libpng Out-of-Bounds Read and Write Vulnerability in ARM/AArch64 Neon-Optimized Palette Expansion

Vulnerability

A vulnerability allowing out-of-bounds (OOB) read and write operations has been identified in libpng versions from 1.6.36 up to, but not including, 1.6.55. The issue lies in the library's ARM/AArch64 Neon-optimized palette expansion path, which converts 8-bit paletted rows to RGB or RGBA. The Neon loop mishandles the final partial chunk of a row, causing reads and writes past the end of the row buffers. The vulnerability can be triggered during normal decoding of an attacker-controlled PNG file, provided the library was built with Neon support enabled.

Impact

Exploitation of this vulnerability causes process crashes. Beyond a crash, the OOB read can leak heap contents through the decoded pixel output, and the OOB write corrupts the heap by overwriting data with attacker-controlled values.

Reproduction

To reproduce this vulnerability, compile libpng with ARM/AArch64 Neon optimizations enabled. Then use the library to decode a crafted paletted PNG image (color type 3) that reaches the Neon-optimized palette expansion functions. For the RGBA path, ensure the image includes a tRNS chunk; for the RGB path, omit the tRNS chunk. The vulnerability manifests when the row width of the image is not a multiple of the Neon chunk size, so that the loop is left with a final partial chunk and performs out-of-bounds accesses.
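The defect described in the Vulnerability and Reproduction sections is the classic SIMD tail-handling mistake: a block loop that consumes a fixed number of pixels per iteration, combined with a row whose width is not a multiple of that block. The following C is an added, constructed illustration and is not libpng's code: it shows a chunked palette expansion written so that the block loop runs only floor(width / CHUNK) times and a scalar loop finishes the remainder, with the output size checked before any write. The chunk size of 8, the rgba_t palette type and the function names are assumptions chosen for the example; the test row of 13 pixels (one whole chunk plus a 5-pixel tail) is constructed here.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed chunk size for the "vector" loop; real SIMD code would use the
 * register width of the target, but the arithmetic is the same. */
#define CHUNK 8

typedef struct { uint8_t r, g, b, a; } rgba_t;

/* Number of whole chunks the block loop may process for a row of `width`
 * pixels. This must round DOWN; rounding up is exactly what walks past the
 * end of the row. */
static size_t chunk_full(size_t width) { return width / CHUNK; }

/* Pixels left over after the last whole chunk (0..CHUNK-1). */
static size_t chunk_tail(size_t width) { return width % CHUNK; }

static void put_pixel(uint8_t *o, const rgba_t *c, size_t bpp)
{
    o[0] = c->r; o[1] = c->g; o[2] = c->b;
    if (bpp == 4) o[3] = c->a;          /* RGBA path (image has a tRNS chunk) */
}

/* Expand one paletted row (one index byte per pixel) into RGB (bpp 3) or
 * RGBA (bpp 4). Returns the number of output bytes written, or 0 if the
 * output buffer is too small or an index falls outside the palette. */
static size_t expand_palette_row(const uint8_t *idx, size_t width,
                                 const rgba_t *pal, size_t pal_len,
                                 int with_alpha,
                                 uint8_t *out, size_t out_len)
{
    const size_t bpp = with_alpha ? 4 : 3;
    size_t full, tail, c, p;

    /* Check capacity with a division so width * bpp cannot overflow. */
    if (out_len / bpp < width)
        return 0;
    full = chunk_full(width);
    tail = chunk_tail(width);

    /* Block loop: whole chunks only. Stand-in for the intrinsics loop. */
    for (c = 0; c < full; c++) {
        for (p = 0; p < CHUNK; p++) {
            size_t px = c * CHUNK + p;
            uint8_t i = idx[px];
            if (i >= pal_len) return 0; /* index beyond the PLTE entries */
            put_pixel(out + px * bpp, &pal[i], bpp);
        }
    }

    /* Scalar tail: the final partial chunk. Feeding these `tail` pixels to
     * the block loop would read CHUNK - tail bytes past `idx` and write the
     * corresponding bytes past `out`, which is the OOB described above. */
    for (p = full * CHUNK; p < full * CHUNK + tail; p++) {
        uint8_t i = idx[p];
        if (i >= pal_len) return 0;
        put_pixel(out + p * bpp, &pal[i], bpp);
    }
    return width * bpp;
}

/* Constructed 13-pixel RGBA row: 1 whole chunk + 5-pixel tail. Returns the
 * byte count written (52) if the last pixel landed inside the buffer. */
static int demo_row(void)
{
    static const rgba_t pal[4] = {
        {0x10, 0x20, 0x30, 0xFF}, {0x40, 0x50, 0x60, 0x80},
        {0x70, 0x80, 0x90, 0x00}, {0xA0, 0xB0, 0xC0, 0x7F}
    };
    static const uint8_t idx[13] = {0,1,2,3,0,1,2,3,0,1,2,3,1};
    uint8_t out[13 * 4];
    size_t n = expand_palette_row(idx, 13, pal, 4, 1, out, sizeof out);
    if (n != 52) return 0;
    /* pixel 12 is palette entry 1 and occupies bytes 48..51 */
    return (out[48] == 0x40 && out[49] == 0x50 &&
            out[50] == 0x60 && out[51] == 0x80) ? (int)n : 0;
}

/* Constructed 3-pixel RGB row given an 8-byte buffer (9 needed): must refuse. */
static int demo_short_buffer(void)
{
    static const rgba_t pal[1] = {{1, 2, 3, 4}};
    static const uint8_t idx[3] = {0, 0, 0};
    uint8_t out[8];
    return (int)expand_palette_row(idx, 3, pal, 1, 0, out, sizeof out);
}
```

The point to check in any chunked expansion routine is that the block loop's trip count is derived from `width / CHUNK`, not `(width + CHUNK - 1) / CHUNK`, and that the scalar path, not the block path, owns the last `width % CHUNK` pixels.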

Remediation

Users can upgrade to libpng version 1.6.56 or 1.8.0 (trunk), both of which address this vulnerability. Alternatively, libpng can be built with hardware optimizations disabled to avoid the issue.
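For fleet inventory, the first question is which deployed libpng builds fall in the affected range. The C below is an added example, not part of this advisory or of libpng: it parses a dotted version string such as the one libpng's `png_get_libpng_ver()` returns (or a package version from an inventory export) and reports whether it falls in the affected range [1.6.36, 1.6.55) stated in the Vulnerability section. The function names and the treatment of unparseable strings as a distinct result are assumptions made for the example.

```c
#include <stdio.h>

/* Parse "MAJOR.MINOR.PATCH" into v[0..2]. Returns 1 on success, 0 if the
 * string is missing, has extra trailing text, or contains a negative field. */
static int parse_version(const char *s, int v[3])
{
    char extra;
    if (s == NULL)
        return 0;
    if (sscanf(s, "%d.%d.%d%c", &v[0], &v[1], &v[2], &extra) != 3)
        return 0;
    return v[0] >= 0 && v[1] >= 0 && v[2] >= 0;
}

/* Lexicographic compare of two parsed versions: <0, 0, >0. */
static int compare_version(const int a[3], const int b[3])
{
    int i;
    for (i = 0; i < 3; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* Affected range from the advisory: 1.6.36 <= version < 1.6.55.
 * Returns 1 if affected, 0 if not, -1 if the string could not be parsed. */
static int libpng_version_affected(const char *ver)
{
    static const int first_bad[3] = {1, 6, 36};
    static const int first_good[3] = {1, 6, 55};
    int v[3];
    if (!parse_version(ver, v))
        return -1;
    return compare_version(v, first_bad) >= 0 &&
           compare_version(v, first_good) < 0;
}
```

A result of 1 for a build that also has Neon enabled means the host needs the upgrade to 1.6.56 or 1.8.0 described above, or a rebuild with hardware optimizations disabled.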

Added: Mar 26, 2026, 5:32 PM
Updated: Mar 26, 2026, 5:32 PM

Vulnerability Rating (Custom Algorithm)

spread          9.0
impact          3.8
exploitability  4.8
remediation     7.7
relevance       4.7
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.