Brian May <[email protected]> writes:
> Test version now includes fixes for more CVEs. I did not patch
> CVE-2017-14733, because I couldn't find the code that the patch applies
> to.

Ok, understand CVE-2017-14733. Images can declare ncolor channels==1 (greyscale only) or ==2 (makes no sense). Trouble is, when alpha channel present and we are processing this, we assume we have at least 3 bytes per pixel: RGB, which just isn't going to work. At least that is my understanding reading the code.

Will make fix for this also.
-- 
Brian May <[email protected]>
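
The failure mode described in the message above, shown as an added example that is not code from the patch or the project: a pixel expander that takes the alpha offset and per-pixel stride from the declared channel count instead of assuming three colour bytes. The function name, the interleaved buffer layout and the RGBA output format are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not the project's code): expand interleaved pixels
 * with `ncolors` colour channels, plus an optional alpha byte, to RGBA.
 * Returns 0 on success, -1 if the header values cannot be handled safely. */
int expand_to_rgba(const uint8_t *src, size_t src_len, size_t npixels,
                   unsigned ncolors, int has_alpha,
                   uint8_t *dst, size_t dst_len)
{
    /* Accept only channel counts the conversion has a meaning for.
     * This rejects 0, 2 and anything above 3 before any pixel is read. */
    if (ncolors != 1 && ncolors != 3)
        return -1;

    /* Bytes per source pixel come from the header, never a fixed 3 or 4. */
    size_t stride = ncolors + (has_alpha ? 1u : 0u);

    /* stride <= 4, so this bound keeps both products from wrapping. */
    if (npixels > SIZE_MAX / 4)
        return -1;
    if (npixels * stride > src_len || npixels * 4 > dst_len)
        return -1;

    for (size_t i = 0; i < npixels; i++) {
        const uint8_t *p = src + i * stride;
        uint8_t *q = dst + i * 4;
        if (ncolors == 1) {
            q[0] = q[1] = q[2] = p[0];      /* replicate grey into R, G, B */
        } else {
            q[0] = p[0]; q[1] = p[1]; q[2] = p[2];
        }
        /* Alpha sits right after the colour bytes: p[1] for greyscale,
         * p[3] for RGB. Reading p[3] unconditionally is the over-read. */
        q[3] = has_alpha ? p[ncolors] : 0xFF;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: two greyscale+alpha pixels (2 bytes each). */
    const uint8_t grey_alpha[] = { 10, 200, 20, 100 };
    uint8_t out[8];
    int rc = expand_to_rgba(grey_alpha, sizeof grey_alpha, 2, 1, 1, out, sizeof out);
    printf("rc=%d first pixel=%u,%u,%u,%u\n", rc, out[0], out[1], out[2], out[3]);
    return rc == 0 ? 0 : 1;
}
```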
