Fix possible malware in one of the test files #251
Comments
Likely a false positive
It's not really a fp. Pngtest_bad.png was previously base64 encoded to avoid virus warnings and other incidents. It is designed to test/trigger a buffer overflow vulnerability in libpng-1.2.5.
Ah, thanks @cgohlke |
I was guessing it might be something like that and just wanted to point it out in case. So that png will cause a crash if there's an old libpng, but it won't run any exploit code / shell code? |
Looks like it, I guess you'd have to decode and examine it… actually you can examine the file pre-encoding here: http://hg.effbot.org/pil-117/raw/2ca582d524163216973285a5bc19706b82d094b3/Tests/images/pngtest_bad.png. Also a bit more about the vulnerability in libpng is here: http://scary.beasts.org/security/CESA-2004-001.txt
Might make sense to add a note in the source or in the test image directory, so that the answer to this isn't buried in the comments and the source control. (and I suppose, the next step is to encrypt, rather than b64) |
Another workaround might be to save the image without the complete PNG header (e.g. the first 4 bytes) and add it back in memory during the test. |
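As an added example (not Pillow's own test code, and not the pngtest_bad.png from this issue), here are the two workarounds discussed above side by side: the base64 encoding the repository already uses, and the "store it without the start of the header, add it back in memory" idea from the comment above. The fixture bytes are a constructed minimal 1x1 greyscale PNG standing in for the real malformed file; the function names, the 4-byte prefix length and the SHA-256 pinning are assumptions made for illustration.

```python
"""Keep a deliberately malformed PNG test fixture out of the reach of on-disk
virus scanners, and rebuild it in memory at test time.

Added example, not Pillow's own test code. The fixture built here is a
CONSTRUCTED minimal 1x1 greyscale PNG, not pngtest_bad.png from the issue;
the storage/restore mechanism is the same for any fixture bytes.
"""

import base64
import hashlib
import io
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # the 8-byte PNG file signature
HEADER_PREFIX_LEN = 4                   # strip the first 4 bytes (assumed, per the thread)


def png_chunk(kind: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(kind + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + kind + payload + struct.pack(">I", crc)


def build_fixture() -> bytes:
    """Constructed stand-in fixture: a valid 1x1, 8-bit greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, colour, comp, filter, interlace
    idat = zlib.compress(b"\x00\x00")                       # filter byte 0 + one black pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b""))


def is_png(data: bytes) -> bool:
    """The signature check a scanner (or an image loader) uses to recognise a PNG."""
    return data.startswith(PNG_SIGNATURE)


# Workaround 1 (what the repository does today): base64-encode the fixture on disk.
def to_base64_fixture(png: bytes) -> bytes:
    return base64.b64encode(png)


def from_base64_fixture(encoded: bytes) -> bytes:
    return base64.b64decode(encoded)


# Workaround 2 (suggested in the thread): store the file without the start of
# its header, and put those bytes back in memory inside the test.
def strip_header(png: bytes, n: int = HEADER_PREFIX_LEN) -> bytes:
    if not is_png(png):
        raise ValueError("not a PNG: refusing to strip")
    return png[n:]


def restore_header(stripped: bytes, n: int = HEADER_PREFIX_LEN) -> bytes:
    restored = PNG_SIGNATURE[:n] + stripped
    if not is_png(restored):
        raise ValueError("restored bytes do not start with the PNG signature")
    return restored


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_fixture_stream(stripped: bytes, expected_sha256: str) -> io.BytesIO:
    """What a test would call: rebuild the bytes, check them against a pinned
    digest so a silently altered fixture fails loudly, and hand back a
    file-like object an image loader can consume without touching disk."""
    restored = restore_header(stripped)
    if sha256_hex(restored) != expected_sha256:
        raise ValueError("fixture digest mismatch")
    return io.BytesIO(restored)


if __name__ == "__main__":
    original = build_fixture()
    stored = strip_header(original)                                      # what goes in the repo
    print("stripped fixture recognised as PNG:", is_png(stored))        # False
    stream = load_fixture_stream(stored, sha256_hex(original))
    print("restored fixture recognised as PNG:", is_png(stream.read()))  # True
```

The stripped form is no longer signature-matchable as a PNG, which is the property the scanners key on, while the test still gets byte-exact input; the digest pin is what tells you the fixture in the tree is still the one the test was written against.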
After downloading the latest version of Pillow (2.0), the virus scanners are triggering on this file:
/Tests/images/pngtest_bad.png.base64
Virus Total has 14 virus scanners calling this malware:
https://www.virustotal.com/en/file/7bc6edd81fb3d2741382863b0670cf2260b495f0065d83ea00c64fc5eddcefa1/analysis/1371264441/