libpng Out-of-Bounds Read Vulnerability in Palette Compositing

Vulnerability

A buffer overflow vulnerability has been identified in libpng versions from 1.6.0 up to, but not including, 1.6.51. The issue arises in the function png_image_read_composite when handling palette images with the PNG_FLAG_OPTIMIZE_ALPHA flag enabled. The vulnerability is caused by incorrect background compositing during the premultiplication of palette entries, which produces values that exceed the allowed range for the PNG_sRGB_FROM_LINEAR lookup tables. This flaw can be exploited to read beyond the allocated buffer, potentially causing an application crash or disclosing adjacent memory contents.

Impact

Exploitation of this vulnerability causes a global buffer overflow, where out-of-bounds memory is accessed, leading to a crash or information disclosure.

Reproduction

The vulnerability can be reproduced by crafting a PNG file with palette mode and a transparency chunk, then processing it with libpng's simplified API while ensuring that PNG_FLAG_OPTIMIZE_ALPHA is enabled. This can be done using a fuzzer that targets the specific conditions of the vulnerability.
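For triage, the input preconditions named above (palette colour type plus a transparency chunk) can be checked from the chunk headers alone, without decoding the image. The following is an added example, not code from libpng or from this advisory; the function names and the sample bytes are constructed for illustration. A match only means the file is a palette image with a tRNS chunk, which many ordinary PNGs are, not that it triggers the flaw.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
COLOR_TYPE_PALETTE = 3  # IHDR colour type value for indexed-colour images

def iter_chunks(data):
    """Yield (type, payload) per chunk; raise ValueError on malformed input."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + payload + CRC
        if end > len(data):
            raise ValueError("chunk length exceeds file size")
        payload = data[pos + 8:end - 4]
        if zlib.crc32(ctype + payload) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        yield ctype, payload
        if ctype == b"IEND":
            return
        pos = end


def is_palette_with_transparency(data):
    """True if IHDR declares palette colour type and a tRNS chunk is present."""
    palette = has_trns = False
    for index, (ctype, payload) in enumerate(iter_chunks(data)):
        if index == 0:
            if ctype != b"IHDR" or len(payload) != 13:
                raise ValueError("first chunk is not a valid IHDR")
            palette = payload[9] == COLOR_TYPE_PALETTE  # byte 9 = colour type
        elif ctype == b"tRNS":
            has_trns = True
    return palette and has_trns


def make_chunk(ctype, payload):
    """Build one chunk; used only for the constructed sample below."""
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

# Constructed chunk sequence (headers only, no image data), for demonstration.
IHDR_PALETTE = struct.pack(">IIBBBBB", 1, 1, 8, COLOR_TYPE_PALETTE, 0, 0, 0)
SAMPLE_FLAGGED = (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_PALETTE) + make_chunk(b"PLTE", bytes(3))
                  + make_chunk(b"tRNS", b"\x80") + make_chunk(b"IEND", b""))
```
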

Remediation

Users are advised to upgrade to libpng version 1.6.51 or later. No practical workaround is available.

Added: Nov 25, 2025, 12:18 AM
Updated: Nov 25, 2025, 12:18 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.8
remediation: 7.7
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.