libwebsockets Out-of-Bounds Read Vulnerability in UPNG Handling
Vulnerability
An out-of-bounds read vulnerability has been identified in the libwebsockets library, specifically in version 4.4, when the LWS_WITH_UPNG flag is enabled at compile time. The issue lies in the PNG parsing component, within the 'lws_upng_emit_next_line' function. It can be triggered when a user visits an attacker-controlled website that serves a specially crafted PNG file with a very large height dimension. The crafted image causes the program to read past a heap-allocated buffer. Specifically, a PNG with a width of 1, a bit depth of 1, and an exaggerated height makes the application access memory beyond the intended limits, resulting in a segmentation fault or crash.
Impact
Exploitation of this vulnerability causes the program to read past the heap-allocated buffer into unallocated memory, leading to a segmentation fault or crash.
Reproduction
To reproduce this vulnerability, compile libwebsockets with the LWS_WITH_UPNG flag enabled. Then use an implementation of the library that employs the HTML display stack and can render PNG images. Visit a website that hosts a crafted PNG file, specifically one that is 1 pixel wide, 1 bit deep, and has a very large height. AddressSanitizer will report the out-of-bounds read, confirming that the vulnerability has been triggered.
Remediation
A patch has been proposed that modifies the array access to the PNG input buffer, ensuring it stays within the allocated limits. This patch is available in the Nozomi Networks advisory for CVE-2025-11679.
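The kind of bounds check the remediation describes, as an added illustration that is not libwebsockets' code: a constructed minimal scanline emitter that refuses to read a row starting or ending past the decoded buffer, plus a header-level check that the declared height can actually be satisfied by the data present. The struct and function names (png_hdr, header_fits, emit_next_line, demo_short_buffer) are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical header fields relevant to row sizing. */
struct png_hdr {
    uint32_t width, height;
    uint8_t bit_depth, channels;
};

/* Bytes per scanline: packed pixel bits rounded up, plus 1 filter byte.
 * For width 1, bit depth 1, one channel this is 2 bytes. */
size_t row_bytes(const struct png_hdr *h)
{
    uint64_t bits = (uint64_t)h->width * h->bit_depth * h->channels;
    return (size_t)((bits + 7) / 8) + 1;
}

/* Total decoded bytes the declared height requires; 0 signals overflow. */
uint64_t needed_bytes(const struct png_hdr *h)
{
    uint64_t rb = row_bytes(h);
    if (h->height > UINT64_MAX / rb)
        return 0;
    return rb * (uint64_t)h->height;
}

/* Header-level check: reject images whose height exceeds the data. */
int header_fits(const struct png_hdr *h, size_t decoded_len)
{
    uint64_t need = needed_bytes(h);
    return need != 0 && need <= decoded_len;
}

/* Copy scanline `line` from decoded data `src` (len bytes) into `dst`.
 * Returns 0 on success, -1 if the row would lie past either buffer. */
int emit_next_line(const struct png_hdr *h, const uint8_t *src, size_t len,
                   uint32_t line, uint8_t *dst, size_t dst_len)
{
    size_t rb = row_bytes(h);
    uint64_t start = (uint64_t)line * rb;
    if (start > len || rb > len - start || rb > dst_len)
        return -1;                      /* stays within allocation */
    memcpy(dst, src + start, rb);
    return 0;
}

/* Constructed case: header claims 100000 rows but only 4 decoded bytes
 * (two rows) exist. Returns how many rows were emitted before refusal. */
int demo_short_buffer(void)
{
    struct png_hdr h = { 1, 100000, 1, 1 };
    const uint8_t decoded[4] = { 0x00, 0x80, 0x00, 0x00 };
    uint8_t row[2];
    int emitted = 0;
    for (uint32_t i = 0; i < h.height; i++) {
        if (emit_next_line(&h, decoded, sizeof decoded, i, row, sizeof row))
            break;
        emitted++;
    }
    return emitted;                     /* 2, not 100000 */
}
```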