The findnext function in decompose.c in potrace 1.13 allows remote attackers to cause a denial of service via a crafted BMP image.