libpng Out-of-Bounds Read Vulnerability in the Simplified API

Vulnerability

A high-severity out-of-bounds read vulnerability has been identified in libpng versions from 1.6.0 up to, but not including, 1.6.52. The flaw lies in the simplified API and allows reading up to 1012 bytes beyond the end of the png_sRGB_base[512] array. It is triggered when processing valid palette PNG images that combine partial transparency with gamma correction. The root cause is in libpng's internal state management: a flag synchronization error causes sRGB data to be treated as linear, which leads to the out-of-bounds access.

Impact

Triggering this vulnerability causes a global buffer overflow (an out-of-bounds read past a global array), allowing adjacent global data to be read, which could include sensitive information. The read can also extend into unmapped memory, potentially causing a crash and therefore a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by using the simplified libpng API to process a valid palette PNG image (IHDR color type 3) that has partial transparency (alpha values between 1 and 254) and gamma correction (non-1.0 gamma value). The image must be processed with an output format that does not include alpha, and without an explicit background color. These conditions can be met with common, legitimate PNG files.

Remediation

Users are advised to upgrade to libpng version 1.6.52 or later. If an immediate upgrade is not possible, an explicit background color can be provided to the png_image_finish_read function, or the low-level API can be used instead of the simplified API. Additionally, requesting alpha-preserving output can help avoid the composition path that leads to the vulnerability.

Added: Dec 3, 2025, 9:18 PM
Updated: Dec 4, 2025, 2:18 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 6.0
remediation: 8.3
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.