[libpng16] Return NULL from png_malloc_array() with a warning instead of calling

png_error() on failure.  Reject oversized iCCP profile immediately.

ANNOUNCE

@@ -1,4 +1,4 @@
-Libpng 1.6.25beta01 - August 4, 2016
+Libpng 1.6.25beta01 - August 10, 2016
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -25,7 +25,10 @@ Other information:
 
 Changes since the last public release (1.6.24):
 
-Version 1.6.25beta01 [August 4, 2016]
+Version 1.6.25beta01 [August 10, 2016]
+  Return NULL from png_malloc_array() with a warning instead of calling
+    png_error() on failure.
+  Reject oversized iCCP profile immediately.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -5675,7 +5675,10 @@ Version 1.6.24rc03 [August 2, 2016]
 Version 1.6.24[August 4, 2016]
   No changes.
 
-Version 1.6.24[August 4, 2016]
+Version 1.6.25beta01 [August 10, 2016]
+  Return NULL from png_malloc_array() with a warning instead of calling
+    png_error() on failure.
+  Reject oversized iCCP profile immediately.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

pngmem.c

@@ -1,7 +1,7 @@
 
 /* pngmem.c - stub functions for memory allocation
  *
- * Last changed in libpng 1.6.24 [August 4, 2016]
+ * Last changed in libpng 1.6.25 [(PENDING RELEASE)]
  * Copyright (c) 1998-2002,2004,2006-2014,2016 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -123,7 +123,10 @@ png_malloc_array,(png_const_structrp png_ptr, int nelements,
     size_t element_size),PNG_ALLOCATED)
 {
    if (nelements <= 0 || element_size == 0)
-      png_error(png_ptr, "internal error: array alloc");
+   {
+      png_warning(png_ptr, "internal error: array alloc");
+      return NULL;
+   }
 
    return png_malloc_array_checked(png_ptr, nelements, element_size);
 }

pngrutil.c

@@ -1,7 +1,7 @@
 
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.6.24 [August 4, 2016]
+ * Last changed in libpng 1.6.25 [(PENDING RELEASE)]
  * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -307,7 +307,7 @@ png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
 
    if (buffer == NULL)
    {
-      buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
+      buffer = png_voidcast(png_bytep, png_malloc_array(png_ptr, 1, new_size));
 
       if (buffer != NULL)
       {
@@ -1462,7 +1462,7 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
                         const png_uint_32 tag_count = png_get_uint_32(
                             profile_header+128);
                         png_bytep profile = png_read_buffer(png_ptr,
-                            profile_length, 2/*silent*/);
+                            profile_length, 1/*warn*/);
 
                         if (profile != NULL)
                         {
@@ -1528,8 +1528,8 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
                                            PNG_FREE_ICCP, 0);
 
                                        info_ptr->iccp_name = png_voidcast(char*,
-                                           png_malloc_base(png_ptr,
+                                           png_malloc_array(png_ptr,
-                                           keyword_length+1));
+                                           keyword_length+1, 1));
                                        if (info_ptr->iccp_name != NULL)
                                        {
                                           memcpy(info_ptr->iccp_name, keyword,