pnggroup libpng
cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*
A heap-based buffer overflow vulnerability has been identified in the libpng library, affecting versions through 1.6.55. The issue is in the pnm2png component, within the do_pnm2png function of contrib/pngminus/pnm2png.c. It is caused by an integer overflow when the program processes the width and height values from the PNM file header. Because those values are attacker-controlled, the overflowed result is used during image conversion and leads to a heap-based buffer overflow. Exploitation requires local execution.
Exploitation results in a heap-based buffer overflow; because the corrupted memory lies on the heap, the consequences are typically more severe than those of a stack-based overflow.
The vulnerability can be reproduced by building libpng with AddressSanitizer enabled (for example via CMake) and running the pnm2png tool on a crafted PNM file whose width and height values trigger the integer overflow. AddressSanitizer reports a heap-buffer-overflow error, confirming the issue.
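The mitigation for this bug class is to treat PNM header dimensions as untrusted and compute the buffer size with explicit overflow checks before allocating. The following is an added example written for this page, not libpng's or pnm2png's own code: `checked_image_size`, `naive_image_size`, `header_alloc_ok`, and the `MAX_PIXELS` policy limit are hypothetical names and values chosen here, and the header strings used in the test are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Policy cap on total pixel count; an assumption for this example,
 * not a value taken from libpng. Keeps allocations bounded even when
 * the product fits in size_t. */
#define MAX_PIXELS ((size_t)1 << 28)

/* Portable overflow-checked multiply: returns 1 and stores a*b in *out
 * when the product is representable in size_t, otherwise returns 0. */
static int mul_ok(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Hardened size computation (hypothetical helper). Takes the header
 * fields as signed longs so negative or zero values are rejected, then
 * checks every intermediate product. Returns 0 on any failure. */
size_t checked_image_size(long width, long height, long channels,
                          long bytes_per_sample)
{
    if (width <= 0 || height <= 0 || channels <= 0 || bytes_per_sample <= 0)
        return 0;

    size_t w = (size_t)width, h = (size_t)height;
    size_t c = (size_t)channels, b = (size_t)bytes_per_sample;
    size_t pixels, row, total;

    if (!mul_ok(w, h, &pixels) || pixels > MAX_PIXELS)
        return 0;                       /* too many pixels or wrapped */
    if (!mul_ok(w, c, &row) || !mul_ok(row, b, &row))
        return 0;                       /* bytes per row */
    if (!mul_ok(row, h, &total))
        return 0;                       /* whole image */
    return total;
}

/* Naive 32-bit computation illustrating the bug class: the product
 * wraps silently, so a huge image yields a tiny allocation and the
 * later pixel writes run past the end of the buffer. Illustrative
 * only; this is not pnm2png's code. */
unsigned int naive_image_size(unsigned int width, unsigned int height,
                              unsigned int channels)
{
    return width * height * channels;
}

/* Parse "width height" from a header line (constructed input format for
 * this example), allocate with the checked size, and report success.
 * The buffer is freed before returning so the function is self-contained. */
int header_alloc_ok(const char *header, long channels, long bytes_per_sample)
{
    long w, h;
    if (sscanf(header, "%ld %ld", &w, &h) != 2)
        return 0;
    size_t n = checked_image_size(w, h, channels, bytes_per_sample);
    if (n == 0)
        return 0;
    unsigned char *buf = calloc(n, 1);
    if (buf == NULL)
        return 0;
    free(buf);
    return 1;
}

int main(void)
{
    printf("640x480 RGB: %zu bytes\n", checked_image_size(640, 480, 3, 1));
    printf("65536x65537 naive: %u bytes (wrapped)\n",
           naive_image_size(65536, 65537, 1));
    printf("65536x65537 checked: %zu (0 = rejected)\n",
           checked_image_size(65536, 65537, 1, 1));
    return 0;
}
```

The checked path rejects the same dimensions that make the naive computation wrap to a small value, which is the condition AddressSanitizer flags when the converter later writes a full-size image into the undersized buffer.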