[libpng17] Corrected the width limit calculation in png_check_IHDR().

ANNOUNCE

@@ -669,6 +669,7 @@ Version 1.7.0beta44 [December 22, 2014]
   Restored a test on width that was removed from png.c at libpng-1.6.9
     (Bug report by Alex Eubanks).
   Fixed an overflow in png_combine_row with very wide interlaced images.
+  Corrected the width limit calculation in png_check_IHDR().
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -4958,6 +4958,7 @@ Version 1.7.0beta44 [December 22, 2014]
   Restored a test on width that was removed from png.c at libpng-1.6.9
     (Bug report by Alex Eubanks).
   Fixed an overflow in png_combine_row with very wide interlaced images.
+  Corrected the width limit calculation in png_check_IHDR().
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

png.c

@@ -2387,12 +2387,12 @@ png_check_IHDR(png_const_structrp png_ptr,
       png_warning(png_ptr, "Invalid image width in IHDR");
       error = 1;
    }
-   else if (png_gt(width,
+   else if (png_gt(((width + 7) & ~7),
-                   (PNG_SIZE_MAX >> 3) /* 8-byte RGBA pixels */
+       ((PNG_SIZE_MAX
-                   - 48                /* big_row_buf hack */
+           - 48        /* big_row_buf hack */
-                   - 1                 /* filter byte */
+           - 1)        /* filter byte */
-                   - 7*8               /* rounding width to multiple of 8 pix */
+           / 8)        /* 8-byte RGBA pixels */
-                   - 8))               /* extra max_pixel_depth pad */
+           - 1))       /* extra max_pixel_depth pad */
    {
       /* The size of the row must be within the limits of this architecture.
        * Because the read code can perform arbitrary transformations the