Libpng-1.2.16-ADVISORY.txt:

Libpng Security Advisory
15 May 2007

A grayscale PNG image with a malformed (bad CRC) tRNS chunk
will crash some libpng applications.

This vulnerability could be used to crash a browser when a
user tries to view such a malformed PNG file.  It is not known
whether the vulnerability could be exploited otherwise.

The reason is that png_ptr->num_trans is set to 1 and then there is
an error return after checking the CRC, so the trans[] array is never
allocated.  Since png_ptr->num_trans is nonzero, libpng tries to use
the array later.

This bug was first introduced in libpng version 0.90, in 1996.  All
versions from libpng-0.90 through libpng-1.2.16 are vulnerable.

Here is the fix, thanks to Mats Palmgren:

--- pngrutil.c_1.2.16	2007-05-11 23:11:55.395466000 -0500
+++ pngrutil.c	2007-05-14 04:37:32.101297000 -0500
@@ -1314,7 +1314,10 @@
    }
 
    if (png_crc_finish(png_ptr, 0))
+   {
+      png_ptr->num_trans = 0;
       return;
+   }
 
    png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
       &(png_ptr->trans_values));

This patch can be applied to any vulnerable version of libpng.

Libpng version 1.0.25 and 1.2.17, which are being released concurrently
with this advisory, have been patched.

This vulnerability has been assigned the identifiers
CVE-2007-2445 and CERT VU#684664.

Glenn Randers-Pehrson
PNG Development Group