CVE-2017-12652: libpng before 1.6.32 does not properly check chunk lengths against the user-defined limit.
{ "vanir_signatures": [ { "source": "https://github.com/pnggroup/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55", "signature_version": "v1", "signature_type": "Function", "deprecated": false, "target": { "file": "pngrutil.c", "function": "png_read_chunk_header" }, "digest": { "function_hash": "220617196658382277969629707551327307163", "length": 595.0 }, "id": "CVE-2017-12652-2063d2b3" }, { "source": "https://github.com/glennrp/libpng/commit/df7e9dae0c4aac63d55361e35709c864fa1b8363", "signature_version": "v1", "signature_type": "Function", "deprecated": false, "target": { "file": "png.c", "function": "png_get_copyright" }, "digest": { "function_hash": "321243645164949362734223223326571417411", "length": 701.0 }, "id": "CVE-2017-12652-2e72d456" }, { "source": "https://github.com/pnggroup/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55", "signature_version": "v1", "signature_type": "Line", "deprecated": false, "target": { "file": "pngrutil.c" }, "digest": { "line_hashes": [ "70841776614568275697156037000077820510", "311830874481362638713482939715761376903", "152655163359775584842543908644023560646" ], "threshold": 0.9 }, "id": "CVE-2017-12652-3273aec1" }, { "source": "https://github.com/pnggroup/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55", "signature_version": "v1", "signature_type": "Function", "deprecated": false, "target": { "file": "pngpread.c", "function": "png_push_read_chunk" }, "digest": { "function_hash": "66915345587845022605725109661872264623", "length": 4418.0 }, "id": "CVE-2017-12652-3e72406e" }, { "source": "https://github.com/glennrp/libpng/commit/df7e9dae0c4aac63d55361e35709c864fa1b8363", "signature_version": "v1", "signature_type": "Line", "deprecated": false, "target": { "file": "scripts/def.c" }, "digest": { "line_hashes": [ "156096222207606892409097036230274271614" ], "threshold": 0.9 }, "id": "CVE-2017-12652-6f2c80eb" }, { "source": "https://github.com/glennrp/libpng/commit/df7e9dae0c4aac63d55361e35709c864fa1b8363", 
"signature_version": "v1", "signature_type": "Line", "deprecated": false, "target": { "file": "pngtest.c" }, "digest": { "line_hashes": [ "103641275533327891742404614660718038032", "271143897051010054212464945345969092213" ], "threshold": 0.9 }, "id": "CVE-2017-12652-ae859b89" }, { "source": "https://github.com/glennrp/libpng/commit/df7e9dae0c4aac63d55361e35709c864fa1b8363", "signature_version": "v1", "signature_type": "Line", "deprecated": false, "target": { "file": "png.h" }, "digest": { "line_hashes": [ "166375070723291529406421301066248769034", "275647010778297936193963675511576832388", "256826767335212246520616614652191899280", "279336807821086835335477021495116274772", "232553263840887526940445566239193742547", "321322115793091064233440181206811421137", "323552466813114586079008333209838520779", "300030530416012691729079676676498442978" ], "threshold": 0.9 }, "id": "CVE-2017-12652-c5388709" }, { "source": "https://github.com/glennrp/libpng/commit/df7e9dae0c4aac63d55361e35709c864fa1b8363", "signature_version": "v1", "signature_type": "Line", "deprecated": false, "target": { "file": "png.c" }, "digest": { "line_hashes": [ "291172681311936543452919953550618310022", "250674858440680139373891068715663130286", "221801185142243840488717981785402640645", "239949336393341476172637021320931282744", "99450591993684622810251403669010929588", "294119101941747485427512800103613317330", "224584778708134352092963753103576720243", "49707240273346183902828160227258670924", "136955984917707785624811019298884841478", "266414924338399166079106214687877099441", "154003624319932963894097861280013836461", "273359500251677714011861558135970490822", "312337992988782757618391295584407989224" ], "threshold": 0.9 }, "id": "CVE-2017-12652-f73b433b" } ] }