A crash potentially leading to code execution was reported  and fixed  in pngcrush version 1.7.84.
Upstream commit that fixes this:
Created pngcrush tracking bugs for this issue:
Affects: fedora-all [bug 1198174]
Affects: epel-all [bug 1198175]
This is an off-by-one error in the "pngcrush_measure_idat()" function in pngcrush.c, introduced by commit http://sourceforge.net/p/pmt/code/ci/e1a36a9639e2db16494d90459c7c2b78677a20bf/ in version 1.7.83.
The code in pngcrush line 7405:
if (length < 28)
for (ib=27; ib >= length; ib--)
buff[ib] = 0;
If length is 0, the last iteration will set "ib" to -1, thus buff[ib] = 0; will write outside of the "buff" buffer. I doubt that this can be exploited for anything else than an application crash.
This issue did not affect the versions of pngcrush as shipped with Red Hat Enterprise Linux 7.