fix: png_write_iCCP check on profile length

This is a regression of commit a8242dd947
"PNGv3 colourspace precedence rules conformance".

Previously, `png_write_iCCP` used the length from the first four bytes
of the profile set by `png_set_iCCP`, rather than the actual data length
recorded by `png_set_iCCP`.

If the profile data were less than 4 bytes long, it would have caused
a read-beyond-end-of-malloc error.  This bug was in the libpng code even
before the changes introduced in the above-mentioned commit, but it was
inaccessible.  It became accessible when we removed the pre-PNGv3 colour
space checks in `png_set_iCCP`.

Reported-by: Bob Friesenhahn <bobjfriesenhahn@gmail.com>
Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
John Bowler
2025-01-29 18:42:22 -08:00
committed by Cosmin Truta
parent 8c7ed2e3b2
commit 68e090e700
3 changed files with 9 additions and 9 deletions


@@ -196,7 +196,7 @@ png_write_info_before_PLTE(png_structrp png_ptr, png_const_inforp info_ptr)
if ((info_ptr->valid & PNG_INFO_iCCP) != 0)
{
png_write_iCCP(png_ptr, info_ptr->iccp_name,
info_ptr->iccp_profile);
info_ptr->iccp_profile, info_ptr->iccp_proflen);
}
# endif
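Review bot: the new third argument `info_ptr->iccp_proflen` on the `png_write_iCCP` call is the right source of the length (the value recorded by `png_set_iCCP`, not the first four bytes of the profile), but this hunk shows only the caller; the matching signature change and the length check inside `png_write_iCCP` live in the other changed files and are not visible here. Since the message describes a read past the end of the allocation when the profile is shorter than 4 bytes, confirm that the callee rejects `iccp_proflen < 4` before it reads the embedded length field, and that the length it writes is the recorded one rather than the header value.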