DEBIAN-CVE-2026-33416

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, pngsettRNS and pngsetPLTE each alias a heap-allocated buffer between png_struct and png_info, sharing a single allocation across two structs with independent lifetimes. The trans_alpha aliasing has been present since at least libpng 1.0, and the palette aliasing since at least 1.2.1. Both affect all prior release lines pngsettRNS sets pngptr->transalpha = infoptr->transalpha (256-byte buffer) and pngsetPLTE sets infoptr->palette = pngptr->palette (768-byte buffer). In both cases, calling pngfreedata (with PNGFREETRNS or PNGFREEPLTE) frees the buffer through info_ptr while the corresponding png_ptr pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to pngsettRNS or pngsetPLTE has the same effect, because both functions call pngfreedata internally before reallocating the info_ptr buffer. Version 1.6.56 fixes the issue.