[libpng15] Check validity of "num_unknowns" parameter

of png_set_unknown_chunks().

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.5.14beta08 - January 7, 2013
+Libpng 1.5.14beta08 - January 10, 2013
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -73,7 +73,8 @@ Version 1.5.14beta07 [January 6, 2012]
     which provide more extensive testing.  Replaced pngtest.png because pngtest
     writes the ancillary chunks in a different order.
 
-Version 1.5.14beta08 [January 7, 2013]
+Version 1.5.14beta08 [January 10, 2013]
+  Check validity of "num_unknowns" parameter of png_set_unknown_chunks().
 
   ===========================================================================
                        NOTICE November 17, 2012:

CHANGES

@@ -3966,7 +3966,8 @@ Version 1.5.14beta07 [January 6, 2012]
     which provide more extensive testing.  Replaced pngtest.png because pngtest
     writes the ancillary chunks in a different order.
 
-Version 1.5.14beta08 [January 7, 2013]
+Version 1.5.14beta08 [January 10, 2013]
+  Check validity of "num_unknowns" parameter of png_set_unknown_chunks().
 
   ===========================================================================
                        NOTICE November 17, 2012:

pngset.c

@@ -1039,6 +1039,13 @@ png_set_unknown_chunks(png_structp png_ptr,
    if (png_ptr == NULL || info_ptr == NULL || num_unknowns == 0)
       return;
 
+   if (num_unknowns < 0 ||
+       num_unknowns >= UINT_MAX-info_ptr->unknown_chunks_num ||
+       num_unknowns >= PNG_SIZE_MAX/png_sizeof(png_unknown_chunk)
+       - info_ptr->unknown_chunks_num)
+      np=NULL;
+
+   else
       np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
           (png_size_t)(info_ptr->unknown_chunks_num + num_unknowns) *
           png_sizeof(png_unknown_chunk));