Bug 216706 - CVE-2006-5793 libpng, libpng10 DoS
Summary: CVE-2006-5793 libpng, libpng10 DoS
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: libpng
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tom Lane
QA Contact:
URL:
Whiteboard: source=vendorsec,reported=20061107,im...
Depends On:
Blocks:
Reported: 2006-11-21 16:55 UTC by Ville Skyttä
Modified: 2013-07-03 03:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-02-12 16:27:08 UTC
Type: ---
Embargoed:



Description Ville Skyttä 2006-11-21 16:55:00 UTC
+++ This bug was initially created as a clone of Bug #215405 +++

Tavis Ormandy told vendor-sec about an OOB memory read flaw in libpng.  This flaw
is a denial of service flaw.

quoting the mail from Tavis:

    Hello, there's a typo in the sPLT chunk handling code in libpng,
    potentially resulting in an OOB read. AFAICT, the extent of the
    vulnerability is denial of service, but would appreciate a second pair
    of eyes to verify.

    Around line ~983 of pngset.c, in png_set_sPLT()

    to->entries = (png_sPLT_entryp)png_malloc(png_ptr,
        from->nentries * png_sizeof(png_sPLT_t));

    should be `png_sizeof(png_sPLT_entry)`

    and the same on this line:

    png_memcpy(to->entries, from->entries,
        from->nentries * png_sizeof(png_sPLT_t));

This issue also affects RHEL2.1 and RHEL3

-- Additional comment from bressers on 2006-11-14 16:28 EST --
This issue is now public:
http://bugs.gentoo.org/show_bug.cgi?id=154380

---

Possibly affected: libpng in FC5, FC6, and devel, and libpng10 in FC5. 
(libpng10 in Extras has been updated, see bug 216263)
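The sizeof mix-up Tavis describes, as an added C example (not libpng's own code): constructed stand-in structs with the member layout of libpng's png_sPLT_entry and png_sPLT_t, a function that computes how far the buggy memcpy reads past the end of the source palette, and the corrected copy with a bounds check against the known source size. The helper names (splt_overread_bytes, splt_copy_entries, splt_selfcheck) are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for libpng's sPLT types (same member layout as png.h,
   names kept so the sizeof terms read like the report). */
typedef unsigned short png_uint_16;
typedef unsigned char  png_byte;
typedef int            png_int_32;
typedef struct { png_uint_16 red, green, blue, alpha, frequency; } png_sPLT_entry;
typedef struct {
    char           *name;
    png_byte        depth;
    png_sPLT_entry *entries;
    png_int_32      nentries;
} png_sPLT_t;

/* Bytes the buggy png_set_sPLT() memcpy reads past the end of from->entries:
   nentries * sizeof(png_sPLT_t) copied from nentries * sizeof(png_sPLT_entry). */
long splt_overread_bytes(png_int_32 nentries)
{
    return (long)nentries * (long)(sizeof(png_sPLT_t) - sizeof(png_sPLT_entry));
}

/* Corrected copy: allocation and memcpy are both sized by the entry type, and
   the byte count is checked against the known size of the source buffer. */
int splt_copy_entries(png_sPLT_t *to, const png_sPLT_t *from, size_t from_bytes)
{
    size_t need = (size_t)from->nentries * sizeof(png_sPLT_entry);
    if (from->nentries < 0 || need > from_bytes)
        return -1;                 /* refuse instead of reading past the source */
    to->entries = malloc(need);
    if (to->entries == NULL)
        return -1;
    memcpy(to->entries, from->entries, need);
    to->nentries = from->nentries;
    return 0;
}

/* Self-check on a constructed 3-entry palette: fixed copy preserves the data,
   an undersized source buffer is rejected. Returns 1 on success. */
int splt_selfcheck(void)
{
    png_sPLT_entry src[3] = { {1,2,3,4,5}, {6,7,8,9,10}, {11,12,13,14,15} };
    png_sPLT_t from = { "pal", 8, src, 3 }, to = { 0 };
    int ok = splt_copy_entries(&to, &from, sizeof src) == 0
          && to.nentries == 3 && to.entries[2].alpha == 14;
    free(to.entries);
    ok = ok && splt_copy_entries(&to, &from, sizeof src - 1) == -1;
    return ok;
}
```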

Comment 1 Tom Lane 2007-02-12 16:27:08 UTC
libpng is updated to 1.2.16 for Fedora 7.  As per bz #211705, the security issue
is not considered serious enough to warrant back-patching.

