From 3f46c67c6989f480bd932428aa1705f6625dbabf Mon Sep 17 00:00:00 2001
From: Timothy Nikkel <tnikkel@gmail.com>
Date: Sun, 29 May 2016 09:31:48 -0500
Subject: [PATCH] [libpng16] Fixed the progressive reader to handle empty first
 IDAT chunk

properly (patch by Timothy Nikkel).
---
 ANNOUNCE   |  7 +++++--
 CHANGES    |  5 ++++-
 pngpread.c | 14 ++++++++------
 3 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/ANNOUNCE b/ANNOUNCE
index 1f3edd760..3dd2c49a5 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,4 +1,4 @@
-Libpng 1.6.23beta01 - May 28, 2016
+Libpng 1.6.23beta01 - May 29, 2016
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -25,8 +25,11 @@ Other information:
 
 Changes since the last public release (1.6.22):
 
-Version 1.6.23beta01 [May 28, 2016]
+Version 1.6.23beta01 [May 29, 2016]
   Stop a potential memory leak in png_set_tRNS() (Bug report by Ted Ying).
+  Fixed the progressive reader to handle empty first IDAT chunk properly
+    (patch by Timothy Nikkel).  This bug was introduced in libpng-1.6.0 and
+    only affected the libpng16 branch.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index d31a5b398..8c725c2a9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5573,8 +5573,11 @@ Version 1.6.22rc03 [May 17, 2016]
 Version 1.6.22 [May 26, 2016]
   No changes.
 
-Version 1.6.23beta01 [May 28, 2016]
+Version 1.6.23beta01 [May 29, 2016]
   Stop a potential memory leak in png_set_tRNS() (Bug report by Ted Ying).
+  Fixed the progressive reader to handle empty first IDAT chunk properly
+    (patch by Timothy Nikkel).  This bug was introduced in libpng-1.6.0 and
+    only affected the libpng16 branch.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngpread.c b/pngpread.c
index 0dc1e53c2..2e0208813 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -1,8 +1,8 @@
 
 /* pngpread.c - read a png file in push mode
  *
- * Last changed in libpng 1.6.18 [July 23, 2015]
- * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson
+ * Last changed in libpng 1.6.23 [(PENDING RELEASE)]
+ * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -210,12 +210,14 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
           (png_ptr->mode & PNG_HAVE_PLTE) == 0)
          png_error(png_ptr, "Missing PLTE before IDAT");
 
-      png_ptr->mode |= PNG_HAVE_IDAT;
       png_ptr->process_mode = PNG_READ_IDAT_MODE;
 
-      if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0)
-         if (png_ptr->push_length == 0)
-            return;
+      if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
+         if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0)
+            if (png_ptr->push_length == 0)
+               return;
+
+      png_ptr->mode |= PNG_HAVE_IDAT;
 
       if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
          png_benign_error(png_ptr, "Too many IDATs found");