From 0ff5150f913dc86f5393b9a9aa631ba5bb33c641 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Fri, 9 Mar 2012 22:38:06 -0600
Subject: [PATCH] [libpng15] Reject all iCCP chunks after the first, even if the first one is invalid.
---
 ANNOUNCE | 1 +
 CHANGES | 1 +
 pngpriv.h | 1 +
 pngrutil.c | 5 ++++-
 4 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ANNOUNCE b/ANNOUNCE
index 426c46994..bc38faf13 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -56,6 +56,7 @@ Version 1.5.10beta04 [March 10, 2012]
 libpng-1.5.4. It sometimes produced too small of a window.
 Version 1.5.10beta05 [March 10, 2012]
+ Reject all iCCP chunks after the first, even if the first one is invalid.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net:
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 27c8fe22d..78857d80b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3841,6 +3841,7 @@ Version 1.5.10beta04 [March 10, 2012]
 libpng-1.5.4. It sometimes produced too small of a window.
 Version 1.5.10beta05 [March 10, 2012]
+ Reject all iCCP chunks after the first, even if the first one is invalid.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngpriv.h b/pngpriv.h
index 42ec4c219..0ceb6b85a 100644
--- a/pngpriv.h
+++ b/pngpriv.h
@@ -466,6 +466,7 @@ typedef PNG_CONST png_uint_16p FAR * png_const_uint_16pp;
 #define PNG_BACKGROUND_IS_GRAY 0x800
 #define PNG_HAVE_PNG_SIGNATURE 0x1000
 #define PNG_HAVE_CHUNK_AFTER_IDAT 0x2000 /* Have another chunk after IDAT */
+#define PNG_HAVE_iCCP 0x4000
 /* Flags for the transformations the PNG library does on the image data */
 #define PNG_BGR 0x0001
diff --git a/pngrutil.c b/pngrutil.c
index 74822a92b..fe6585ed2 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1257,13 +1257,16 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
 /* Should be an error, but we can cope with it */
 png_warning(png_ptr, "Out of place iCCP chunk");
- if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
+ if ((png_ptr->mode & PNG_HAVE_iCCP) || (info_ptr != NULL &&
+ (info_ptr->valid & (PNG_INFO_iCCP|PNG_INFO_sRGB))))
 {
 png_warning(png_ptr, "Duplicate iCCP chunk");
 png_crc_finish(png_ptr, length);
 return;
 }
+ png_ptr->mode |= PNG_HAVE_iCCP;
+
 #ifdef PNG_MAX_MALLOC_64K
 if (length > (png_uint_32)65535L)
 {
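Review bot: The widened condition now also fires when `PNG_INFO_sRGB` is set, but the branch still warns "Duplicate iCCP chunk", so a file with an sRGB chunk followed by a single iCCP is reported with the wrong cause. Rewording to something like `png_warning(png_ptr, "Duplicate iCCP chunk or iCCP after sRGB");` (or splitting the two cases) would keep the diagnostic accurate for anyone triaging a malformed file. The `png_ptr->mode |= PNG_HAVE_iCCP;` assignment deliberately precedes the length check that follows and presumably the rest of the validation, which deserves a comment such as `/* Mark iCCP as seen before validating, so a malformed first chunk still blocks later ones */`. Whether the sRGB handler applies the mirror-image test against `PNG_HAVE_iCCP` is not visible here and is worth confirming. png_handle_iCCP begins before and continues past this hunk.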