From e7ad104ac37da2c25d7eb278583f6b6495740274 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Tue, 22 Nov 2011 11:03:20 -0600
Subject: [PATCH] [libpng15] Reject invalid compression flag when reading the
 iTXt chunk.

---
 ANNOUNCE   | 7 ++++---
 CHANGES    | 5 +++--
 pngrutil.c | 8 ++++++++
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/ANNOUNCE b/ANNOUNCE
index 873397eae..6c2660b31 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
 
-Libpng 1.5.7beta05 - November 21, 2011
+Libpng 1.5.7beta05 - November 22, 2011
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -99,12 +99,13 @@ Version 1.5.7beta04 [November 17, 2011]
     Also removed a duplicate setting of this flag.
   Added files that were omitted from the libpng-1.5.7beta03 zip distribution.
 
-Version 1.5.7beta05 [November 21, 2011]
+Version 1.5.7beta05 [November 22, 2011]
   Removed "zTXt" from warning in generic chunk decompression function.
   Validate time settings passed to pngset() and png_convert_to_rfc1123()
     (Frank Busse).
-  Allow row_stride==0 to indicate default stride in simplified API
+  Allow row_stride==0 to indicate default stride in simplified API.
   Added MINGW support to CMakeLists.txt
+  Reject invalid compression flag when reading the iTXt chunk.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net:
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index f44c0f6f0..752961c6c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3744,12 +3744,13 @@ Version 1.5.7beta04 [November 17, 2011]
     Also removed a duplicate setting of this flag.
   Added files that were omitted from the libpng-1.5.7beta03 zip distribution.
 
-Version 1.5.7beta05 [November 21, 2011]
+Version 1.5.7beta05 [November 22, 2011]
   Removed "zTXt" from warning in generic chunk decompression function.
   Validate time settings passed to pngset() and png_convert_to_rfc1123()
     (Frank Busse).
-  Allow row_stride==0 to indicate default stride in simplified API
+  Allow row_stride==0 to indicate default stride in simplified API.
   Added MINGW support to CMakeLists.txt
+  Reject invalid compression flag when reading the iTXt chunk.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngrutil.c b/pngrutil.c
index 716600027..54b3771a7 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -2540,6 +2540,14 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
       comp_type = *lang++;
    }
 
+   if (comp_flag != PNG_TEXT_COMPRESSION_zTXt)
+   {
+      png_warning(png_ptr, "Unknown iTXt compression type");
+      png_free(png_ptr, png_ptr->chunkdata);
+      png_ptr->chunkdata = NULL;
+      return;
+   }
+
    for (lang_key = lang; *lang_key; lang_key++)
       /* Empty loop */ ;