VYPR
Unrated severity · NVD Advisory · Published Feb 20, 2018 · Updated Aug 5, 2024

CVE-2017-6192

Description

Buffer overflow in APNGDis 2.8 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted image containing a malformed chunk size descriptor.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

APNGDis 2.8 and earlier contains a heap buffer overflow in chunk size descriptor parsing, leading to denial of service or potential code execution via a crafted PNG.

Vulnerability

APNGDis version 2.8 (and earlier) suffers from a heap buffer overflow vulnerability in the read_chunk function when processing malformed chunk size descriptors in APNG files [1][3]. The tool fails to validate the chunk size value read from the input file, leading to an undersized allocation and subsequent out-of-bounds write. The proof-of-concept image contains an IHDR chunk size descriptor of 0xFFFFFFF4, which triggers the overflow [3].

Exploitation

An attacker can exploit this by crafting a malicious APNG file with a chunk size descriptor containing a large value (e.g., exceeding expected boundaries) [3]. The file must be loaded by a victim using APNGDis; no special privileges or authentication are required. When the program reads the crafted chunk size, it allocates insufficient memory and then writes data beyond the allocated buffer [1][3]. The exploit can be delivered remotely via a website or email attachment.

Impact

Successful exploitation results in a heap-based buffer overflow, which can cause a denial of service (application crash) as demonstrated by the free() error and invalid memory writes shown in the references [1][3]. Under controlled conditions, an attacker may achieve arbitrary code execution with the privileges of the user running APNGDis, though the available references primarily demonstrate crash conditions [1][3].

Mitigation

No official patch or fixed version has been released; APNGDis 2.8 is the last version available from SourceForge [1][3]. Users should avoid processing untrusted APNG files with this tool. As no further development is known, the only mitigation is to discontinue use of APNGDis and migrate to an alternative image decoder that properly validates chunk sizes.
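The chunk-size validation that the Vulnerability and Mitigation sections call for, as an added example in C (not APNGDis source and not taken from the cited references): a walker that rejects a declared chunk length above the PNG limit of 2^31 - 1, an IHDR whose length is not 13, or a length that runs past the end of the input. `naive_alloc_size` is a hypothetical illustration, assuming a reader that adds the 12 bytes of chunk framing in 32-bit arithmetic, of how the length 0xFFFFFFF4 can produce an undersized allocation; all function names and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example: bounds-checked PNG/APNG chunk walker (not APNGDis code). */
enum { CHUNK_OK = 0, CHUNK_TRUNCATED = -1, CHUNK_LEN_TOO_BIG = -2,
       CHUNK_BAD_IHDR = -3, CHUNK_BAD_SIG = -4 };
#define PNG_MAX_CHUNK_LEN 0x7FFFFFFFu   /* PNG spec: length <= 2^31 - 1 */
#define CHUNK_FRAMING 12u               /* 4 length + 4 type + 4 CRC */

/* Constructed sample: signature, then an IHDR header declaring 0xFFFFFFF4. */
static const uint8_t SAMPLE_BAD[] = {0x89,'P','N','G','\r','\n',0x1A,'\n',
    0xFF,0xFF,0xFF,0xF4,'I','H','D','R', 0,0,0,1};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical unchecked sizing: 32-bit "length + framing" wraps around. */
uint32_t naive_alloc_size(uint32_t declared_len) {
    return declared_len + CHUNK_FRAMING;  /* 0xFFFFFFF4 + 12 == 0 mod 2^32 */
}

/* Validate the chunk at buf[off]; on success store its full size in *total. */
int check_chunk(const uint8_t *buf, size_t buflen, size_t off, size_t *total) {
    if (off > buflen || buflen - off < 8) return CHUNK_TRUNCATED;
    uint32_t len = be32(buf + off);
    if (len > PNG_MAX_CHUNK_LEN) return CHUNK_LEN_TOO_BIG;
    if (memcmp(buf + off + 4, "IHDR", 4) == 0 && len != 13) return CHUNK_BAD_IHDR;
    size_t rest = buflen - off - 8;       /* bytes after length + type */
    /* Compare by subtraction so nothing is ever added to the declared length. */
    if (len > rest || rest - len < 4) return CHUNK_TRUNCATED;
    *total = (size_t)len + CHUNK_FRAMING;
    return CHUNK_OK;
}

/* Walk every chunk after the 8-byte signature; return the first error found. */
int validate_png(const uint8_t *buf, size_t buflen) {
    static const uint8_t sig[8] = {0x89,'P','N','G','\r','\n',0x1A,'\n'};
    if (buflen < 8 || memcmp(buf, sig, 8) != 0) return CHUNK_BAD_SIG;
    size_t off = 8, total = 0;
    while (off < buflen) {
        int rc = check_chunk(buf, buflen, off, &total);
        if (rc != CHUNK_OK) return rc;
        off += total;
    }
    return CHUNK_OK;
}
```

Running `validate_png` over a file before handing it to a decoder gives a pre-filter that rejects `SAMPLE_BAD` with `CHUNK_LEN_TOO_BIG`; it does not verify chunk CRCs.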

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
