diff -r -U 3 libpng-0.90/pngconf.h libpng-0.90p/pngconf.h --- libpng-0.90/pngconf.h Thu Jan 16 20:39:48 1997 +++ libpng-0.90p/pngconf.h Wed Aug 4 06:54:25 2004 @@ -214,6 +214,13 @@ #define PNG_WRITE_FILLER_SUPPORTED #define PNG_WRITE_FLUSH_SUPPORTED +#ifndef PNG_USER_WIDTH_MAX +# define PNG_USER_WIDTH_MAX 1000000L +#endif +#ifndef PNG_USER_HEIGHT_MAX +# define PNG_USER_HEIGHT_MAX 1000000L +#endif + /* These functions are turned off by default, as they will be phased out. */ #undef PNG_USE_OWN_CRC #undef PNG_CORRECT_PALETTE_SUPPORTED diff -r -U 3 libpng-0.90/pngrcb.c libpng-0.90p/pngrcb.c --- libpng-0.90/pngrcb.c Mon Jan 6 20:26:39 1997 +++ libpng-0.90p/pngrcb.c Wed Aug 4 06:54:25 2004 @@ -18,6 +18,9 @@ if (!info) return; + if (width > PNG_USER_WIDTH_MAX || height > PNG_USER_HEIGHT_MAX) + png_error(png_ptr, "image size exceeds user limits in IHDR"); + info->width = width; info->height = height; info->bit_depth = (png_byte)bit_depth; diff -r -U 3 libpng-0.90/pngrutil.c libpng-0.90p/pngrutil.c --- libpng-0.90/pngrutil.c Thu Jan 16 20:57:19 1997 +++ libpng-0.90p/pngrutil.c Wed Aug 4 06:54:10 2004 @@ -637,7 +637,8 @@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - else if (length > png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > 256) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length);