From 310ffb25f8f7bd92b4e27a9c06762ee856365ad5 Mon Sep 17 00:00:00 2001
From: John Bowler <jbowler@acm.org>
Date: Sun, 21 Dec 2014 19:33:02 -0600
Subject: [PATCH] [libpng17] Corrected the width limit calculation in
 png_check_IHDR().

---
 ANNOUNCE |  1 +
 CHANGES  |  1 +
 png.c    | 12 ++++++------
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/ANNOUNCE b/ANNOUNCE
index 25469f3b4..f98ed135a 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -669,6 +669,7 @@ Version 1.7.0beta44 [December 22, 2014]
   Restored a test on width that was removed from png.c at libpng-1.6.9
     (Bug report by Alex Eubanks).
   Fixed an overflow in png_combine_row with very wide interlaced images.
+  Corrected the width limit calculation in png_check_IHDR().
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 64471b2d8..02e0b661d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4958,6 +4958,7 @@ Version 1.7.0beta44 [December 22, 2014]
   Restored a test on width that was removed from png.c at libpng-1.6.9
     (Bug report by Alex Eubanks).
   Fixed an overflow in png_combine_row with very wide interlaced images.
+  Corrected the width limit calculation in png_check_IHDR().
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/png.c b/png.c
index 32a9c01a3..87a2e9a54 100644
--- a/png.c
+++ b/png.c
@@ -2387,12 +2387,12 @@ png_check_IHDR(png_const_structrp png_ptr,
       png_warning(png_ptr, "Invalid image width in IHDR");
       error = 1;
    }
-   else if (png_gt(width,
-                   (PNG_SIZE_MAX >> 3) /* 8-byte RGBA pixels */
-                   - 48                /* big_row_buf hack */
-                   - 1                 /* filter byte */
-                   - 7*8               /* rounding width to multiple of 8 pix */
-                   - 8))               /* extra max_pixel_depth pad */
+   else if (png_gt(((width + 7) & ~7),
+       ((PNG_SIZE_MAX
+           - 48        /* big_row_buf hack */
+           - 1)        /* filter byte */
+           / 8)        /* 8-byte RGBA pixels */
+           - 1))       /* extra max_pixel_depth pad */
    {
       /* The size of the row must be within the limits of this architecture.
        * Because the read code can perform arbitrary transformations the