There is a NULL pointer dereference in the caseless_hash function in gxps-archive.c in libgxps 0.2.5. A crafted input will lead to a denial of service attack. Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1473167
Created libgxps tracking bugs for this issue: Affects: fedora-all [bug 1475738]