libpng Heap Buffer Over-Read Vulnerability in Simplified Write API

Vulnerability

A heap buffer over-read vulnerability has been identified in libpng versions from 1.6.26 prior to 1.6.53. The issue arises from an integer truncation in the simplified write API functions 'png_write_image_16bit' and 'png_write_image_8bit': when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes, the truncated value leads to a heap buffer over-read. The defect was introduced in libpng 1.6.26 by casts added to silence compiler warnings on 16-bit systems, and it is fixed in version 1.6.54.

Impact

Exploitation of this vulnerability causes a heap buffer over-read, which may lead to information disclosure by exposing adjacent heap data in the output image. Additionally, it can cause a denial-of-service by creating an infinite loop or crashing the application after reading unmapped memory.

Reproduction

The vulnerability can be reproduced by using the libpng simplified write API with a negative row stride or a stride greater than 65535 bytes. This can be done by creating a PNG image with a bottom-up layout and specifying a negative stride, or by using a very wide 16-bit image and setting the stride to a value that exceeds 65535 bytes.
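The following is an added illustration, not libpng's code: it models the 16-bit narrowing of the row advance that the advisory describes (the 65535-byte boundary) and provides a hypothetical pre-call check, check_write_stride, that a caller can apply before handing a buffer to the simplified write API on an unfixed libpng. It assumes, as png.h documents, that row_stride is given in components rather than bytes, with 2 bytes per component for 16-bit images.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical verdicts for a caller-side stride check (not part of libpng). */
enum stride_verdict {
    STRIDE_OK = 0,       /* layout survives the narrowing unchanged */
    STRIDE_NEGATIVE,     /* bottom-up layout: negative stride hits the truncation */
    STRIDE_TOO_LARGE,    /* row bytes exceed 65535: also truncated by the cast */
    STRIDE_TOO_SHORT     /* row cannot hold width * channels components */
};

/* Bytes between rows for a stride in components, before any truncation. */
static ptrdiff_t row_bytes(ptrdiff_t row_stride, int sixteen_bit)
{
    return row_stride * (sixteen_bit ? 2 : 1);
}

/* Model of the defect: the byte stride passes through a 16-bit intermediate,
 * so the advance actually applied to the row pointer is the stride mod 65536.
 * A negative stride becomes a large forward jump past the caller's buffer;
 * a stride above 65535 wraps to a much smaller one, so rows are read from
 * the wrong place. (Illustrative model, not libpng's source.) */
ptrdiff_t truncated_row_advance(ptrdiff_t row_stride, int sixteen_bit)
{
    return (ptrdiff_t)(uint16_t)row_bytes(row_stride, sixteen_bit);
}

/* Returns STRIDE_OK only for layouts an unfixed libpng will advance correctly. */
enum stride_verdict check_write_stride(unsigned width, unsigned channels,
                                       int sixteen_bit, ptrdiff_t row_stride)
{
    if (row_stride < 0)
        return STRIDE_NEGATIVE;
    if (row_bytes(row_stride, sixteen_bit) > 65535)
        return STRIDE_TOO_LARGE;
    if ((unsigned long)row_stride < (unsigned long)width * channels)
        return STRIDE_TOO_SHORT;
    return STRIDE_OK;
}

int main(void)
{
    /* Constructed cases: a bottom-up 8-bit RGBA image 1024 px wide, and a
     * top-down 16-bit RGBA image 10000 px wide (80000 bytes per row). */
    printf("bottom-up: applied advance %td, caller intended %td\n",
           truncated_row_advance(-4096, 0), (ptrdiff_t)-4096);
    printf("wide 16-bit: applied advance %td, caller intended %td\n",
           truncated_row_advance(40000, 1), (ptrdiff_t)80000);
    return 0;
}
```

On a fixed libpng (1.6.54 or later) the check is unnecessary; on an unfixed one, rejecting STRIDE_NEGATIVE and STRIDE_TOO_LARGE layouts, or copying the rows into a top-down buffer with a stride below 65536 bytes first, avoids the over-read.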

Remediation

Users can upgrade to libpng version 1.6.54 or later to address this vulnerability.

Added: Jan 12, 2026, 11:29 PM
Updated: Jan 12, 2026, 11:29 PM

Vulnerability Rating

Custom Algorithm
spread          9.0
impact          5.0
exploitability  5.0
remediation     7.7
relevance       2.0
threat          1.6
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.