CVE-2021-3696: Heap OOB R/W in GRUB2 grub_png_insert_huff_item

CVE-2021-3696: A heap out-of-bounds read/write vulnerability in GRUB2's PNG loader (grub-core/video/readers/png.c). The function grub_png_insert_huff_item() computes n = sum of maxval[len..max_length-1] (number of existing codes with lengths > len), then shifts ht->values entries and writes the new code at index ht->num_values - n. If n > ht->num_values, the index becomes negative, causing OOB heap access. This is triggered when processing DEFLATE dynamic Huffman blocks within crafted IDAT chunks in a PNG file. The fix adds a guard: if (n > ht->num_values) { error; return; }. The briefing references iCCP chunks as the trigger, but the actual vulnerability is in the DEFLATE Huffman table insertion path reachable via crafted IDAT data after any iCCP chunk.