libpng Heap Buffer Overflow Vulnerability in Interlaced PNG Processing

Vulnerability

A heap buffer overflow vulnerability has been identified in libpng versions 1.6.0 up to, but not including, 1.6.51. The issue arises in the simplified API function 'png_image_finish_read' when it handles a 16-bit interlaced PNG while the requested output format is 8 bits. The result is a heap write that exceeds the bounds of the allocated output buffer, leading to memory corruption. The overflow occurs because 'png_combine_row' writes 16-bit row data into a buffer that was sized for 8-bit output, a mismatch that a crafted PNG file can trigger.

Impact

Triggering this vulnerability causes a heap-based buffer overflow that can corrupt adjacent heap data, including allocator metadata. Such corruption can potentially be leveraged to manipulate program control flow. At minimum, the overflow produces a deterministic crash, resulting in a denial-of-service condition for any application that decodes untrusted PNG files through the simplified API.

Reproduction

The vulnerability can be reproduced by building libpng with AddressSanitizer and UndefinedBehaviorSanitizer enabled, then feeding a crafted 16-bit interlaced PNG file to 'png_image_finish_read' with an 8-bit output format selected, for example through a fuzzer harness. The out-of-bounds write is confirmed by AddressSanitizer's heap-buffer-overflow error report.

Remediation

Users are advised to upgrade to libpng version 1.6.51 or later, where this vulnerability has been patched. For those unable to upgrade immediately, a temporary workaround is to force 16-bit output for interlaced 16-bit PNGs, i.e. never request an 8-bit output format for such files; this approach is not officially supported and may break with future libpng updates.
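The following check is an added example written for this advisory; it is not libpng's own code. It shows both the buffer-size mismatch described in the Vulnerability section and the workaround described above: it parses the PNG signature and IHDR chunk directly (bit depth and interlace method are bytes 8 and 12 of the 13-byte IHDR payload), flags the 16-bit-plus-Adam7 combination, computes how large an output buffer must be at 8 versus 16 bits per sample, and returns the sample depth a caller should request from the simplified API. All function and type names (png_parse_ihdr, png_choose_output_depth, png_screen_depth, png_screen_size, png_ihdr) are hypothetical, the sample headers are constructed with zero placeholder CRC bytes, and the size calculation assumes the caller keeps the file's own channel count.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libpng code. Pre-screens a PNG byte stream for the
 * shape the advisory describes (16-bit samples plus Adam7 interlacing) so
 * the caller can request 16-bit output instead of 8-bit on unpatched libpng. */

static const uint8_t PNG_SIGNATURE[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

typedef struct {
    uint32_t width;
    uint32_t height;
    uint8_t bit_depth;   /* 1, 2, 4, 8 or 16 */
    uint8_t color_type;  /* 0 gray, 2 RGB, 3 palette, 4 gray+alpha, 6 RGBA */
    uint8_t interlace;   /* 0 none, 1 Adam7 */
} png_ihdr;

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse the signature and IHDR (always the first chunk). Returns 0 on success,
 * -1 if the stream is truncated or not a PNG. The IHDR CRC is not verified
 * here; libpng checks it when the file is actually decoded. */
int png_parse_ihdr(const uint8_t *buf, size_t len, png_ihdr *out)
{
    const size_t need = 8 + 4 + 4 + 13 + 4; /* sig + length + type + data + crc */
    if (buf == NULL || out == NULL || len < need) return -1;
    if (memcmp(buf, PNG_SIGNATURE, sizeof PNG_SIGNATURE) != 0) return -1;
    const uint8_t *chunk = buf + 8;
    if (read_be32(chunk) != 13 || memcmp(chunk + 4, "IHDR", 4) != 0) return -1;
    const uint8_t *d = chunk + 8;
    out->width = read_be32(d);
    out->height = read_be32(d + 4);
    out->bit_depth = d[8];
    out->color_type = d[9];
    out->interlace = d[12];
    if (out->width == 0 || out->height == 0 || out->interlace > 1) return -1;
    return 0;
}

/* The risky shape from the advisory: 16-bit samples in an interlaced image. */
int png_is_16bit_interlaced(const png_ihdr *h)
{
    return h->bit_depth == 16 && h->interlace == 1;
}

/* Channels per pixel implied by the colour type (palette is one index). */
static int channels_for(uint8_t color_type)
{
    switch (color_type) {
    case 0: case 3: return 1;
    case 2: return 3;
    case 4: return 2;
    case 6: return 4;
    default: return 0;
    }
}

/* Bytes an output buffer needs at the given sample depth, assuming the caller
 * keeps the file's channel count (assumption). The 8-bit result is exactly
 * half of the 16-bit result, which is the gap the overflow writes into. */
size_t png_output_size(const png_ihdr *h, int depth_bits)
{
    return (size_t)h->width * h->height * (size_t)channels_for(h->color_type) *
           (size_t)(depth_bits / 8);
}

/* Workaround policy from the advisory: never ask for 8-bit output from a
 * 16-bit interlaced file; keep the request at 16 bits. */
int png_choose_output_depth(const png_ihdr *h, int requested_bits)
{
    if (requested_bits == 8 && png_is_16bit_interlaced(h)) return 16;
    return requested_bits;
}

/* Parse, then return the depth to request (or -1 on a malformed header). */
int png_screen_depth(const uint8_t *buf, size_t len, int requested_bits)
{
    png_ihdr h;
    if (png_parse_ihdr(buf, len, &h) != 0) return -1;
    return png_choose_output_depth(&h, requested_bits);
}

/* Parse, then size the buffer at the chosen depth (0 on a malformed header). */
size_t png_screen_size(const uint8_t *buf, size_t len, int requested_bits)
{
    png_ihdr h;
    if (png_parse_ihdr(buf, len, &h) != 0) return 0;
    return png_output_size(&h, png_choose_output_depth(&h, requested_bits));
}

/* Constructed sample headers: 4x4 RGB; CRC bytes are zero placeholders. */
static const uint8_t SAMPLE_16BIT_INTERLACED[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13, 'I', 'H', 'D', 'R',
    0, 0, 0, 4, 0, 0, 0, 4, 16, 2, 0, 0, 1, 0, 0, 0, 0};
static const uint8_t SAMPLE_8BIT_PLAIN[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13, 'I', 'H', 'D', 'R',
    0, 0, 0, 4, 0, 0, 0, 4, 8, 2, 0, 0, 0, 0, 0, 0, 0};

int main(void)
{
    size_t n = sizeof SAMPLE_16BIT_INTERLACED;
    printf("16-bit interlaced: request %d-bit output, buffer %zu bytes (8-bit would be %zu)\n",
           png_screen_depth(SAMPLE_16BIT_INTERLACED, n, 8),
           png_screen_size(SAMPLE_16BIT_INTERLACED, n, 8),
           png_screen_size(SAMPLE_8BIT_PLAIN, sizeof SAMPLE_8BIT_PLAIN, 8));
    return 0;
}
```

In practice the screened depth would be mapped onto the simplified API's format flags before calling 'png_image_finish_read'; the parser here exists only because the simplified API does not itself expose the file's interlace method, so a caller applying the workaround needs another way to recognise these files.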

Added: Nov 25, 2025, 12:17 AM
Updated: Nov 25, 2025, 12:17 AM

Vulnerability Rating (Custom Algorithm)

  Category        Score
  spread          9.0
  impact          7.5
  exploitability  5.8
  remediation     7.7
  relevance       1.1
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.