A vulnerability was found in libpng: versions before 1.6.32 do not properly check the length of chunks against the user limit. Reference: https://github.com/glennrp/libpng/blob/df7e9dae0c4aac63d55361e35709c864fa1b8363/ANNOUNCE
Upstream commit: https://github.com/glennrp/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55
Analysis: As per http://www.libpng.org/pub/png/libpng-manual.txt :

"The PNG specification allows the width and height of an image to be as large as 2^31-1 (0x7fffffff), or about 2.147 billion rows and columns. For safety, libpng imposes a default limit of 1 million rows and columns. Larger images will be rejected immediately with a png_error() call. If you wish to change these limits, you can use png_set_user_limits(png_ptr, width_max, height_max); to set your own limits (libpng may reject some very wide images anyway because of potential buffer overflow conditions)."

A flaw was found in libpng where this limit was not checked by the library. This could potentially result in bigger images being parsed by the library (bigger sizes than imposed by the user_limit set earlier), which could result in DoS via memory exhaustion. This seems difficult to exploit, mainly because the attacker needs to be allowed to parse large images via an application compiled against libpng on the affected system.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7, via RHSA-2020:3901 https://access.redhat.com/errata/RHSA-2020:3901
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-12652