From 1a3d6e3cf3082a0da998dbf402d384a589488859 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Thu, 10 Jan 2013 09:24:03 -0600 Subject: [PATCH] [libpng15] Check validity of "num_unknowns" parameter of png_set_unknown_chunks(). --- ANNOUNCE | 5 +++-- CHANGES | 3 ++- pngset.c | 13 ++++++++++--- 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 6d0e8f493..6a95c3eb2 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.5.14beta08 - January 7, 2013 +Libpng 1.5.14beta08 - January 10, 2013 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -73,7 +73,8 @@ Version 1.5.14beta07 [January 6, 2012] which provide more extensive testing. Replaced pngtest.png because pngtest writes the ancillary chunks in a different order. -Version 1.5.14beta08 [January 7, 2013] +Version 1.5.14beta08 [January 10, 2013] + Check validity of "num_unknowns" parameter of png_set_unknown_chunks(). =========================================================================== NOTICE November 17, 2012: diff --git a/CHANGES b/CHANGES index 292d34e1f..1bc781992 100644 --- a/CHANGES +++ b/CHANGES @@ -3966,7 +3966,8 @@ Version 1.5.14beta07 [January 6, 2012] which provide more extensive testing. Replaced pngtest.png because pngtest writes the ancillary chunks in a different order. -Version 1.5.14beta08 [January 7, 2013] +Version 1.5.14beta08 [January 10, 2013] + Check validity of "num_unknowns" parameter of png_set_unknown_chunks(). =========================================================================== NOTICE November 17, 2012: diff --git a/pngset.c b/pngset.c index 95dbea836..6a1c10911 100644 --- a/pngset.c +++ b/pngset.c 
@@ -1039,9 +1039,16 @@ png_set_unknown_chunks(png_structp png_ptr,
 if (png_ptr == NULL || info_ptr == NULL || num_unknowns == 0)
 return;
- np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
- (png_size_t)(info_ptr->unknown_chunks_num + num_unknowns) *
- png_sizeof(png_unknown_chunk));
+ if (num_unknowns < 0 ||
+ num_unknowns >= UINT_MAX-info_ptr->unknown_chunks_num ||
+ num_unknowns >= PNG_SIZE_MAX/png_sizeof(png_unknown_chunk)
+ - info_ptr->unknown_chunks_num)
+ np=NULL;
+
+ else
+ np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
+ (png_size_t)(info_ptr->unknown_chunks_num + num_unknowns) *
+ png_sizeof(png_unknown_chunk));
 if (np == NULL)
 {
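Review bot: The new bound in the `if` compares `num_unknowns` against `UINT_MAX-info_ptr->unknown_chunks_num`, but the allocation size below still adds `info_ptr->unknown_chunks_num + num_unknowns` before the cast to `png_size_t`; if `unknown_chunks_num` is a signed `int` (its declaration is not in this hunk), a count can pass the check and the sum still exceed `INT_MAX`, which is signed overflow and leaves the allocation size undefined. Bounding by the type the addition actually uses closes this, e.g. `num_unknowns > INT_MAX - info_ptr->unknown_chunks_num ||`, or cast each operand to `png_size_t` before adding. The hunk uses `UINT_MAX` without adding an include, so confirm that `<limits.h>` is already visible in pngset.c. Rejected counts fall into the existing `np == NULL` branch, whose body lies outside the hunk; if that branch reports an allocation failure, a caller passing a bad count gets a misleading diagnostic, so a distinct warning for the invalid-parameter case would help.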