The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libpng | Libpng | 1.6.0 (including) | 1.6.0 (including) |
| Libpng | Libpng | 1.6.0-beta (including) | 1.6.0-beta (including) |
| Libpng | Libpng | 1.6.1 (including) | 1.6.1 (including) |
| Libpng | Libpng | 1.6.1-beta (including) | 1.6.1-beta (including) |
| Libpng | Libpng | 1.6.2 (including) | 1.6.2 (including) |
| Libpng | Libpng | 1.6.2-beta (including) | 1.6.2-beta (including) |
| Libpng | Libpng | 1.6.3 (including) | 1.6.3 (including) |
| Libpng | Libpng | 1.6.3-beta (including) | 1.6.3-beta (including) |
| Libpng | Libpng | 1.6.4 (including) | 1.6.4 (including) |
| Libpng | Libpng | 1.6.4-beta (including) | 1.6.4-beta (including) |
| Libpng | Libpng | 1.6.5 (including) | 1.6.5 (including) |
| Libpng | Libpng | 1.6.6 (including) | 1.6.6 (including) |
| Libpng | Libpng | 1.6.7 (including) | 1.6.7 (including) |
| Libpng | Libpng | 1.6.7-beta (including) | 1.6.7-beta (including) |
| Libpng | Libpng | 1.6.8 (including) | 1.6.8 (including) |
| Libpng | Libpng | 1.6.8-beta (including) | 1.6.8-beta (including) |
| Libpng | Libpng | 1.6.9 (including) | 1.6.9 (including) |
| Libpng | Libpng | 1.6.9-beta (including) | 1.6.9-beta (including) |