A ray of light in the darkness of 2.0 (but don't get overexcited).
It seems that the netfront browser of the psp is vulnerable to the libpng 1.2.5 buffer overrun.
The following png image that exploits the bug has been reported by a psp user to crash the PSP browser: http://scary.beasts.org/misc/pngtest_bad.png
The following image (not tested in the psp) causes the pocket pc version of NetFront to quit(version 3.1 tested):
Feel free to report what it does in your psp 2.0
The last image redirects the address of the device (psp, pocket pc) to the memory address 0x00000000 (null pointer).
With this bug, we could apparently redirect the psp to whatever address we want. If we coud find the address of the png buffer, then execution of code would be possible.
However, it would be too difficult to find out what address the png buffer is, since we cannot apparently reverse engenire the netfront browser.
EDIT: ok, now it's unclear, since other user reported that it doens't crash.