diff --git a/ANNOUNCE b/ANNOUNCE
index edb3c7a61..ef795e29e 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.5.3rc03 - June 8, 2011
+Libpng 1.5.3rc03 - June 10, 2011
 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version.
@@ -154,6 +154,9 @@ Version 1.5.3rc02 [June 8, 2011]
 Fixed uninitialized memory read in png_format_buffer() (Bug report by Frank Busse, related to CVE-2004-0421).
+Version 1.5.3rc03 [June 10, 2011]
+ Fixed png_handle_sCAL which is broken in 1.5; added sCAL to pngtest.png
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net: (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/CHANGES b/CHANGES
index 6398b26e9..755a2619e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3417,6 +3417,9 @@ Version 1.5.3rc02 [June 8, 2011]
 Fixed uninitialized memory read in png_format_buffer() (Bug report by Frank Busse, related to CVE-2004-0421).
+Version 1.5.3rc03 [June 10, 2011]
+ Fixed png_handle_sCAL which is broken in 1.5; added sCAL to pngtest.png
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/pngrutil.c b/pngrutil.c
index 08a6e6329..e1cc84747 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1992,6 +1992,14 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
 return;
 }
+ /* Need unit type, width, \0, height: minimum 4 bytes */
+ else if (length < 4)
+ {
+ png_warning(png_ptr, "sCAL chunk too short");
+ png_crc_finish(png_ptr, length);
+ return;
+ }
+
 png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)", length + 1);
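Review bot: The comment on the new `else if (length < 4)` guard in pngrutil.c gives the chunk layout but not why the bound matters. Later code indexes `chunkdata[1]` directly (visible in the next hunk), so this check is presumably what keeps that read inside the chunk data for a truncated sCAL. I would say so in the comment, e.g. `/* unit byte + 1 width char + '\0' + 1 height char; also guarantees chunkdata[1] below is inside the chunk */`. As a style point, the preceding branch already ends in `return;`, so a plain `if (length < 4)` with the comment directly above it would read more clearly than an `else if` separated from its brace by a comment. png_handle_sCAL starts and ends outside this hunk, so the earlier branches are not visible here.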
@@ -2027,7 +2035,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
 /* Validate the ASCII numbers, need two ASCII numbers separated by * a '\0' and they need to fit exactly in the chunk data. */
- i = 0;
+ i = 1;
 state = 0;
 if (png_ptr->chunkdata[1] == 45 /* negative width */ ||
@@ -2039,6 +2047,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
 {
 png_size_t heighti = i;
+ state = 0;
 if (png_ptr->chunkdata[i] == 45 /* negative height */ || !png_check_fp_number(png_ptr->chunkdata, slength, &state, &i) || i != slength)
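Review bot: Neither `i = 1;` here nor the `state = 0;` added in the next hunk (before the height check) carries a comment, although both encode parser invariants that were evidently easy to get wrong. Index 0 of `chunkdata` appears to hold the unit byte, so the width string starts at index 1. `state` is passed by address to `png_check_fp_number`, so it presumably has to be reset between the width and height parses. Suggested comments: `/* chunkdata[0] is the unit; the width string starts at index 1 */` above `i = 1;` and `/* restart the number parser for the height */` above `state = 0;`. Both hunks sit inside png_handle_sCAL, whose body begins and ends outside them.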