A flaw was found in Netpbm through 10.81.03. The pm_mallocarray2 function in lib/util/mallocvar.c allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.
Created netpbm tracking bugs for this issue:
Affects: fedora-all [bug 1561207]
indicates this to be the upstream commit: