Libpng security advisory
15 November 2006

Libpng versions 1.0.6 through 1.2.12 can crash while decoding the sPLT chunk. This is due to an incorrect calculation of the buffer size for storing the palette entries. This bug has been given the identifier CVE-2006-5793.

Libraries that are built with the default configuration are vulnerable. Libraries that are built with PNG_NO_READ_sPLT defined are not vulnerable. Neither are applications that use png_set_keep_unknown_chunks with PNG_HANDLE_CHUNK_NEVER to ignore the sPLT chunk.

Here is the fix. In pngset.c, in these statements around line 950:

    to->entries = (png_sPLT_entryp)png_malloc(png_ptr,
        from->nentries * png_sizeof(png_sPLT_t));
    /* TODO: use png_malloc_warn */
    png_memcpy(to->entries, from->entries,
        from->nentries * png_sizeof(png_sPLT_t));

change png_sizeof(png_sPLT_t) to png_sizeof(png_sPLT_entry).

Libpng versions 1.0.21, 1.2.13, and 1.4.0beta14 have been fixed.
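The following is an added illustration of the size mismatch behind this fix; it is example code written for this page, not libpng's own source. The two structure definitions are simplified stand-ins for libpng's png_sPLT_t and png_sPLT_entry with assumed field layouts, and splt_copy_entries is a hypothetical helper showing the defensive idiom: derive the byte count from the element type the pointer actually stores (sizeof *to->entries), so the allocation and the copy can never use a different type than the array, and reject counts that would overflow the multiplication.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, simplified stand-ins for libpng's types (not libpng's headers). */
typedef uint16_t png_uint_16;
typedef int32_t png_int_32;
typedef unsigned char png_byte;

/* One suggested-palette entry: five 16-bit fields (assumed layout). */
typedef struct {
    png_uint_16 red, green, blue, alpha, frequency;
} png_sPLT_entry;

/* The chunk header that owns an array of entries (assumed layout). */
typedef struct {
    char *name;
    png_byte depth;
    png_sPLT_entry *entries;
    png_int_32 nentries;
} png_sPLT_t;

/* Bytes the pre-fix code computed for n entries: wrong struct in sizeof. */
size_t buggy_copy_bytes(png_int_32 n) { return (size_t)n * sizeof(png_sPLT_t); }

/* Bytes the fixed code computes for n entries: the element type. */
size_t fixed_copy_bytes(png_int_32 n) { return (size_t)n * sizeof(png_sPLT_entry); }

/* Hypothetical hardened copy: size from the pointed-to type, overflow-checked.
   Returns 0 on success, -1 on invalid count or allocation failure. */
int splt_copy_entries(png_sPLT_t *to, const png_sPLT_t *from) {
    if (from->nentries < 0 ||
        (size_t)from->nentries > SIZE_MAX / sizeof *to->entries)
        return -1;
    size_t bytes = (size_t)from->nentries * sizeof *to->entries;
    to->entries = malloc(bytes ? bytes : 1);
    if (to->entries == NULL)
        return -1;
    memcpy(to->entries, from->entries, bytes);
    to->nentries = from->nentries;
    return 0;
}

/* Round-trip check on constructed sample data: returns the number of
   entries that survived the copy intact, or -1 if the copy was refused. */
int splt_copy_roundtrip(void) {
    png_sPLT_entry sample[3] = {
        {1, 2, 3, 4, 5}, {10, 20, 30, 40, 50}, {100, 200, 300, 400, 500}
    };
    png_sPLT_t from = { "constructed", 16, sample, 3 };
    png_sPLT_t to = { NULL, 0, NULL, 0 };
    if (splt_copy_entries(&to, &from) != 0)
        return -1;
    int ok = 0;
    for (int i = 0; i < to.nentries; i++)
        if (memcmp(&to.entries[i], &sample[i], sizeof sample[i]) == 0)
            ok++;
    free(to.entries);
    return ok;
}

/* Rejecting a negative entry count must fail cleanly rather than copy. */
int splt_rejects_negative_count(void) {
    png_sPLT_t from = { "constructed", 8, NULL, -1 };
    png_sPLT_t to = { NULL, 0, NULL, 0 };
    return splt_copy_entries(&to, &from) == -1;
}

int main(void) {
    printf("sizeof(png_sPLT_t)=%zu sizeof(png_sPLT_entry)=%zu\n",
           sizeof(png_sPLT_t), sizeof(png_sPLT_entry));
    printf("buggy bytes for 3 entries: %zu, fixed: %zu\n",
           buggy_copy_bytes(3), fixed_copy_bytes(3));
    printf("round-trip entries intact: %d\n", splt_copy_roundtrip());
    return 0;
}
```

The point of sizeof *to->entries rather than sizeof(some_type) is that the expression follows the pointer's declared type: if the element type is ever renamed or changed, the byte count changes with it, and a mismatch like the one this advisory describes cannot be reintroduced by naming the wrong struct.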