Mitre reports:
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21
and earlier may allow remote attackers to execute arbitrary code via
malformed image files that trigger the overflows due to improper
calls to the gdMalloc function, a different set of vulnerabilities
than CVE-2004-0990.
Buffer overflow in the gdImageStringFTEx function in gdft.c in GD
Graphics Library 2.0.33 and earlier allows remote attackers to cause
a denial of service (application crash) and possibly execute
arbitrary code via a crafted string with a JIS encoded font.
The gdPngReadData function in libgd 2.0.34 allows user-assisted
attackers to cause a denial of service (CPU consumption) via a
crafted PNG image with truncated data, which causes an infinite loop
in the png_read_info function in libpng.
Integer overflow in gdImageCreateTrueColor function in the GD
Graphics Library (libgd) before 2.0.35 allows user-assisted remote
attackers to have unspecified attack vectors and impact.
The gdImageCreateXbm function in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause a
denial of service (crash) via unspecified vectors involving a
gdImageCreate failure.
The (a) imagearc and (b) imagefilledarc functions in GD Graphics
Library (libgd) before 2.0.35 allow attackers to cause a denial of
service (CPU consumption) via a large (1) start or (2) end angle
degree value.
The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before
5.3.1, and the GD Graphics Library 2.x, does not properly verify a
certain colorsTotal structure member, which might allow remote
attackers to conduct buffer overflow or buffer over-read attacks via
a crafted GD file, a different vulnerability than CVE-2009-3293.
NOTE: some of these details are obtained from third party
information.
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote
attackers to cause a denial of service (crash) or possibly execute
arbitrary code via a crafted BMP image.
meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial
of service (out-of-bounds read) via a crafted WMF file.
Use-after-free vulnerability in libwmf 0.2.8.4 allows remote
attackers to cause a denial of service (crash) via a crafted WMF
file to the (1) wmf2gd or (2) wmf2eps command.
Heap-based buffer overflow in the DecodeImage function in libwmf
0.2.8.4 allows remote attackers to cause a denial of service (crash)
or possibly execute arbitrary code via a crafted "run-length count"
in an image in a WMF file.