Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of the transparency chunk (tRNS) data, or (2) the png_handle_sBIT or (3) the png_handle_hIST function does not perform sufficient bounds checking.
Software | From | Fixed in |
---|---|---|
microsoft / msn_messenger | 6.1 | 6.1.x |
greg_roelofs / libpng | - | 1.2.5.x |
microsoft / msn_messenger | 6.2 | 6.2.x |
microsoft / windows_messenger | 5.0 | 5.0.x |
microsoft / windows_media_player | 9 | 9.x |
microsoft / windows_me | - | - |
microsoft / windows_98se | - | - |
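
The kind of length validation the description says was missing, as an added example (not libpng's code and not its fix): a chunk's declared length is checked against what the PNG specification allows for tRNS, sBIT and hIST before any data is copied into a fixed-size buffer. The names `chunk_len_ok`, `load_trns` and `MAX_PALETTE` are hypothetical, and rejecting a zero-length palette tRNS is a conservative choice made here.

```c
#include <stdint.h>
#include <string.h>

#define MAX_PALETTE 256  /* PNG spec: a PLTE chunk holds at most 256 entries */
enum { CT_GRAY = 0, CT_RGB = 2, CT_PALETTE = 3, CT_GRAY_ALPHA = 4, CT_RGBA = 6 };

/* Hypothetical helper: 1 if the declared data length is valid for this chunk,
 * given the IHDR colour type and the PLTE entry count (0 = no PLTE seen yet). */
static int chunk_len_ok(const char *type, int color_type,
                        unsigned num_palette, uint32_t length)
{
    if (num_palette > MAX_PALETTE) return 0;
    if (memcmp(type, "tRNS", 4) == 0) {
        switch (color_type) {
        case CT_GRAY:    return length == 2;          /* one 16-bit grey sample */
        case CT_RGB:     return length == 6;          /* three 16-bit samples   */
        case CT_PALETTE: return length >= 1 && length <= num_palette;
        default:         return 0;  /* tRNS is not allowed with an alpha channel */
        }
    }
    if (memcmp(type, "sBIT", 4) == 0) {
        switch (color_type) {
        case CT_GRAY:       return length == 1;
        case CT_RGB:
        case CT_PALETTE:    return length == 3;
        case CT_GRAY_ALPHA: return length == 2;
        case CT_RGBA:       return length == 4;
        default:            return 0;
        }
    }
    if (memcmp(type, "hIST", 4) == 0)   /* one 16-bit count per palette entry */
        return num_palette > 0 && length == 2u * num_palette;
    return 0;  /* chunk types this example does not cover are rejected */
}

/* Copies tRNS data into a fixed table only after validation; -1 on rejection. */
static int load_trns(uint8_t out[MAX_PALETTE], int color_type,
                     unsigned num_palette, const uint8_t *data, uint32_t length)
{
    if (!chunk_len_ok("tRNS", color_type, num_palette, length))
        return -1;
    memcpy(out, data, length);  /* length <= num_palette <= MAX_PALETTE here */
    return (int)length;
}

int main(void)
{
    uint8_t table[MAX_PALETTE], data[300] = {0};  /* constructed sample input */
    return load_trns(table, CT_PALETTE, 0, data, 300) == -1 ? 0 : 1;
}
```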