CVE-2020-28248
Description
An integer overflow in png-img's PngImg::InitStorage_() causes heap under-allocation and buffer overflow when loading a crafted PNG, potentially allowing remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Details
CVE-2020-28248 is an integer overflow vulnerability in the PngImg::InitStorage_() function of the png-img library, a Node.js binding for libpng. The overflow occurs when computing the size of a heap buffer: info_.height * info_.rowbytes. Both operands are 32-bit unsigned integers (png_uint_32), and the multiplication can wrap around, resulting in a small allocation. For example, setting height to 0x01000001 and rowbytes to 0x100 yields a product of 0x100 after truncation, leading to an under-allocated buffer [1][3].
Exploitation
An attacker can exploit this by crafting a PNG file with carefully chosen height and rowbytes values that trigger the integer overflow. When the library processes the image, the subsequent loop that populates row pointers writes beyond the allocated memory, causing a heap-based buffer overflow. No authentication or special privileges are required; the victim only needs to load the malicious PNG using png-img [3].
Impact
Successful exploitation allows an attacker to corrupt heap memory, potentially leading to arbitrary code execution or denial of service. Additionally, the version of png-img affected (before 3.1.0) bundles libpng 1.6.14, which contains other known vulnerabilities, increasing the risk [3].
Mitigation
The vulnerability was fixed in png-img version 3.1.0, released on October 5, 2020. Users should upgrade to this version or later. The fix, shown in the patch below, widens both operands to size_t and checks for overflow before allocating [1][4].
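As an added illustration (this is not code from png-img, the advisory, or the fix commit), the following C++ puts the two size computations side by side: the 32-bit product that wraps for the advisory's height and rowbytes values, and an overflow-checked size_t computation modelled on the 3.1.0 fix. The function names, the explicit zero-dimension guard and the "rows fit in the allocation" helper are assumptions of this example; no PNG is parsed and no memory is written past a buffer.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Pre-3.1.0 arithmetic: both operands are png_uint_32, so the product is
// computed in 32 bits and wraps modulo 2^32 before new[] ever sees it.
uint32_t wrapped_buffer_size(uint32_t height, uint32_t rowbytes) {
    return height * rowbytes;   // unsigned wrap is well defined, but silently truncates
}

// Bytes the row-pointer loop actually needs (computed without wrapping),
// compared with what was allocated. False means the rows run past the buffer.
bool allocation_covers_rows(unsigned long long allocated, uint32_t height, uint32_t rowbytes) {
    const unsigned long long needed = static_cast<unsigned long long>(height) * rowbytes;
    return needed <= allocated;
}

// Overflow-checked computation in the spirit of the 3.1.0 fix: operands are
// widened to size_t and the product is checked against SIZE_MAX before it is
// used for allocation. Returns 0 on rejection (0 is never a valid image size).
size_t checked_buffer_size(size_t height, size_t rowbytes) {
    // Zero dimensions are invalid, and rejecting rowbytes == 0 here also keeps
    // the division below defined (assumed guard; the upstream patch omits it).
    if (height == 0 || rowbytes == 0) return 0;
    // For positive integers a * b > c  <=>  a > c / b (integer division), so this
    // test is exact and needs no wider integer type.
    if (height > std::numeric_limits<size_t>::max() / rowbytes) return 0;
    return height * rowbytes;
}

int main() {
    // Values from the advisory (constructed example input, no image file involved).
    const uint32_t height = 0x01000001u, rowbytes = 0x100u;

    const uint32_t wrapped = wrapped_buffer_size(height, rowbytes);
    std::printf("32-bit product: 0x%x bytes allocated for %u rows of %u bytes\n",
                wrapped, height, rowbytes);
    std::printf("rows fit in that allocation: %s\n",
                allocation_covers_rows(wrapped, height, rowbytes) ? "yes" : "no");

    const size_t checked = checked_buffer_size(height, rowbytes);
    if (checked == 0)
        std::printf("checked: rejected, product does not fit in size_t on this platform\n");
    else
        std::printf("checked: %zu bytes (exact product, no wrap)\n", checked);
    return 0;
}
```

On a 64-bit build the checked version accepts the advisory's values and returns the true product (0x100000100 bytes, just over 4 GiB), which is exactly why the widening alone is enough there; on a 32-bit build the same call is rejected by the division check instead of wrapping. The unchecked 32-bit product is 0x100 bytes either way, which is the under-allocation the advisory describes.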
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| png-img (npm) | < 3.1.0 | 3.1.0 |
Affected products
- png-img/png-img
Patches
- 14ac462a32ca: Handle image size overflow
1 file changed · +12 −2
src/PngImg.cc+12 −2 modified@@ -60,10 +60,20 @@ void PngImg::ReadInfo_(PngReadStruct& rs) { /// void PngImg::InitStorage_() { rowPtrs_.resize(info_.height, nullptr); - data_ = new png_byte[info_.height * info_.rowbytes]; + // Extend height and rowbytes from uint32_t to size_t to avoid multiplication overflow when size_t is larger + size_t h = info_.height; + size_t rb = info_.rowbytes; + // We need to make sure that info_.height * info_.rowbytes will not overflow size_t + // Unfotunately, there's no simple and portable way to do this in C++ + // For integer division of positive numbers a * b > c <==> a > c / b holds + if (h > std::numeric_limits<size_t>::max() / rb) { + // TODO Propagate this exception to JS, and test it + throw std::runtime_error("Image is too large to allocate single buffer"); + } + data_ = new png_byte[h * rb]; for(size_t i = 0; i < info_.height; ++i) { - rowPtrs_[i] = data_ + i * info_.rowbytes; + rowPtrs_[i] = data_ + i * rb; } }
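Review bot: the new guard divides by `rb` without first checking it for zero, so if `info_.rowbytes` is ever 0 the expression `std::numeric_limits<size_t>::max() / rb` is undefined behaviour; widen the condition to `if (rb == 0 || h > std::numeric_limits<size_t>::max() / rb)` (a zero-byte row is not a valid image anyway). The TODO in the same hunk admits the new `std::runtime_error` is neither propagated to JS nor tested; the exception path should get a test with an oversized header before this merges, otherwise the error surfaces only as an uncaught native exception. Smaller points: the loop condition still reads `i < info_.height` while the body switched to `rb`, so using `h` there keeps the widened types consistent; `std::numeric_limits` needs `<limits>`, which the hunk does not show being included; and "Unfotunately" in the comment is a typo.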
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-q5wr-fvpq-p67g (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2020-28248 (advisory)
3. securitylab.github.com/advisories/GHSL-2020-142-gemini-png-img (advisory)
4. github.com/gemini-testing/png-img/commit/14ac462a32ca4b3b78f56502ac976d5b0222ce3d (fix commit)
5. github.com/gemini-testing/png-img/compare/v3.0.0...v3.1.0 (version comparison)