[libpng16] Avoid potential pointer overflow in png_handle_sPLT() and

png_handle_pCAL() (Bug report by John Regehr).

ANNOUNCE

@@ -26,6 +26,8 @@ Other information:
 Changes since the last public release (1.6.19):
 
 Version 1.6.20beta01 [(PENDING RELEASE)]
+  Avoid potential pointer overflow in png_handle_sPLT() and
+    png_handle_pCAL() (Bug report by John Regehr).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -5415,6 +5415,8 @@ Version 1.6.19 [November 12, 2015]
   Cleaned up coding style in png_handle_PLTE().
 
 Version 1.6.20beta01 [(PENDING RELEASE)]
+  Avoid potential pointer overflow in png_handle_sPLT() and
+    png_handle_pCAL() (Bug report by John Regehr).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

pngrutil.c

@@ -1,7 +1,7 @@
 
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.6.19 [November 12, 2015]
+ * Last changed in libpng 1.6.20 [(PENDING RELEASE)]
  * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -1670,7 +1670,7 @@ png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
    ++entry_start;
 
    /* A sample depth should follow the separator, and we should be on it  */
-   if (entry_start > buffer + length - 2)
+   if (length < 2 || entry_start > buffer + length - 2)
    {
       png_warning(png_ptr, "malformed sPLT chunk");
       return;
@@ -2174,7 +2174,7 @@ png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
    /* We need to have at least 12 bytes after the purpose string
     * in order to get the parameter information.
     */
-   if (endptr <= buf + 12)
+   if (length < 12 || endptr <= buf + 12)
    {
       png_chunk_benign_error(png_ptr, "invalid");
       return;