libpng Heap Buffer Over-Read Vulnerability in Simplified API Function

Vulnerability

A heap buffer over-read vulnerability has been identified in libpng versions from 1.6.51 up to, but not including, 1.6.54. The issue arises in the simplified API function 'png_image_finish_read' when it handles an interlaced 16-bit PNG image with an 8-bit output format and a non-minimal row stride. The vulnerability can lead to memory disclosure and application crashes, and it is a regression introduced by the fix for a different vulnerability (CVE-2025-65018).

Impact

Exploitation of this vulnerability causes a heap buffer over-read, which can either crash the application with a segmentation fault when the read touches unmapped memory, or expose sensitive heap data in the output image buffer. The vulnerability also disrupts normal application processing, particularly for applications using the default row stride.

Reproduction

To reproduce this vulnerability, use an application that processes PNG files with the libpng simplified API. Open an interlaced 16-bit PNG image while requesting a row stride that exceeds the actual row width, or a negative stride; this triggers the buffer over-read in the 'png_image_read_direct_scaled' function.

Remediation

Users can upgrade to libpng version 1.6.54 or later, where this vulnerability has been fixed.
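The row-stride conventions that the reproduction steps rely on (a stride counted in components, zero meaning the minimal stride, negative meaning rows stored bottom-up) and the affected version range from the Vulnerability section, as an added C example that is not libpng's own code: it mirrors the simplified API's buffer-sizing rules so an application can reject a too-short stride, size its buffer from the output format rather than the file's bit depth, and gate on the library version before calling png_image_finish_read. The stride semantics and the PNG_LIBPNG_VER numbering (1.6.54 is 10654, the value png_access_version_number() returns) come from the libpng documentation; the function names are assumptions.

```c
/* Added example, not libpng's own code: mirror the simplified API's row-stride
 * conventions so a caller can size and validate its buffer before calling
 * png_image_finish_read(). Assumptions (from the libpng documentation): the
 * stride is counted in components, 0 selects the minimal stride, and a negative
 * stride stores rows bottom-up. Function names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>

/* Version range the advisory names as affected: 1.6.51 up to but excluding
 * 1.6.54, in the PNG_LIBPNG_VER numbering that png_access_version_number()
 * returns (1.6.54 -> 10654). */
int libpng_version_affected(unsigned ver)
{
    return ver >= 10651u && ver < 10654u;
}

/* Bytes the output buffer must hold for the given stride, or 0 when the
 * stride is shorter than one output row or the size would overflow size_t.
 * channels: components per pixel of the OUTPUT format (3 for RGB, 4 for RGBA).
 * component_bytes: 1 for 8-bit output formats, 2 for 16-bit linear ones; a
 * 16-bit PNG read with an 8-bit format still uses 1, since the output format,
 * not the file's bit depth, decides the buffer layout. */
size_t simplified_buffer_bytes(uint32_t width, uint32_t height,
                               unsigned channels, unsigned component_bytes,
                               int32_t row_stride)
{
    uint64_t min_stride, stride;

    if (width == 0 || height == 0 || channels == 0 || component_bytes == 0)
        return 0;
    min_stride = (uint64_t)width * channels;

    if (row_stride == 0)
        stride = min_stride;                        /* 0 means minimal stride */
    else if (row_stride < 0)
        stride = (uint64_t)(-(int64_t)row_stride);  /* bottom-up rows */
    else
        stride = (uint64_t)row_stride;

    if (stride < min_stride)                        /* every row would overrun */
        return 0;
    if (stride > SIZE_MAX / height / component_bytes) /* size_t overflow */
        return 0;
    return (size_t)(stride * height * component_bytes);
}
```

Allocate exactly the returned size and pass the same row_stride to png_image_finish_read; a return of 0 means the request must be refused rather than passed on to the library.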

Added: Jan 12, 2026, 11:18 PM
Updated: Jan 12, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 5.0
exploitability: 5.4
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.