png_image_free in png.c in libpng 1.6.36 has a use-after-free because png_image_free_function is called under png_safe_execute.
png_image_free in png.c in libpng 1.6.36 has a use-after-free because png_image_free_function is called under png_safe_execute.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803 https://github.com/glennrp/libpng/issues/275