libpng Pointer Aliasing Vulnerability in PLTE, tRNS, and hIST Setters Causes Use-After-Free

Vulnerability

A use-after-free vulnerability has been identified in libpng, a library for handling PNG image files. This issue affects versions from 1.0.9 up to, but not including, 1.6.57. The vulnerability arises when pointers obtained from the getters for PLTE, tRNS, or hIST are passed back into the corresponding setters on the same png_struct/png_info pair. The setters read from freed memory, which can corrupt chunk metadata or leak unrelated heap data into the chunk structure. The vulnerability is triggered by the 'get, inspect, set' pattern: an application calls a chunk getter, examines or modifies the result, and passes the same pointer back to the matching setter.

Impact

Exploitation of this vulnerability causes a heap use-after-free, which can lead to a process crash, undefined behavior in non-sanitized builds, and the potential propagation of stale heap data into newly allocated buffers. Under AddressSanitizer, the process aborts after detecting the use-after-free.

Reproduction

The vulnerability can be reproduced by creating a PNG write structure and an info structure, then setting a palette, transparency, or histogram data. After setting this data, the corresponding getter is called to retrieve the internal pointer, which is then passed back into the setter. This sequence triggers the vulnerability by causing the setter to read from a memory location that has already been freed.
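The 'get, inspect, set' round trip described above, modelled in an added example that is not libpng's code: set_palette_hazardous reproduces a setter ordering that reads from freed memory when the caller passes the getter's pointer back, set_palette_safe shows the library-side ordering that removes the hazard, and round_trip_palette shows the caller-side mitigation of copying the getter's result before setting it. All type and function names here (rgb, chunk_info, get_palette, the setters) are hypothetical stand-ins, not the libpng API.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in model of a chunk struct and a PLTE-style setter/getter pair.
 * Names are hypothetical; this is not libpng's API or code. */
typedef struct { unsigned char red, green, blue; } rgb;
typedef struct { rgb *palette; int num_palette; } chunk_info;

/* Hazardous ordering: free the old palette, then copy from pal. If pal aliases
 * info->palette (it came from the getter), memcpy reads freed memory. */
static int set_palette_hazardous(chunk_info *info, const rgb *pal, int n) {
    free(info->palette);
    info->palette = malloc((size_t)n * sizeof *pal);
    if (info->palette == NULL) { info->num_palette = 0; return -1; }
    memcpy(info->palette, pal, (size_t)n * sizeof *pal);
    info->num_palette = n;
    return 0;
}

/* Hardened ordering: copy into fresh storage first and free the old buffer
 * last, so an aliased pal is still live while it is read. */
static int set_palette_safe(chunk_info *info, const rgb *pal, int n) {
    rgb *fresh = malloc((size_t)n * sizeof *pal);
    if (fresh == NULL) return -1;
    memcpy(fresh, pal, (size_t)n * sizeof *pal);
    free(info->palette);
    info->palette = fresh;
    info->num_palette = n;
    return 0;
}

/* The getter hands out the internal pointer: this is the aliasing hazard. */
static int get_palette(const chunk_info *info, rgb **pal, int *n) {
    if (info->palette == NULL) return -1;
    *pal = info->palette; *n = info->num_palette;
    return 0;
}

/* Caller-side mitigation for an unfixed library: copy the getter's result into
 * caller-owned storage before inspecting it and passing it back to the setter. */
static int round_trip_palette(chunk_info *info, int (*set)(chunk_info *, const rgb *, int)) {
    rgb *aliased; int n;
    if (get_palette(info, &aliased, &n) != 0) return -1;
    rgb *copy = malloc((size_t)n * sizeof *copy);
    if (copy == NULL) return -1;
    memcpy(copy, aliased, (size_t)n * sizeof *copy);
    copy[0].red = 255;            /* the "inspect/modify" step, on our copy */
    int rc = set(info, copy, n);  /* safe even with the hazardous setter */
    free(copy);
    return rc;
}
```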

Remediation

The vulnerability has been fixed in libpng version 1.6.57. Applications that bundle or link libpng should also be updated to this version.

Added: Apr 9, 2026, 3:56 PM
Updated: Apr 9, 2026, 3:56 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 1.3
exploitability: 6.0
remediation: 8.3
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.