The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libpng | Libpng | 1.0.0 (including) | 1.0.55 (excluding) |
| Libpng | Libpng | 1.2.0 (including) | 1.2.45 (excluding) |
| Libpng | Libpng | 1.4.0 (including) | 1.4.8 (excluding) |
| Libpng | Libpng | 1.5.0 (including) | 1.5.4 (excluding) |
| Chromium-browser | Ubuntu | lucid | * |
| Chromium-browser | Ubuntu | maverick | * |
| Chromium-browser | Ubuntu | natty | * |
| Chromium-browser | Ubuntu | oneiric | * |
| Firefox | Ubuntu | devel | * |
| Firefox | Ubuntu | hardy | * |
| Firefox | Ubuntu | lucid | * |
| Firefox | Ubuntu | maverick | * |
| Firefox | Ubuntu | natty | * |
| Firefox | Ubuntu | oneiric | * |
| Firefox | Ubuntu | precise | * |
| Libpng | Ubuntu | upstream | * |