libpng Use-After-Free Vulnerability in png_set_tRNS and png_set_PLTE Functions

Vulnerability

A use-after-free vulnerability has been identified in libpng, a library for handling PNG image files. This issue affects versions 1.2.1 through 1.6.55. The vulnerability arises from pointer aliasing between the png_struct and png_info structures in the png_set_tRNS and png_set_PLTE functions. Both functions share a single heap-allocated buffer across the two structures, so freeing the buffer through png_info leaves a dangling pointer behind. Crafted image data can then cause the program to read from or write to freed memory, which can result in heap corruption and potentially arbitrary code execution.

Impact

Exploitation of this vulnerability causes a use-after-free condition, where freed memory is accessed via a dangling pointer. This can lead to reading sensitive information from the heap, writing attacker-controlled data to freed memory, and, on certain memory allocators, executing arbitrary code by hijacking control flow.

Reproduction

Reproducing this vulnerability requires an application that processes a PNG file with crafted tRNS or PLTE chunk values. The application should call png_free_data to release memory between png_read_info and png_read_update_info, a pattern common in memory-constrained environments. This sequence of operations triggers the use-after-free condition during the subsequent image processing, particularly when the ARM NEON palette riffle is applied, which reads all 256 palette entries unconditionally.
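
The aliasing and the free-through-png_info step described above, reduced to a stand-alone C model (an added example, not libpng's code). model_png, model_info and the set_trns_* helpers are hypothetical stand-ins for png_struct, png_info and png_set_tRNS, and the owned variant is one assumed way to remove the sharing, not necessarily the upstream fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for png_struct / png_info; not libpng's definitions. */
typedef struct { unsigned char *trans; } model_png;   /* decoder state  */
typedef struct { unsigned char *trans; } model_info;  /* image metadata */

/* Aliased form: one allocation, referenced from both structures. */
static int set_trns_aliased(model_png *p, model_info *i,
                            const unsigned char *src, size_t n) {
    unsigned char *buf = malloc(n);
    if (buf == NULL) return -1;
    memcpy(buf, src, n);
    i->trans = p->trans = buf;    /* two owners, a single buffer */
    return 0;
}

/* Owned form (assumed hardening): each structure holds its own copy. */
static int set_trns_owned(model_png *p, model_info *i,
                          const unsigned char *src, size_t n) {
    unsigned char *a = malloc(n), *b = malloc(n);
    if (a == NULL || b == NULL) { free(a); free(b); return -1; }
    memcpy(a, src, n); memcpy(b, src, n);
    i->trans = a; p->trans = b;
    return 0;
}

/* Models the png_free_data step: releases data through the info structure. */
static void free_info_data(model_info *i) { free(i->trans); i->trans = NULL; }

/* Returns 1 = decoder pointer left dangling, 0 = still valid, -1 = alloc failure. */
static int scenario(int owned) {
    static const unsigned char alpha[4] = {0, 64, 128, 255}; /* constructed sample */
    model_png p = {0}; model_info i = {0};
    int rc = owned ? set_trns_owned(&p, &i, alpha, sizeof alpha)
                   : set_trns_aliased(&p, &i, alpha, sizeof alpha);
    if (rc != 0) return -1;
    int dangling = (p.trans == i.trans);  /* checked before the free */
    free_info_data(&i);
    if (dangling) { p.trans = NULL; return 1; }  /* must never be dereferenced */
    rc = memcmp(p.trans, alpha, sizeof alpha) == 0 ? 0 : -1;
    free(p.trans);
    return rc;
}

int main(void) {
    printf("aliased: %d, owned: %d\n", scenario(0), scenario(1)); return 0;
}
```

The model detects the shared pointer before the free and never touches the released buffer; in real code the same condition is what AddressSanitizer reports as a heap-use-after-free.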

Remediation

Users can upgrade to libpng version 1.6.56 or 1.8.0 (trunk) to address this vulnerability.

Added: Mar 26, 2026, 5:43 PM
Updated: Mar 26, 2026, 5:43 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 5.3
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.