The condition triggering Heuristics.PNG.CVE-2010-1205 is more common
than expected. Considering this type of malformed PNG is somewhat common
and the CVE is more than 10 years old, it is reasonable to place this
detection behind the --alert-broken-media (SCAN_HEURISTIC_BROKEN_MEDIA)
option.
... | ... |
@@ -357,7 +357,7 @@ cl_error_t cli_parsepng(cli_ctx *ctx) |
357 | 357 |
zstrm_initialized = false; |
358 | 358 |
idat_state = PNG_IDAT_DECOMPRESSION_COMPLETE; |
359 | 359 |
|
360 |
- if (decompressed_data_len > image_size) { |
|
360 |
+ if ((decompressed_data_len > image_size) && (SCAN_HEURISTIC_BROKEN_MEDIA)) { |
|
361 | 361 |
status = cli_append_virus(ctx, "Heuristics.PNG.CVE-2010-1205"); |
362 | 362 |
goto done; |
363 | 363 |
} |
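Review bot: With `--alert-broken-media` off, the changed `if` at new line 360 now falls through silently when `decompressed_data_len > image_size`, where the old code always left via `goto done`. The rest of `cli_parsepng` is outside this hunk, so it is worth confirming that nothing after the block assumes the decompressed length is bounded by `image_size`. I would also keep a trace of the malformed condition for triage by extending the closing brace to `} else if (decompressed_data_len > image_size) { cli_dbgmsg("PNG: decompressed IDAT data exceeds expected image size\n"); }`. A one-line comment above the check, such as `/* Oversized IDAT is common in benign files; only alert when broken-media heuristics are enabled. */`, would record why the detection is gated.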