libpng Heap Buffer Over-Read Vulnerability in png_write_image_8bit Function

Vulnerability

A heap buffer over-read vulnerability has been identified in libpng versions from 1.6.0 up to, but not including, 1.6.51. The issue arises in the png_write_image_8bit function when 8-bit images are processed through the simplified write API with the convert_to_8bit option enabled. It affects 8-bit grayscale+alpha images, RGB/RGBA images, and images with incomplete row data. The root cause is a conditional guard that improperly allows 8-bit input to be processed as 16-bit, leading to out-of-bounds reads of up to 2 bytes beyond the allocated buffer.

Impact

Exploitation of this vulnerability causes a heap buffer over-read, which can lead to information disclosure through memory leakage and potential application crashes.

Reproduction

To reproduce this vulnerability, write a specially formatted 8-bit PNG image using the simplified write API with the convert_to_8bit flag enabled. This combination is invalid but accepted, which allows the vulnerability to be triggered.

Remediation

Users can upgrade to libpng version 1.6.51, where this vulnerability has been patched.
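
A caller-side guard for the invalid combination described under Reproduction, together with a check for the affected version range. This is an added example, not libpng's code or its fix; the function names are hypothetical, and the constants mirror png.h (the PNG_FORMAT_FLAG_LINEAR bit and the PNG_LIBPNG_VER version encoding) so the block compiles without libpng.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants mirrored from png.h so this compiles without libpng; real code
 * should include <png.h> and use PNG_FORMAT_FLAG_LINEAR and
 * png_access_version_number() instead. */
#define FMT_FLAG_LINEAR    0x04U   /* set: 2-byte channels; clear: 1-byte */
#define VER_FIRST_AFFECTED 10600U  /* 1.6.0 in PNG_LIBPNG_VER encoding */
#define VER_FIXED          10651U  /* 1.6.51 */

enum write_check { WRITE_OK = 0, WRITE_REJECT_8BIT_CONVERT = 1 };

/* Returns 1 when the version number falls in the range the advisory names. */
int libpng_version_affected(uint32_t ver)
{
    return ver >= VER_FIRST_AFFECTED && ver < VER_FIXED;
}

/* Hypothetical guard to call before the simplified write calls:
 * convert_to_8bit is only meaningful for 16-bit (linear) input, so refuse
 * it when the image format is already 8-bit. */
enum write_check check_simplified_write(uint32_t format, int convert_to_8bit)
{
    if (convert_to_8bit && !(format & FMT_FLAG_LINEAR))
        return WRITE_REJECT_8BIT_CONVERT;
    return WRITE_OK;
}

int main(void)
{
    /* Constructed cases: format value, convert_to_8bit flag. */
    static const struct { const char *name; uint32_t fmt; int conv; } cases[] = {
        { "8-bit RGBA, convert_to_8bit=1",   0x03U, 1 },
        { "8-bit RGBA, convert_to_8bit=0",   0x03U, 0 },
        { "8-bit GA, convert_to_8bit=1",     0x01U, 1 },
        { "linear RGBA, convert_to_8bit=1",  0x07U, 1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-32s -> %s\n", cases[i].name,
               check_simplified_write(cases[i].fmt, cases[i].conv) == WRITE_OK
                   ? "ok" : "reject");
    printf("1.6.50 affected: %d, 1.6.51 affected: %d\n",
           libpng_version_affected(10650U), libpng_version_affected(10651U));
    return 0;
}
```

The guard is worth keeping after upgrading, since it rejects the invalid argument combination regardless of the linked libpng version.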

Added: Nov 25, 2025, 12:18 AM
Updated: Nov 25, 2025, 12:18 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 5.0
exploitability: 5.4
remediation: 7.7
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.