CVE-2019-9210
Description
AdvanceCOMP 2.1 advpng has an integer overflow in png_compress leading to heap buffer overflow when processing a crafted PNG file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In AdvanceCOMP 2.1, the png_compress function in pngex.cc of advpng contains an integer overflow vulnerability [1]. When processing a PNG file with an invalid size, the overflow causes an attempted memcpy to write into a buffer that is too small, resulting in a heap-based buffer overflow. Additionally, a heap-based buffer over-read occurs [1]. The vulnerable code path is reachable when advpng is invoked on a specially crafted PNG file.
Exploitation
An attacker must provide a crafted PNG file to the victim. No authentication or special privileges are required; the victim only needs to run advpng -z on the malicious file [1]. The integer overflow occurs during size calculation, leading to an undersized heap buffer allocation. Subsequent memcpy writes beyond the allocated buffer, corrupting heap metadata or adjacent data.
Impact
Successful exploitation can lead to arbitrary code execution in the context of the user running advpng [2]. The heap buffer overflow may allow an attacker to overwrite critical data structures, potentially gaining control of the program flow. The accompanying heap over-read could leak sensitive information from memory.
Mitigation
The vulnerability is fixed in later versions of AdvanceCOMP; the SourceForge bug report is marked as closed-fixed [1]. Ubuntu released USN-3936-2 on 23 April 2019, providing updated packages for Ubuntu 19.04 [2]. Users should upgrade to the patched version. As a workaround, avoid processing untrusted PNG files with advpng until the update is applied.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: advancecomp-1_10, advancecomp-1_11, advancecomp-1_12, …
- Range: = 2.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Integer overflow in `fil_scanline = dx * img_pixel + 1` when `dx` is an invalid large value leads to a zero‑byte allocation and a subsequent heap buffer overflow in `memcpy`."
Attack vector
An attacker provides a crafted PNG file whose width field is set to an invalid value (e.g., `-1`, interpreted as `0xFFFFFFFF`). When `advpng -z` processes this file, `png_compress()` computes `fil_scanline = dx * img_pixel + 1`, which overflows to zero. This causes a zero‑byte heap allocation, and the subsequent `memcpy(p0, p1, dx * img_pixel)` attempts to copy `0xFFFFFFFF` bytes into that tiny buffer, producing a heap‑based buffer overflow [1]. No authentication is required; the attacker only needs to supply the malformed PNG to the victim's command line.
Affected code
The vulnerability resides in `png_compress()` in `pngex.cc` (line 55) and is triggered through `png_write()` in the same file (line 355). The call chain flows from `write_image()` in `repng.cc` (line 101) through `convert_f()` and `convert_inplace()`.
What the fix does
The advisory does not include a published patch. The bug report states the issue was closed as fixed, but no diff is provided. The root cause is the lack of validation on the PNG width (`dx`) before the arithmetic in `fil_scanline = dx * img_pixel + 1`; a proper fix would check that `dx` and `dy` are within sane bounds and that the multiplication does not overflow before allocating the filter buffer.
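An added example, not AdvanceCOMP's code or the upstream fix: the wrap in `fil_scanline = dx * img_pixel + 1` beside one way to write the validation the paragraph above describes. The function names, the 32-bit unsigned types, `img_pixel` as bytes per pixel, and the `scanline * dy` buffer size are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* PNG limits width and height to 1..2^31-1; 8 bytes is the largest pixel
   (16-bit RGBA). Treating img_pixel as bytes per pixel is an assumption. */
#define PNG_MAX_DIM   0x7FFFFFFFu
#define PNG_MAX_PIXEL 8u

/* The arithmetic from the root cause, in 32-bit unsigned math (assumed width
   of the original variables): the result wraps modulo 2^32. */
static uint32_t scanline_unchecked(uint32_t dx, uint32_t img_pixel)
{
    return dx * img_pixel + 1;
}

/* Hypothetical checked form: validates the dimensions, then proves each
   multiplication fits in size_t before performing it.
   Returns 0 and fills the outputs on success, -1 if the image is rejected. */
static int scanline_checked(uint32_t dx, uint32_t dy, uint32_t img_pixel,
                            size_t *scanline, size_t *total)
{
    if (dx == 0 || dy == 0 || dx > PNG_MAX_DIM || dy > PNG_MAX_DIM)
        return -1;
    if (img_pixel == 0 || img_pixel > PNG_MAX_PIXEL)
        return -1;
    if (dx > (SIZE_MAX - 1) / img_pixel)      /* guards dx * img_pixel + 1 */
        return -1;
    size_t line = (size_t)dx * img_pixel + 1;
    if (dy > SIZE_MAX / line)                 /* guards line * dy */
        return -1;
    *scanline = line;
    *total = line * dy;
    return 0;
}

int main(void)
{
    size_t line = 0, total = 0;
    /* Constructed inputs: the invalid width from the report, then a sane image. */
    printf("unchecked(0xFFFFFFFF, 1) = %u\n", (unsigned)scanline_unchecked(0xFFFFFFFFu, 1));
    printf("checked(0xFFFFFFFF, 1, 1) = %d\n", scanline_checked(0xFFFFFFFFu, 1, 1, &line, &total));
    if (scanline_checked(640, 480, 3, &line, &total) == 0)
        printf("checked(640, 480, 3): scanline=%zu total=%zu\n", line, total);
    return 0;
}
```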
Preconditions
- input: The attacker must supply a PNG file with an invalid width (e.g., 0xFFFFFFFF) that causes integer overflow in the dimension calculation.
- input: The victim must run `advpng -z` on the crafted file.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R56LVWC7KUNXFRKQB3Y5NX2YHFJKYZB4/ (mitre, vendor-advisory, x_refsource_FEDORA)
- usn.ubuntu.com/3936-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/3936-2/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- lists.debian.org/debian-lts-announce/2019/03/msg00004.html (mitre, mailing-list, x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2021/12/msg00034.html (mitre, mailing-list, x_refsource_MLIST)
- sourceforge.net/p/advancemame/bugs/277/ (mitre, x_refsource_MISC)