CVE-2014-9495

Name of the Vulnerable Software and Affected Versions libpng versions prior to 1.5.21 libpng versions 1.6.x prior to 1.6.16

Description The issue is caused by a heap-based buffer overflow in the png combine row function of the libpng library. This can be exploited by a remote attacker using a specially crafted PNG image, potentially allowing the execution of arbitrary code. The vulnerability is specific to 64-bit systems and can be triggered by a "very wide interlaced" PNG image.

Recommendations For libpng versions prior to 1.5.21, update to version 1.5.21 or later. For libpng versions 1.6.x prior to 1.6.16, update to version 1.6.16 or later. As a temporary workaround, consider restricting the use of the png combine row function until a patch is available. Avoid processing "very wide interlaced" PNG images with vulnerable versions of libpng.