Libpng contains a vulnerability in the way element pointers are handled.
A vulnerability in the way libpng handles element pointers may result in uninitialized element pointers. This vulnerability is due to an off-by-one error introduced in multiple functions in libpng-0.89c. According to the PNG Development Group:
If the application runs out of memory during the loop, some of the element pointers will be uninitialized. Libpng will then longjmp to a cleanup process that attempts to free all of the elements in the array, including the uninitialized ones. This behavior could be forced by a malevolent input.
This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service.
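As an added illustration, not libpng's code and not from the PNG Development Group, the following constructed C program models the allocation pattern described above: an array of element pointers is allocated, a loop fills each slot with its own allocation, and an out-of-memory failure part-way through hands the whole array to a cleanup routine. A fault-injecting allocator stands in for the out-of-memory condition, and a sentinel value stands in for whatever stale contents an uninitialized slot would hold. The function names, the budget mechanism and the sentinel are hypothetical; the vulnerable variant counts the wild pointers the cleanup would have passed to free() rather than actually freeing them.

```c
#include <stdlib.h>
#include <stddef.h>

/* Constructed illustration, not libpng's code. Models the pattern in the
 * advisory: an array of element (row) pointers is allocated, a loop fills
 * each slot with its own allocation, and an out-of-memory failure mid-loop
 * jumps to a cleanup that frees every slot. All names are hypothetical. */

/* Fault-injecting allocator: the first `budget` calls succeed, later ones
 * fail, standing in for the out-of-memory condition the advisory describes. */
static size_t g_alloc_budget;

static void *budgeted_malloc(size_t n)
{
    if (g_alloc_budget == 0)
        return NULL;
    g_alloc_budget--;
    return malloc(n);
}

/* Deterministic stand-in for stale contents of uninitialized memory; a real
 * uninitialized slot holds whatever happened to be there before. */
static unsigned char poison_byte;
#define POISON (&poison_byte)

/* Cleanup that walks every slot unconditionally, as the vulnerable cleanup
 * path does. A slot still holding POISON is a wild pointer that the
 * vulnerable code would hand to free(); here it is counted instead. */
static size_t cleanup_all(unsigned char **rows, size_t count)
{
    size_t wild = 0;
    for (size_t i = 0; i < count; i++) {
        if (rows[i] == POISON)
            wild++;            /* vulnerable code would call free() here */
        else
            free(rows[i]);     /* free(NULL) is a safe no-op */
    }
    free(rows);
    return wild;
}

/* Vulnerable shape: the pointer array is never zero-initialized, so slots
 * past the failure point still hold stale contents when cleanup runs.
 * Returns the number of wild pointers the cleanup would have freed. */
size_t alloc_rows_vulnerable(size_t count, size_t budget, size_t row_bytes)
{
    g_alloc_budget = budget;
    unsigned char **rows = malloc(count * sizeof *rows);
    if (rows == NULL)
        return 0;
    for (size_t i = 0; i < count; i++)
        rows[i] = POISON;      /* emulate uninitialized slot contents */
    for (size_t i = 0; i < count; i++) {
        unsigned char *p = budgeted_malloc(row_bytes);
        if (p == NULL)
            return cleanup_all(rows, count);   /* longjmp-style cleanup */
        rows[i] = p;
    }
    return cleanup_all(rows, count);           /* normal teardown */
}

/* Hardened shape: every slot is zeroed before any allocation can fail
 * (calloc here; memset after malloc is equivalent), so cleanup only ever
 * sees NULL or a pointer it is allowed to free. Returns the wild-pointer
 * count, which is always 0. */
size_t alloc_rows_fixed(size_t count, size_t budget, size_t row_bytes)
{
    g_alloc_budget = budget;
    unsigned char **rows = calloc(count, sizeof *rows);
    if (rows == NULL)
        return 0;
    for (size_t i = 0; i < count; i++) {
        unsigned char *p = budgeted_malloc(row_bytes);
        if (p == NULL)
            return cleanup_all(rows, count);
        rows[i] = p;
    }
    return cleanup_all(rows, count);
}
```

With eight slots and an allocator that fails on the fourth call, the vulnerable variant reports five wild pointers (slots 3 through 7 were never written), while the zero-initialized variant reports none under the same failure; the only difference between the two is whether the array is cleared before the loop that can fail.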
This issue was reported by the PNG Development Group in libpng version 1.2.35.
This document was written by Chris Taschner.
Date First Published: 2009-03-02
Date Last Updated: 2009-03-06 15:39 UTC