http://sourceforge.net/p/libpng/bugs/199/
Use CVE-2013-7353 for "png_set_unknown_chunks in libpng/pngset.c ...
Fixed in libpng-1.5.14beta08"
("has four integer overflow bugs" is apparently a typo of "has one
integer overflow bug")
Use CVE-2013-7354 for "The png_set_sPLT() and png_set_text_2()
functions have a similar bug, which is fixed in libpng-1.5.14rc03" --
this has a different discoverer.
The vendor mentions that internal calls use safe values. These issues
could potentially affect applications that use the libpng API.
Apparently no such applications were identified as part of the work on
bug 199.
Through applying testing to libpng 1.5.13,
I found that libpng has four integer overflow bugs in
png_set_unknown_chunks in libpng/pngset.c.
in png_set_unknown_chunks
The bug is in line 1037. If the function parameter num_unknowns or info_ptr->unknown_chunks_num is very large,
then (info_ptr->unknown_chunks_num + num_unknowns) * png_sizeof(png_unknown_chunk) is larger than UINT_MAX. It becomes smaller due to integer overflow. Thus np = png_malloc_warn in line 1036 will get less memory than expected.
Then png_memcpy in line 1047 may access an invalid memory address, which causes a segmentation fault or unexpected results.
1036 np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
1037 (png_size_t)(info_ptr->unknown_chunks_num + num_unknowns) *
1038 png_sizeof(png_unknown_chunk));
1039
1040 if (np == NULL)
1041 {
1042 png_warning(png_ptr,
1043 "Out of memory while processing unknown chunk");
1044 return;
1045 }
1046
1047 png_memcpy(np, info_ptr->unknown_chunks,
1048 (png_size_t)info_ptr->unknown_chunks_num *
1049 png_sizeof(png_unknown_chunk));
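Added example (not libpng's code and not the reporter's): the size expression from line 1037 as written, beside a checked variant that refuses the allocation when the addition or the multiplication would wrap, so the later copy can never run past a buffer that came out too small. The struct is a constructed stand-in for png_unknown_chunk and the function names are assumptions; the parameter types mirror libpng's (unsigned int count, int num_unknowns).

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libpng's png_unknown_chunk (constructed here; only its size matters). */
typedef struct {
    unsigned char name[5];
    unsigned char *data;
    size_t size;
    unsigned char location;
} unknown_chunk_t;

/* The size expression as libpng 1.5.13 wrote it: the addition is done in
 * unsigned int and wraps before the cast to size_t widens it. */
static size_t naive_chunk_array_bytes(unsigned int existing, int incoming)
{
    return (size_t)(existing + incoming) * sizeof(unknown_chunk_t);
}

/* Checked variant: returns 1 and stores the byte count in *out, or 0 when the
 * count is negative or the addition or multiplication would overflow. */
static int checked_chunk_array_bytes(unsigned int existing, int incoming, size_t *out)
{
    size_t total;
    if (incoming < 0)
        return 0;
    if ((size_t)existing > SIZE_MAX - (size_t)incoming)
        return 0;                              /* existing + incoming would wrap */
    total = (size_t)existing + (size_t)incoming;
    if (total > SIZE_MAX / sizeof(unknown_chunk_t))
        return 0;                              /* total * sizeof would wrap */
    *out = total * sizeof(unknown_chunk_t);
    return 1;
}

/* Grow the array as png_set_unknown_chunks does, but refuse instead of
 * allocating an undersized buffer. Returns NULL on overflow or allocation failure. */
static unknown_chunk_t *grow_unknown_chunks(const unknown_chunk_t *old,
                                            unsigned int existing, int incoming)
{
    size_t bytes; unknown_chunk_t *np;
    if (!checked_chunk_array_bytes(existing, incoming, &bytes))
        return NULL;
    if ((np = malloc(bytes)) == NULL)
        return NULL;
    if (old != NULL && existing > 0)           /* copy the entries already stored */
        memcpy(np, old, (size_t)existing * sizeof(unknown_chunk_t));
    return np;
}
```

With UINT_MAX existing entries and one more incoming, the naive expression yields zero bytes, which is exactly the undersized buffer the report describes.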