pngimagefree in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because pngimagefreefunction is called under pngsafe_execute.
{ "vanir_signatures": [ { "deprecated": false, "digest": { "line_hashes": [ "241838778844194275048866028647484350554" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line", "source": "https://github.com/glennrp/libpng/commit/a40189cf881e9f0db80511c382292a5604c3c3d1", "id": "CVE-2019-7317-1adc9370", "target": { "file": "pngtest.c" } }, { "deprecated": false, "digest": { "line_hashes": [ "166375070723291529406421301066248769034", "275647010778297936193963675511576832388", "256826767335212246520616614652191899280", "279336807821086835335477021495116274772", "99841383750098798180616484435499546727", "159302944862349488787630211743777147289", "331742628729745467196492355602919503505", "120425966103587571923372910432028590987" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line", "source": "https://github.com/glennrp/libpng/commit/a40189cf881e9f0db80511c382292a5604c3c3d1", "id": "CVE-2019-7317-40ec0e87", "target": { "file": "png.h" } }, { "deprecated": false, "digest": { "line_hashes": [ "4483812120425865394765832017743841760", "295930966388919334935205960237712292835", "117419540564145513858588339867436813964", "150157320390828655074241172061404527079", "15219066793749250240221192274865703159", "256432711195399036927642262353737110687" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line", "source": "https://github.com/glennrp/libpng/commit/a40189cf881e9f0db80511c382292a5604c3c3d1", "id": "CVE-2019-7317-62df7d76", "target": { "file": "png.c" } }, { "deprecated": false, "digest": { "length": 481.0, "function_hash": "182119414766575611561000861233124297530" }, "signature_version": "v1", "signature_type": "Function", "source": "https://github.com/glennrp/libpng/commit/a40189cf881e9f0db80511c382292a5604c3c3d1", "id": "CVE-2019-7317-693aebdc", "target": { "function": "png_get_copyright", "file": "png.c" } } ] }