CVE-2022-3857: A flaw was found in libpng 1.6.38. A crafted PNG image can lead to a segmentation fault and denial of service in the png_setup_paeth_row() function. Unclear if it's a real bug; upstream seems to think it might be a fuzzer bug. The backtrace doesn't involve the fuzzer, so I'm not so sure.
(In reply to John Helmert III from comment #0)
> CVE-2022-3857:
>
> A flaw was found in libpng 1.6.38. A crafted PNG image can lead to a
> segmentation fault and denial of service in png_setup_paeth_row() function.
>
> Unclear if a real bug, upstream seems to think it might be a fuzzer
> bug. The backtrace doesn't involve the fuzzer, so I'm not so sure.

The compiler used is afl's, which adds instrumentation, so it's a bug on that side (essentially miscompiled). So, based on https://github.com/AFLplusplus/AFLplusplus/issues/1602#issuecomment-1342281054, I'm not worried about it.
(The reporter says it's an afl issue too.)