libpng Heap Buffer Over-Read Vulnerability in Palette Quantization

Vulnerability

A heap buffer over-read vulnerability has been identified in libpng versions prior to 1.6.51. The issue arises in the 'png_do_quantize' function when it processes PNG files with malformed palette indices. Palette indices taken from external image data are not properly validated against the bounds of the 'palette_lookup' array. This oversight allows attackers to craft PNG files with out-of-range palette indices, leading to out-of-bounds memory access. Exploitation requires convincing a user to open a maliciously crafted PNG file.

Impact

Exploitation of this vulnerability causes a heap buffer over-read, which can lead to information disclosure through heap memory leakage and to denial of service by crashing the application.

Reproduction

To reproduce this vulnerability, create a PNG file that includes palette indices exceeding the valid range, and then process this file with an application that uses libpng.

Remediation

Users can upgrade to libpng version 1.6.51 or later, where this vulnerability has been patched.
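For triage of files handled by hosts that have not yet been upgraded, the following added example (not libpng code and not part of the original advisory) reports every pixel in a palette PNG whose index is not below the number of PLTE entries. The function names are hypothetical, and it assumes that "valid range" means indices below the PLTE entry count, that the image is non-interlaced, and an arbitrary cap of 2^26 pixels.

```python
import struct
import zlib

def unfilter(raw, stride, height):
    """Undo scanline filters 0-4 (the filter unit is 1 byte for palette images)."""
    prev, pos = bytearray(stride), 0
    for _ in range(height):
        line = raw[pos:pos + 1 + stride]
        if len(line) != stride + 1 or line[0] > 4:
            raise ValueError("short scanline or unknown filter type")
        ftype, cur = line[0], bytearray(line[1:])
        for i in range(stride):
            a, b, c = (cur[i - 1], prev[i], prev[i - 1]) if i else (0, prev[i], 0)
            pa, pb, pc = abs(b - c), abs(a - c), abs(a + b - 2 * c)  # Paeth distances
            paeth = a if pa <= pb and pa <= pc else b if pb <= pc else c
            cur[i] = (cur[i] + (0, a, b, (a + b) // 2, paeth)[ftype]) & 0xFF
        yield cur
        prev, pos = cur, pos + stride + 1

def find_bad_palette_indices(data):
    """Return (plte_entries, [(x, y, index), ...]), or None if not colour type 3."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    parts, pos = {}, 8
    while pos + 8 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            raise ValueError("truncated chunk")
        parts.setdefault(kind, bytearray()).extend(body)  # joins split IDATs
        pos += 12 + length  # length + type + body + CRC (CRC not verified here)
    if len(parts.get(b"IHDR", b"")) != 13:
        raise ValueError("missing or malformed IHDR")
    width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", parts[b"IHDR"])
    if colour != 3:
        return None
    if interlace or depth not in (1, 2, 4, 8) or not 0 < width * height <= 1 << 26:
        raise ValueError("interlaced, oversized or invalid header: not handled here")
    entries = len(parts.get(b"PLTE", b"")) // 3
    stride = (width * depth + 7) // 8
    # Cap inflated size at what IHDR promises so oversized streams are not expanded.
    raw = zlib.decompressobj().decompress(bytes(parts.get(b"IDAT", b"")), (stride + 1) * height)
    bad, mask = [], (1 << depth) - 1
    for y, row in enumerate(unfilter(raw, stride, height)):
        for x in range(width):
            index = (row[x * depth // 8] >> (8 - depth - x * depth % 8)) & mask
            if index >= entries:
                bad.append((x, y, index))
    return entries, bad
```

A non-empty list in the result marks a file to quarantine or re-encode; malformed input raises ValueError or zlib.error, and an empty list does not replace upgrading libpng.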

Added: Nov 25, 2025, 12:19 AM
Updated: Nov 25, 2025, 12:19 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.4
remediation: 7.7
relevance: 1.1
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.