libpng reads uninitialized memory when processing invalid sCAL chunks.
When libpng encounters a sCAL chunk that is empty, it will read uninitialized memory. libpng also does not properly handle a sCAL chunk that lacks the terminating zero between the two strings conveyed.
Additional details can be found on the png-mng-implement mailing list archives.
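The two malformed cases described above (an empty sCAL chunk, and a chunk with no zero byte between its two strings) can be rejected with bounded checks before any field is read. The following is an added example, not libpng's code; all names are hypothetical, and the payload layout (unit byte, width string, zero separator, height string) is assumed from the PNG sCAL chunk definition.

```c
#include <stddef.h>
#include <string.h>
/* Added example: names below are hypothetical, not libpng identifiers. */
enum scal_status {
    SCAL_OK = 0,
    SCAL_EMPTY,         /* zero-length chunk: there is nothing to read */
    SCAL_TOO_SHORT,     /* cannot hold unit + width + zero + height */
    SCAL_BAD_UNIT,      /* unit specifier is not 1 (metre) or 2 (radian) */
    SCAL_NO_SEPARATOR,  /* no zero byte between the two strings */
    SCAL_EMPTY_STRING   /* width or height string has no characters */
};

struct scal_fields {
    unsigned char unit;
    const unsigned char *width;  size_t width_len;
    const unsigned char *height; size_t height_len;
};

/* Validate an sCAL payload of `len` bytes without reading past data[len-1].
 * On SCAL_OK, `out` (if non-NULL) points into `data`; the height string is
 * not zero-terminated, so callers must use height_len. */
enum scal_status scal_check(const unsigned char *data, size_t len,
                            struct scal_fields *out)
{
    if (len == 0) return SCAL_EMPTY;
    if (len < 4) return SCAL_TOO_SHORT;
    if (data[0] != 1 && data[0] != 2) return SCAL_BAD_UNIT;
    /* Bounded search: never assume the separator exists. */
    const unsigned char *sep = memchr(data + 1, 0, len - 1);
    if (sep == NULL) return SCAL_NO_SEPARATOR;

    size_t width_len = (size_t)(sep - (data + 1));
    size_t height_len = len - 2 - width_len;
    if (width_len == 0 || height_len == 0) return SCAL_EMPTY_STRING;
    if (out != NULL) {
        out->unit = data[0];
        out->width = data + 1;   out->width_len = width_len;
        out->height = sep + 1;   out->height_len = height_len;
    }
    return SCAL_OK;
}

int main(void)
{
    /* Constructed sample payload: unit=1, width "1.5", zero, height "2.5". */
    static const unsigned char ok[] = { 1, '1', '.', '5', 0, '2', '.', '5' };
    return scal_check(ok, sizeof ok, NULL) == SCAL_OK ? 0 : 1;
}
```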
By tricking a user into opening a specially crafted PNG file within an application that uses libpng, an attacker may be able to cause a denial of service crash.
Apply an Update
Thanks to Glenn Randers-Pehrson for reporting this vulnerability.
This document was written by Jared Allar.
Date First Published: 2011-07-07
Date Last Updated: 2011-07-07 18:39 UTC