libpng Heap Buffer Overflow Vulnerability in png_set_quantize Function

Vulnerability

A heap buffer overflow vulnerability has been identified in libpng versions prior to 1.6.55, specifically within the low-level png_set_quantize() API function. It arises when the function is called without a histogram and the palette contains more than twice the maximum number of colors supported by the user's display. Under these conditions, certain palettes cause the function to enter an infinite loop that reads past the end of a heap-allocated buffer. The defect has existed since the function was introduced under its original name, png_set_dither(). Exploitation can crash the application (denial of service) or, through heap corruption, potentially lead to information disclosure or arbitrary code execution.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by crashing the application. With suitable heap grooming, it may also be possible to induce an infinite loop that reads and writes past the allocated buffer, corrupting the heap; such corruption could be leveraged to execute arbitrary code.

Reproduction

The vulnerability can be reproduced with a PNG image that has a PLTE chunk but no hIST chunk, and whose palette holds more than twice the maximum number of colors supported by the display. Processing such an image with png_set_quantize() under these conditions triggers the heap buffer overflow.

Remediation

Users are advised to upgrade to libpng version 1.6.55, which addresses the vulnerability by correcting the logic in the png_set_quantize() function to prevent out-of-bounds reads.
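For callers that cannot upgrade yet, the trigger condition described in this advisory can be checked before the call, or sidestepped by supplying a histogram. The C below is an added example, not libpng's code: it assumes the runtime version is taken from libpng's png_access_version_number() (which encodes 1.6.55 as 10655) and that the hypothetical build_histogram() is fed the image's own palette indices.

```c
#include <stddef.h>
#include <stdint.h>

/* libpng encodes versions as major*10000 + minor*100 + release, so the
 * fixed release 1.6.55 is 10655; png_access_version_number() returns
 * the same form at run time. */
#define FIXED_LIBPNG_VER 10655u

/* 1 when the parameters match the advisory's trigger: no histogram and
 * a palette larger than twice maximum_colors. */
int quantize_hits_trigger(int num_palette, int maximum_colors,
                          const uint16_t *histogram)
{
    if (histogram != NULL)
        return 0;
    if (maximum_colors <= 0 || num_palette < 0)
        return 1;                 /* degenerate request: treat as unsafe */
    return num_palette > 2 * maximum_colors;
}

/* Gate a png_set_quantize() call: always allowed on a fixed libpng,
 * otherwise only when the trigger condition does not hold. */
int quantize_call_allowed(unsigned libpng_ver, int num_palette,
                          int maximum_colors, const uint16_t *histogram)
{
    if (libpng_ver >= FIXED_LIBPNG_VER)
        return 1;
    return !quantize_hits_trigger(num_palette, maximum_colors, histogram);
}

/* Mitigation for unpatched hosts (hypothetical helper): derive a
 * hIST-style frequency table from the image's palette indices so the
 * call is made with a histogram. Returns 0 if an index lies outside
 * the palette (corrupt input), 1 on success. */
int build_histogram(const uint8_t *indices, size_t count, int num_palette,
                    uint16_t *histogram)
{
    if (num_palette <= 0)
        return 0;
    for (int i = 0; i < num_palette; i++)
        histogram[i] = 0;
    for (size_t i = 0; i < count; i++) {
        if (indices[i] >= num_palette)
            return 0;
        if (histogram[indices[i]] < UINT16_MAX)   /* saturate like png_uint_16 */
            histogram[indices[i]]++;
    }
    return 1;
}
```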

Added: Feb 11, 2026, 1:38 AM
Updated: Feb 11, 2026, 1:38 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 10.0
exploitability: 5.5
remediation: 7.7
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.