Jörgen Grahn

**Name of the Vulnerable Software and Affected Versions** xcftools version 1.0.4 **Description** The issue is related to a stack-based buffer overflow in the `flattenIncrementally` function, which can be triggered by crafted images that cause a conversion to a location outside the canvas boundaries. This can lead to a denial of service (crash) and potentially allow the execution of arbitrary code. The `flattenIncrementally` function is reachable through the `xcf2pnm` and `xcf2png` utilities. **Recommendations** For xcftools version 1.0.4, consider avoiding the use of crafted images that may cause conversions outside the canvas boundaries until a patch is available. As a temporary workaround, restrict the use of the `xcf2pnm` and `xcf2png` utilities to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.