CVE-2021-4214: A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with...
5.5
Root Cause Analysis
This analysis is based primarily on GitHub issue #302, which the CVE references. The issue includes an ASAN (AddressSanitizer) trace that identifies the function 'compare_read' in 'contrib/libtests/pngimage.c' as the location of the heap buffer overflow. The trace also shows the call stack leading to it: 'main' -> 'do_test' -> 'test_one_file' -> 'compare_read'.

The issue description explains that the overflow occurs because the buffers 'orig' and 'row' might not hold enough data for the specified bytes-per-pixel ('bpp'), which leads to an out-of-bounds access. The CVE description likewise places the flaw in 'libpngs' pngimage.c program', that is, in the pngimage utility.

The commit associated with the report (301f7a14295a3bdfaf406dbb5004d0784dc137ea) is a fuzzer update, not a direct fix for this vulnerability; the issue report indicates that the vulnerability was present in the code at the time of that commit. Since no fixing patch was provided, the identification of vulnerable functions relies on the diagnostic information from the issue tracker.
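The class of bug described above, a per-pixel row comparison that trusts 'bpp' without checking the buffer sizes, can be closed by validating the whole row before the first read. The following is an added example, not code from libpng or from the issue report; the function name, result codes, explicit length parameters and per-byte mask are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes; not libpng identifiers. */
enum { ROWS_EQUAL = 0, ROWS_DIFFER = 1, ROWS_BAD_BOUNDS = -1 };

/* Compare `width` pixels of `bpp` bytes each from two row buffers.
 * orig_len/row_len are the allocated sizes in bytes; sig_mask holds one
 * mask per channel byte (assumed layout). No byte is read until the
 * whole row is proven to fit inside both buffers. */
int compare_rows_checked(const uint8_t *orig, size_t orig_len,
                         const uint8_t *row, size_t row_len,
                         size_t width, size_t bpp,
                         const uint8_t *sig_mask)
{
    if (orig == NULL || row == NULL || sig_mask == NULL)
        return ROWS_BAD_BOUNDS;
    if (bpp == 0 || bpp > 8)            /* 8 = 4 channels x 16 bits */
        return ROWS_BAD_BOUNDS;
    if (width > SIZE_MAX / bpp)         /* width * bpp would wrap */
        return ROWS_BAD_BOUNDS;

    size_t needed = width * bpp;
    if (needed > orig_len || needed > row_len)
        return ROWS_BAD_BOUNDS;         /* the out-of-bounds case */

    for (size_t x = 0; x < width; ++x) {
        const uint8_t *o = orig + x * bpp;
        const uint8_t *r = row + x * bpp;
        for (size_t b = 0; b < bpp; ++b)
            if ((o[b] & sig_mask[b]) != (r[b] & sig_mask[b]))
                return ROWS_DIFFER;
    }
    return ROWS_EQUAL;
}

int main(void)
{
    /* Constructed sample data: two RGBA pixels, 8 bytes per row. */
    const uint8_t mask[4] = {0xF0, 0xF0, 0xF0, 0xFF};
    const uint8_t a[8] = {0x10, 0x20, 0x30, 0xFF, 0x40, 0x50, 0x60, 0xFF};
    const uint8_t b[8] = {0x1F, 0x2F, 0x3F, 0xFF, 0x4F, 0x5F, 0x6F, 0xFF};

    printf("2 px: %d\n", compare_rows_checked(a, 8, b, 8, 2, 4, mask));
    printf("3 px: %d\n", compare_rows_checked(a, 8, b, 8, 3, 4, mask));
    return 0;
}
```

Building a test harness like this with `-fsanitize=address` gives the same kind of trace the issue report relied on if a bounds check is ever removed.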