According to upstream this issue will be fixed in the next update of libpng. A fix with instructions for reproducing the issue can be found at [1]. 
After code review, it seems that all the versions from 1.5.7 and on are affected. Specifically, the vulnerable functionality was introduced with commit [2]. 
Thus regarding our packages:

libpng15 is affected (SLE12SP1)
libpng16 is affected (SLE15 and SLE12)

[1] https://github.com/glennrp/libpng/issues/275
[2] https://github.com/glennrp/libpng/commit/7875d534cb7967a737afdee090dd69e68661d4bf

For 1.6.36, I really get:

$ gcc -o png_uar png_uar.c -lasan -lz -lpng
$ ASAN_OPTIONS=detect_stack_use_after_return=1 ./png_uar
=================================================================
==32613==ERROR: AddressSanitizer: stack-use-after-return on address 0x7fc8292000b0 at pc 0x7fc82cd80a0f bp 0x7ffcd8b20370 sp 0x7ffcd8b20368
WRITE of size 8 at 0x7fc8292000b0 thread T0
    #0 0x7fc82cd80a0e in png_safe_execute /usr/src/debug/libpng16-1.6.36-0.x86_64/pngerror.c:954
    #1 0x7fc82cd7d929 in png_image_free /usr/src/debug/libpng16-1.6.36-0.x86_64/png.c:4592
    #2 0x7fc82cd7d929 in png_image_free /usr/src/debug/libpng16-1.6.36-0.x86_64/png.c:4582
    #3 0x7fc82cd809ff in png_safe_execute /usr/src/debug/libpng16-1.6.36-0.x86_64/pngerror.c:958
    #4 0x557e26654241 in main (/124211/png_uar+0x1241)
    #5 0x7fc82cbc301a in __libc_start_main (/lib64/libc.so.6+0x2401a)
    #6 0x557e26654089 in _start (/124211/png_uar+0x1089)

Address 0x7fc8292000b0 is located in stack of thread T0 at offset 48 in frame
    #0 0x7fc82cd7151f in png_image_free_function /usr/src/debug/libpng16-1.6.36-0.x86_64/png.c:4523

  This frame has 1 object(s):
    [32, 80) 'c' <== Memory access at offset 48 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return /usr/src/debug/libpng16-1.6.36-0.x86_64/pngerror.c:954 in png_safe_execute
Shadow bytes around the buggy address:
  0x0ff985237fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985237fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985237fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985237ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985238000: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0x0ff985238010: f5 f5 f5 f5 f5 f5[f5]f5 f5 f5 f5 f5 00 00 00 00
  0x0ff985238020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985238030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985238040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985238050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff985238060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32613==ABORTING
$

15/libpng16: get the ASAN report
12/libpng16: do not get the ASAN report

As far as I can see, 12sp1/libpng15. According to CHANGES:

Version 1.5.7beta02 [November 11, 2011]
  Simplified read/write API initial version; basic read/write tested on
    a variety of images, limited documentation (in the header file.)
[..]
Version 1.5.7beta05 [November 25, 2011]
  Backed out 'simplified' API changes. The API seems too complex and there
    is a lack of consensus or enthusiasm for the proposals.  The API also
    reveals significant bugs inside libpng (double gamma correction and the
    known bug of being unable to retrieve a corrected palette). It seems
    better to wait until the bugs, at least, are corrected.

As far as I can see, they never get it into 1.5 anymore. So it seems it is 1.6 specific.

Even if Cosmin already posted a patch in the bug as a comment, I would rather wait a while for inclusion into code base.

(In reply to Petr Gajdos from comment #4)
> As far as I can see, 12sp1/libpng15. According to CHANGES:

As far as I can see, 12sp1/libpng15 is not affected.

I think asan has no detect_stack_use_after_return feature in 12.

(At least what strings say.)

AFTER

15/libpng16

$ ./png_uar
$

Packages submitted for 15,12/libpng16.

I believe all fixed.

SUSE-SU-2019:1398-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1100687,1121624,1124211
CVE References: CVE-2018-13785,CVE-2019-7317
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    libpng16-1.6.34-3.9.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    libpng16-1.6.34-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1530-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1100687,1121624,1124211
CVE References: CVE-2018-13785,CVE-2019-7317
Sources used:
openSUSE Leap 15.1 (src):    libpng16-1.6.34-lp151.3.3.1
openSUSE Leap 15.0 (src):    libpng16-1.6.34-lp150.2.3.1

SUSE-SU-2019:1398-2: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1100687,1121624,1124211
CVE References: CVE-2018-13785,CVE-2019-7317
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    libpng16-1.6.34-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libpng16-1.6.34-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:3060-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1124211,1141493
CVE References: CVE-2017-12652,CVE-2019-7317
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP5 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP4 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    libpng16-1.6.8-15.5.2
SUSE CaaS Platform 3.0 (src):    libpng16-1.6.8-15.5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:3060-2: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1124211,1141493
CVE References: CVE-2017-12652,CVE-2019-7317
Sources used:
SUSE OpenStack Cloud 8 (src):    libpng16-1.6.8-15.5.2
SUSE OpenStack Cloud 7 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libpng16-1.6.8-15.5.2
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    libpng16-1.6.8-15.5.2
SUSE Enterprise Storage 5 (src):    libpng16-1.6.8-15.5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Done