diff --git a/ANNOUNCE b/ANNOUNCE
index 9a6a06c7f..4e1ed53d9 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
 
-Libpng 1.7.0beta76 - December 30, 2015
+Libpng 1.7.0beta76 - January 6, 2016
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -1139,7 +1139,7 @@ Version 1.7.0beta75 [December 21, 2015]
     struct; put the check that relies on pz->list being non-NULL
     second (David Drysdale).
 
-Version 1.7.0beta76 [December 30, 2015]
+Version 1.7.0beta76 [January 6, 2016]
   Corrected the options handling. Setting the new, higher, option
     bits triggered the byte check (which is no longer necessary).
   Added NULL pz->list test to png_zlib_compress_validate().  This seems
@@ -1165,6 +1165,10 @@ Version 1.7.0beta76 [December 30, 2015]
     to PNG_HAVE_PLTE|PNG_AFTER_IDAT.  When the chunk is written the
     position is set to the actual write location (effectively the position
     is frozen.)
+  Relocated assert() in contrib/tools/pngfix.c, bug found by American
+    Fuzzy Lop, reported by Brian Carpenter.
+  Marked 'limit' UNUSED in transform_range_check().  This only affects
+    release builds.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 6aedcf1e6..0d66a3f30 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5438,7 +5438,7 @@ Version 1.7.0beta75 [December 21, 2015]
     struct; put the check that relies on pz->list being non-NULL
     second (David Drysdale).
 
-Version 1.7.0beta76 [December 30, 2015]
+Version 1.7.0beta76 [January 6, 2016]
   Corrected the options handling. Setting the new, higher, option
     bits triggered the byte check (which is no longer necessary).
   Added NULL pz->list test to png_zlib_compress_validate().  This seems
@@ -5464,6 +5464,10 @@ Version 1.7.0beta76 [December 30, 2015]
     to PNG_HAVE_PLTE|PNG_AFTER_IDAT.  When the chunk is written the
     position is set to the actual write location (effectively the position
     is frozen.)
+  Relocated assert() in contrib/tools/pngfix.c, bug found by American
+    Fuzzy Lop, reported by Brian Carpenter.
+  Marked 'limit' UNUSED in transform_range_check().  This only affects
+    release builds.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/contrib/libtests/pngvalid.c b/contrib/libtests/pngvalid.c
index 8633a530e..407a0f66e 100644
--- a/contrib/libtests/pngvalid.c
+++ b/contrib/libtests/pngvalid.c
@@ -1,7 +1,7 @@
 
 /* pngvalid.c - validate libpng by constructing then reading png files.
  *
- * Last changed in libpng 1.5.27 [(PENDING RELEASE)]
+ * Last changed in libpng 1.6.21 [(PENDING RELEASE)]
  * Copyright (c) 2014-2016 Glenn Randers-Pehrson
  * Written by John Cunningham Bowler
  *
diff --git a/contrib/tools/pngfix.c b/contrib/tools/pngfix.c
index 5135fd391..bcf35b0f4 100644
--- a/contrib/tools/pngfix.c
+++ b/contrib/tools/pngfix.c
@@ -1,8 +1,8 @@
 /* pngfix.c
  *
- * Copyright (c) 2014-2015 John Cunningham Bowler
+ * Copyright (c) 2014-2016 John Cunningham Bowler
  *
- * Last changed in libpng 1.6.20 [(PENDING RELEASE)]
+ * Last changed in libpng 1.6.21 [(PENDING RELEASE)]
  *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
@@ -319,13 +319,13 @@ uarb_mult32(uarb acc, int a_digits, uarb num, int n_digits, png_uint_32 val)
       a_digits = uarb_mult_digit(acc, a_digits, num, n_digits,
          (png_uint_16)(val & 0xffff));
 
-      /* Because n_digits and val are >0 the following must be true: */
-      assert(a_digits > 0);
-
       val >>= 16;
       if (val > 0)
          a_digits = uarb_mult_digit(acc+1, a_digits-1, num, n_digits,
             (png_uint_16)val) + 1;
+
+      /* Because n_digits and val are >0 the following must be true: */
+      assert(a_digits > 0);
    }
 
    return a_digits;