From 099558d1003c794049d65b3ea70275ec731ad77c Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Sun, 6 Aug 2017 08:25:56 -0500 Subject: [PATCH] [libpng16] Relocate the iCCP length test to a point after reading the keyword --- ANNOUNCE | 3 ++- CHANGES | 3 ++- pngrutil.c | 23 +++++++++++++---------- 3 files changed, 17 insertions(+), 12 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 01fe0cc0d..563c71342 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -90,7 +90,8 @@ Version 1.6.32beta11 [August 6, 2017] Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR. Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue. Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account - for the minimum 'deflate' stream. + for the minimum 'deflate' stream, and relocate the test to a point + after the keyword has been read. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index d21659bb6..ac32d313f 100644 --- a/CHANGES +++ b/CHANGES @@ -5973,7 +5973,8 @@ Version 1.6.32beta11 [August 6, 2017] Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR. Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue. Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account - for the minimum 'deflate' stream. + for the minimum 'deflate' stream, and relocate the test to a point + after the keyword has been read. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngrutil.c b/pngrutil.c index 8656fa5b5..d87484632 100644 --- a/pngrutil.c +++ b/pngrutil.c 
@@ -1380,17 +1380,7 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
     * chunk is just ignored, so does not invalidate the color space. An
     * alternative is to set the 'invalid' flags at the start of this routine
     * and only clear them in they were not set before and all the tests pass.
-    * The minimum 'zlib' stream is assumed to be just the 2 byte header,
-    * 5 bytes minimum 'deflate' stream, and the 4 byte checksum. The keyword
-    * must be at least one character and there is a terminator (0) byte and
-    * the compression method.
     */
-   if (length < 14)
-   {
-      png_crc_finish(png_ptr, length);
-      png_chunk_benign_error(png_ptr, "too short");
-      return;
-   }
 
    /* If a colorspace error has already been output skip this chunk */
    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
@@ -1417,6 +1407,19 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
    png_crc_read(png_ptr, (png_bytep)keyword, read_length);
    length -= read_length;
 
+   /* The minimum 'zlib' stream is assumed to be just the 2 byte header,
+    * 5 bytes minimum 'deflate' stream, and the 4 byte checksum. The keyword
+    * must be at least one character and there is a terminator (0) byte and
+    * the compression method.
+    */
+
+   if (length < 14)
+   {
+      png_crc_finish(png_ptr, length);
+      png_chunk_benign_error(png_ptr, "too short");
+      return;
+   }
+
    keyword_length = 0;
    while (keyword_length < 80 && keyword_length < read_length &&
       keyword[keyword_length] != 0)
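Review bot: The relocated `if (length < 14)` in the second hunk now tests the bytes left after `length -= read_length;`, but the bound 14 is derived in the comment directly above it for the whole chunk (11 bytes of zlib stream plus keyword, terminator and compression-method byte), so those three non-zlib bytes are counted twice, and when the keyword is short any zlib bytes already pulled into `keyword[]` by `png_crc_read` are not counted at all. By the comment's own accounting a chunk with a one-character keyword and an 11-byte zlib stream is valid, yet it is now rejected as "too short"; real ICC profiles are far larger, so this is a comment/threshold mismatch rather than a memory-safety problem, and `read_length` appears to be clamped to `length` before the hunk (not visible here), so the subtraction itself looks safe. The simplest fix is to keep the original pre-read `if (length < 14)` where it was, since that is the only point where the whole chunk is still measured, and either drop the post-read copy or reword its comment to say what it actually bounds, e.g. `/* Bytes not yet consumed must hold at least the minimum zlib stream (conservative: ignores zlib bytes already in keyword[]) */`; an exact post-read check would need `keyword_length`, which is only known after the loop that follows. png_handle_iCCP starts and ends outside these hunks.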