CVE-2018-17073

wernsey/bitmap before 2018-08-18 allows a NULL pointer dereference via a 4-bit image.