diff --git a/ANNOUNCE b/ANNOUNCE
index eee9ad91d..5da64c9d3 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -28,6 +28,7 @@ Changes since the last public release (1.5.28):
 
 version 1.5.29beta01 [March 1, 2017]
   Suppress clang warnings about implicit sign changes in png.c
+  Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index ca78c608a..81174c700 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4533,6 +4533,7 @@ version 1.5.28 [December 29, 2016]
 
 version 1.5.29beta01 [March 1, 2017]
   Suppress clang warnings about implicit sign changes in png.c
+  Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngrtran.c b/pngrtran.c
index f27336261..05f34b1c8 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -1,8 +1,8 @@
 
 /* pngrtran.c - transforms the data in a row for PNG readers
  *
- * Last changed in libpng 1.5.24 [November 12, 2015]
- * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson
+ * Last changed in libpng 1.5.29 [(PENDING RELEASE)]
+ * Copyright (c) 1998-2002,2004,2006-2015,2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -4604,7 +4604,7 @@ png_do_expand_palette(png_row_infop row_info, png_bytep row,
             if (num_trans > 0)
             {
                sp = row + (png_size_t)row_width - 1;
-               dp = row + (png_size_t)(row_width << 2) - 1;
+               dp = row + ((png_size_t)row_width << 2) - 1;
 
                for (i = 0; i < row_width; i++)
                {
@@ -4767,7 +4767,7 @@ png_do_expand(png_row_infop row_info, png_bytep row,
                 * 'gray', however if those are set it is an error.
                 */
                sp = row + (png_size_t)row_width - 1;
-               dp = row + (png_size_t)(row_width << 1) - 1;
+               dp = row + ((png_size_t)row_width << 1) - 1;
 
                for (i = 0; i < row_width; i++)
                {
@@ -4821,7 +4821,7 @@ png_do_expand(png_row_infop row_info, png_bytep row,
             png_byte green = (png_byte)(trans_color->green & 0xff);
             png_byte blue = (png_byte)(trans_color->blue & 0xff);
             sp = row + (png_size_t)row_info->rowbytes - 1;
-            dp = row + (png_size_t)(row_width << 2) - 1;
+            dp = row + ((png_size_t)row_width << 2) - 1;
             for (i = 0; i < row_width; i++)
             {
                if (*(sp - 2) == red && *(sp - 1) == green && *(sp) == blue)
@@ -4844,7 +4844,7 @@ png_do_expand(png_row_infop row_info, png_bytep row,
             png_byte green_low = (png_byte)(trans_color->green & 0xff);
             png_byte blue_low = (png_byte)(trans_color->blue & 0xff);
             sp = row + row_info->rowbytes - 1;
-            dp = row + (png_size_t)(row_width << 3) - 1;
+            dp = row + ((png_size_t)row_width << 3) - 1;
             for (i = 0; i < row_width; i++)
             {
                if (*(sp - 5) == red_high &&