diff -r -U 3 libpng-1.0.8/png.h libpng-1.0.8p/png.h
--- libpng-1.0.8/png.h Tue Aug 3 21:30:27 2004
+++ libpng-1.0.8p/png.h Mon Jul 24 06:34:08 2000
@@ -750,11 +750,7 @@
 typedef png_info FAR * FAR * png_infopp;
 /* Maximum positive integer used in PNG is (2^31)-1 */
-#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL)
-#define PNG_UINT_32_MAX (~((png_uint_32)0))
-#define PNG_SIZE_MAX (~((png_size_t)0))
-/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */
-#define PNG_MAX_UINT PNG_UINT_31_MAX
+#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
 /* These describe the color_type field in png_info. */
 /* color type masks */
@@ -2412,8 +2408,6 @@
 PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf));
 PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf));
 #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */
-PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr,
- png_bytep buf));
 /* Initialize png_ptr struct for reading, and allocate any other memory.
 * (old interface - DEPRECATED).
diff -r -U 3 libpng-1.0.8/pngconf.h libpng-1.0.8p/pngconf.h
--- libpng-1.0.8/pngconf.h Tue Aug 3 21:30:36 2004
+++ libpng-1.0.8p/pngconf.h Mon Jul 24 06:34:08 2000
@@ -580,13 +580,6 @@
 #define PNG_ASSEMBLER_CODE_SUPPORTED
 #endif
-#ifndef PNG_USER_WIDTH_MAX
-# define PNG_USER_WIDTH_MAX 1000000L
-#endif
-#ifndef PNG_USER_HEIGHT_MAX
-# define PNG_USER_HEIGHT_MAX 1000000L
-#endif
-
 /* These are currently experimental features, define them if you want */
 /* very little testing */
diff -r -U 3 libpng-1.0.8/pngpread.c libpng-1.0.8p/pngpread.c
--- libpng-1.0.8/pngpread.c Tue Aug 3 21:30:27 2004
+++ libpng-1.0.8p/pngpread.c Mon Jul 24 06:34:10 2000
@@ -208,7 +208,7 @@
 }
 png_push_fill_buffer(png_ptr, chunk_length, 4);
- png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
+ png_ptr->push_length = png_get_uint_32(chunk_length);
 png_reset_crc(png_ptr);
 png_crc_read(png_ptr, png_ptr->chunk_name, 4);
 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
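Review bot: In the pngpread.c hunk at -208, `png_ptr->push_length = png_get_uint_32(chunk_length);` stores the chunk length read from the file with no upper bound, although the comment kept in png.h says the largest integer used in PNG is (2^31)-1. A range check directly after the read would reject out-of-range lengths, e.g. `if (png_ptr->push_length > PNG_MAX_UINT) png_error(png_ptr, "PNG unsigned integer out of range.\n");`. The same unchecked read is present in the pngpread.c hunk at -632 and in the pngread.c hunks at -311, -597 and -858 (`length` and `png_ptr->idat_size`). The enclosing functions start and end outside these hunks, so how the length is consumed afterwards cannot be confirmed from here.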
@@ -581,11 +581,6 @@
 png_size_t new_max;
 png_bytep old_buffer;
- if (png_ptr->save_buffer_size > PNG_SIZE_MAX -
- (png_ptr->current_buffer_size + 256))
- {
- png_error(png_ptr, "Potential overflow of save_buffer");
- }
 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
 old_buffer = png_ptr->save_buffer;
 png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr,
@@ -632,7 +627,8 @@
 }
 png_push_fill_buffer(png_ptr, chunk_length, 4);
- png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
+ png_ptr->push_length = png_get_uint_32(chunk_length);
+
 png_reset_crc(png_ptr);
 png_crc_read(png_ptr, png_ptr->chunk_name, 4);
 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
diff -r -U 3 libpng-1.0.8/pngread.c libpng-1.0.8p/pngread.c
--- libpng-1.0.8/pngread.c Tue Aug 3 21:30:27 2004
+++ libpng-1.0.8p/pngread.c Mon Jul 24 06:34:10 2000
@@ -311,7 +311,7 @@
 png_uint_32 length;
 png_read_data(png_ptr, chunk_length, 4);
- length = png_get_uint_31(png_ptr,chunk_length);
+ length = png_get_uint_32(chunk_length);
 png_reset_crc(png_ptr);
 png_crc_read(png_ptr, png_ptr->chunk_name, 4);
@@ -597,7 +597,7 @@
 png_crc_finish(png_ptr, 0);
 png_read_data(png_ptr, chunk_length, 4);
- png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length);
+ png_ptr->idat_size = png_get_uint_32(chunk_length);
 png_reset_crc(png_ptr);
 png_crc_read(png_ptr, png_ptr->chunk_name, 4);
@@ -858,7 +858,7 @@
 #endif /* PNG_GLOBAL_ARRAYS */
 png_read_data(png_ptr, chunk_length, 4);
- length = png_get_uint_31(png_ptr,chunk_length);
+ length = png_get_uint_32(chunk_length);
 png_reset_crc(png_ptr);
 png_crc_read(png_ptr, png_ptr->chunk_name, 4);
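Review bot: In the pngpread.c hunk at -581, `new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;` can wrap `png_size_t`, after which `png_malloc` would be asked for a buffer smaller than the data presumably copied into it (the copy is outside the hunk). The sum should be checked before it is computed, e.g. `if (png_ptr->save_buffer_size > PNG_SIZE_MAX - (png_ptr->current_buffer_size + 256)) png_error(png_ptr, "Potential overflow of save_buffer");`. That guard needs `PNG_SIZE_MAX` to stay defined, which the png.h hunk at -750 does not do on the new side.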
@@ -1198,9 +1198,6 @@
 * PNG file before the first IDAT (image data chunk).
 */
 png_read_info(png_ptr, info_ptr);
-
- if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep))
- png_error(png_ptr,"Image is too high to process with png_read_png()");
 /* -------------- image transformations start here ------------------- */
diff -r -U 3 libpng-1.0.8/pngrtran.c libpng-1.0.8p/pngrtran.c
--- libpng-1.0.8/pngrtran.c Tue Aug 3 21:30:27 2004
+++ libpng-1.0.8p/pngrtran.c Mon Jul 24 06:34:11 2000
@@ -1843,8 +1843,8 @@
 /* This changes the data from GG to GGXX */
 if (flags & PNG_FLAG_FILLER_AFTER)
 {
- png_bytep sp = row + (png_size_t)row_width * 2;
- png_bytep dp = sp + (png_size_t)row_width * 2;
+ png_bytep sp = row + (png_size_t)row_width;
+ png_bytep dp = sp + (png_size_t)row_width;
 for (i = 1; i < row_width; i++)
 {
 *(--dp) = hi_filler;
@@ -1861,8 +1861,8 @@
 /* This changes the data from GG to XXGG */
 else
 {
- png_bytep sp = row + (png_size_t)row_width * 2;
- png_bytep dp = sp + (png_size_t)row_width * 2;
+ png_bytep sp = row + (png_size_t)row_width;
+ png_bytep dp = sp + (png_size_t)row_width;
 for (i = 0; i < row_width; i++)
 {
 *(--dp) = *(--sp);
@@ -1919,8 +1919,8 @@
 /* This changes the data from RRGGBB to RRGGBBXX */
 if (flags & PNG_FLAG_FILLER_AFTER)
 {
- png_bytep sp = row + (png_size_t)row_width * 6;
- png_bytep dp = sp + (png_size_t)row_width * 2;
+ png_bytep sp = row + (png_size_t)row_width * 3;
+ png_bytep dp = sp + (png_size_t)row_width;
 for (i = 1; i < row_width; i++)
 {
 *(--dp) = hi_filler;
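Review bot: After `png_read_info(png_ptr, info_ptr);` in the pngread.c hunk at -1198, `info_ptr->height` comes straight from the file and nothing bounds it before the rest of the function uses it. If the code below the hunk allocates one `png_bytep` per row, the size `height * sizeof(png_bytep)` can overflow; a guard such as `if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) png_error(png_ptr,"Image is too high to process with png_read_png()");` belongs here and needs `PNG_UINT_32_MAX` kept in png.h. The allocation itself is outside the hunk, so that part is inferred.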
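Review bot: In the pngrtran.c hunk at -1843 the comment says the row goes from GG to GGXX, two bytes per pixel in and four out, but `sp = row + (png_size_t)row_width` and `dp = sp + (png_size_t)row_width` put the source pointer in the middle of the input and the destination pointer at the end of the input rather than the end of the output. If the loop walks `dp` backwards four bytes per pixel (only its first statement is visible), the writes would run past the start of `row`. The offsets need to be byte counts: `png_bytep sp = row + (png_size_t)row_width * 2;` and `png_bytep dp = sp + (png_size_t)row_width * 2;`. The hunks at -1861, -1919 and -1941 have the same problem; for RRGGBB the source offset is `row_width * 6` and the destination `sp + (png_size_t)row_width * 2`.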
@@ -1941,8 +1941,8 @@
 /* This changes the data from RRGGBB to XXRRGGBB */
 else
 {
- png_bytep sp = row + (png_size_t)row_width * 6;
- png_bytep dp = sp + (png_size_t)row_width * 2;
+ png_bytep sp = row + (png_size_t)row_width * 3;
+ png_bytep dp = sp + (png_size_t)row_width;
 for (i = 0; i < row_width; i++)
 {
 *(--dp) = *(--sp);
diff -r -U 3 libpng-1.0.8/pngrutil.c libpng-1.0.8p/pngrutil.c
--- libpng-1.0.8/pngrutil.c Tue Aug 3 21:30:27 2004
+++ libpng-1.0.8p/pngrutil.c Mon Jul 24 06:34:11 2000
@@ -38,14 +38,6 @@
 # endif
 #endif
-png_uint_32 /* PRIVATE */
-png_get_uint_31(png_structp png_ptr, png_bytep buf)
-{
- png_uint_32 i = png_get_uint_32(buf);
- if (i > PNG_UINT_31_MAX)
- png_error(png_ptr, "PNG unsigned integer out of range.\n");
- return (i);
-}
 #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
 png_uint_32 /* PRIVATE */
@@ -591,7 +583,7 @@
 /* Should be an error, but we can cope with it */
 png_warning(png_ptr, "Out of place gAMA chunk");
- if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
+ else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
 #if defined(PNG_READ_sRGB_SUPPORTED)
 && !(info_ptr->valid & PNG_INFO_sRGB)
 #endif
@@ -668,7 +660,7 @@
 /* Should be an error, but we can cope with it */
 png_warning(png_ptr, "Out of place sBIT chunk");
 }
- if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
+ else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
 {
 png_warning(png_ptr, "Duplicate sBIT chunk");
 png_crc_finish(png_ptr, length);
@@ -735,7 +727,7 @@
 /* Should be an error, but we can cope with it */
 png_warning(png_ptr, "Missing PLTE before cHRM");
- if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
+ else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
 #if defined(PNG_READ_sRGB_SUPPORTED)
 && !(info_ptr->valid & PNG_INFO_sRGB)
 #endif
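Review bot: In the pngrutil.c hunk at -591 the duplicate-gAMA test is written as `else if`, chained to the branch whose only action is `png_warning(png_ptr, "Out of place gAMA chunk");`, so a chunk that triggers that warning skips the duplicate check and goes on to normal processing. The test should be an independent statement, `if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)`, so that it runs whether or not the warning fired. The same chaining appears for sBIT (-668), cHRM (-735), sRGB (-888) and iCCP (-1000). The start of each `if` chain is outside its hunk, so this reading rests on the warning call visible directly above the changed line.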
@@ -888,7 +880,7 @@
 /* Should be an error, but we can cope with it */
 png_warning(png_ptr, "Out of place sRGB chunk");
- if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
+ else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
 {
 png_warning(png_ptr, "Duplicate sRGB chunk");
 png_crc_finish(png_ptr, length);
@@ -1000,7 +992,7 @@
 /* Should be an error, but we can cope with it */
 png_warning(png_ptr, "Out of place iCCP chunk");
- if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
+ else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
 {
 png_warning(png_ptr, "Duplicate iCCP chunk");
 png_crc_finish(png_ptr, length);
@@ -1126,18 +1118,8 @@
 }
 new_palette.nentries = data_length / entry_size;
- if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry))
- {
- png_warning(png_ptr, "sPLT chunk too long");
- return;
- }
 new_palette.entries = (png_sPLT_entryp)png_malloc(
 png_ptr, new_palette.nentries * sizeof(png_sPLT_entry));
- if (new_palette.entries == NULL)
- {
- png_warning(png_ptr, "sPLT chunk requires too much memory");
- return;
- }
 #ifndef PNG_NO_POINTER_INDEXING
 for (i = 0; i < new_palette.nentries; i++)
@@ -1221,8 +1203,7 @@
 /* Should be an error, but we can cope with it */
 png_warning(png_ptr, "Missing PLTE before tRNS");
 }
- if (length > (png_uint_32)png_ptr->num_palette ||
- length > 256)
+ else if (length > (png_uint_32)png_ptr->num_palette)
 {
 png_warning(png_ptr, "Incorrect tRNS chunk length");
 png_crc_finish(png_ptr, length);
diff -r -U 3 libpng-1.0.8/pngset.c libpng-1.0.8p/pngset.c
--- libpng-1.0.8/pngset.c Tue Aug 3 21:30:36 2004
+++ libpng-1.0.8p/pngset.c Mon Jul 24 06:34:11 2000
@@ -153,9 +153,6 @@
 if (png_ptr == NULL || info_ptr == NULL)
 return;
- if (width > PNG_USER_WIDTH_MAX || height > PNG_USER_HEIGHT_MAX)
- png_error(png_ptr, "image size exceeds user limits in IHDR");
-
 info_ptr->width = width;
 info_ptr->height = height;
 info_ptr->bit_depth = (png_byte)bit_depth;
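Review bot: In the pngrutil.c hunk at -1126, `new_palette.nentries * sizeof(png_sPLT_entry)` is passed to `png_malloc` with `nentries` derived from the chunk's `data_length`, and the product can wrap when `png_size_t` is no wider than the chunk length. The loop that follows iterates up to `nentries` (its body is outside the hunk) and would then index past the undersized buffer. A check before the allocation closes this: `if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) { png_warning(png_ptr, "sPLT chunk too long"); return; }`, with `PNG_SIZE_MAX` kept in png.h. Whether `png_malloc` can return NULL here depends on its definition, which is not on this page.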
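Review bot: In the pngrutil.c hunk at -1221 the tRNS length test is `else if (length > (png_uint_32)png_ptr->num_palette)`, so it is skipped on the path that warns "Missing PLTE before tRNS", and there is no fixed cap on `length` at all. A chunk that reaches the read below the hunk with an unchecked `length` could overrun whatever fixed-size buffer receives it (the buffer is not visible here). The condition should stand alone and carry the cap: `if (length > (png_uint_32)png_ptr->num_palette || length > 256)`.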
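Review bot: In the pngset.c hunk at -153, `info_ptr->width = width;` and `info_ptr->height = height;` store the IHDR dimensions with no upper limit, so every size later computed from them inherits values up to the full 32-bit range. A cap at this point, `if (width > PNG_USER_WIDTH_MAX || height > PNG_USER_HEIGHT_MAX) png_error(png_ptr, "image size exceeds user limits in IHDR");`, would bound them. It needs the two macros to stay defined in pngconf.h, which the hunk at -580 of that file removes.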