LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, png set tRNS and png set PLTE each alias a heap-allocated buffer between png struct and png info, sharing a single allocation across two structs with independent lifetimes. The trans alpha aliasing has been present since at least libpng 1.0, and the palette aliasing since at least 1.2.1. Both affect all prior release lines png set tRNS sets png ptr->trans alpha = info ptr->trans alpha (256-byte buffer) and png set PLTE sets info ptr->palette = png ptr->palette (768-byte buffer). In both cases, calling png free data (with PNG FREE TRNS or PNG FREE PLTE) frees the buffer through info ptr while the corresponding png ptr pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to png set tRNS or png set PLTE has the same effect, because both functions call png free data internally before reallocating the info ptr buffer. Version 1.6.56 fixes the issue.