image
  • Visiting a page containing the image will crash Safari’s content renderer

The fix?

The bug was reported to Apple in Dec 16, 2015, and in Mar 22, 2016 the fix was notified as ‘in progress’.

Comments