From 0b4e7deab1c736273c2d57a19c1bd996576d93f8 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Fri, 13 Nov 2015 11:05:27 -0600
Subject: [PATCH] [libpng16] Avoid potential pointer overflow in
 png_handle_sPLT() and

png_handle_pCAL() (Bug report by John Regehr).
---
 ANNOUNCE   | 2 ++
 CHANGES    | 2 ++
 pngrutil.c | 6 +++---
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/ANNOUNCE b/ANNOUNCE
index b0bc5a329..3b22e33d6 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -26,6 +26,8 @@ Other information:
 Changes since the last public release (1.6.19):
 
 Version 1.6.20beta01 [(PENDING RELEASE)]
+  Avoid potential pointer overflow in png_handle_sPLT() and
+    png_handle_pCAL() (Bug report by John Regehr).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 1485a96a5..13058a91b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5415,6 +5415,8 @@ Version 1.6.19 [November 12, 2015]
   Cleaned up coding style in png_handle_PLTE().
 
 Version 1.6.20beta01 [(PENDING RELEASE)]
+  Avoid potential pointer overflow in png_handle_sPLT() and
+    png_handle_pCAL() (Bug report by John Regehr).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngrutil.c b/pngrutil.c
index ee584a8c4..03e65e3e3 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1,7 +1,7 @@
 
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.6.19 [November 12, 2015]
+ * Last changed in libpng 1.6.20 [(PENDING RELEASE)]
  * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -1670,7 +1670,7 @@ png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
    ++entry_start;
 
    /* A sample depth should follow the separator, and we should be on it  */
-   if (entry_start > buffer + length - 2)
+   if (length < 2 || entry_start > buffer + length - 2)
    {
       png_warning(png_ptr, "malformed sPLT chunk");
       return;
@@ -2174,7 +2174,7 @@ png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
    /* We need to have at least 12 bytes after the purpose string
     * in order to get the parameter information.
     */
-   if (endptr <= buf + 12)
+   if (length < 12 || endptr <= buf + 12)
    {
       png_chunk_benign_error(png_ptr, "invalid");
       return;