Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libpng | Libpng | * | 1.5.13 (including) |
| Libpng | Libpng | 1.5.0-beta (including) | 1.5.0-beta (including) |
| Libpng | Libpng | 1.5.1 (including) | 1.5.1 (including) |
| Libpng | Libpng | 1.5.1-beta (including) | 1.5.1-beta (including) |
| Libpng | Libpng | 1.5.2 (including) | 1.5.2 (including) |
| Libpng | Libpng | 1.5.2-beta (including) | 1.5.2-beta (including) |
| Libpng | Libpng | 1.5.3-beta (including) | 1.5.3-beta (including) |
| Libpng | Libpng | 1.5.4 (including) | 1.5.4 (including) |
| Libpng | Libpng | 1.5.4-beta (including) | 1.5.4-beta (including) |
| Libpng | Libpng | 1.5.5 (including) | 1.5.5 (including) |
| Libpng | Libpng | 1.5.5-beta (including) | 1.5.5-beta (including) |
| Libpng | Libpng | 1.5.6 (including) | 1.5.6 (including) |
| Libpng | Libpng | 1.5.6-beta (including) | 1.5.6-beta (including) |
| Libpng | Libpng | 1.5.7 (including) | 1.5.7 (including) |
| Libpng | Libpng | 1.5.7-beta (including) | 1.5.7-beta (including) |
| Libpng | Libpng | 1.5.8 (including) | 1.5.8 (including) |
| Libpng | Libpng | 1.5.8-beta (including) | 1.5.8-beta (including) |
| Libpng | Libpng | 1.5.9 (including) | 1.5.9 (including) |
| Libpng | Libpng | 1.5.9-beta (including) | 1.5.9-beta (including) |
| Libpng | Libpng | 1.5.10-beta (including) | 1.5.10-beta (including) |
| Libpng | Libpng | 1.5.11 (including) | 1.5.11 (including) |
| Libpng | Libpng | 1.5.11-beta (including) | 1.5.11-beta (including) |
| Libpng | Libpng | 1.5.12 (including) | 1.5.12 (including) |
| Libpng | Libpng | 1.5.13-beta (including) | 1.5.13-beta (including) |