Posted by Hans Jerry Illikainen on Apr 04

An invalid write may occur in optipng before version 0.7.6 while
processing bitmap images due to `crt_row’ being (inc|dec)remented
without any boundary checking when encountering delta escapes.

optipng-0.7.5/src/pngxtern/pngxrbmp.c:
,—-
| 210 static size_t
| 211 bmp_read_rows(png_bytepp begin_row, png_bytepp end_row, size_t row_size,
| 212 unsigned int compression, FILE *stream)
| 213 {
| …
| 272 crt_row = begin_row;…