diff --git a/ANNOUNCE b/ANNOUNCE
index d16bf333b..501a7a510 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -85,6 +85,7 @@ Version 1.5.14rc02 [January 17, 2013]
 
 Version 1.5.14rc03 [January 17, 2013]
 Check validity of "nentries" parameter of png_set_sPLT().
+ Check validity of "num_text" parameter of png_set_text_2().
 
 ===========================================================================
 NOTICE November 17, 2012:
diff --git a/CHANGES b/CHANGES
index 4c2d767a8..1fc47ded3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3978,6 +3978,7 @@ Version 1.5.14rc02 [January 17, 2013]
 
 Version 1.5.14rc03 [January 17, 2013]
 Check validity of "nentries" parameter of png_set_sPLT().
+ Check validity of "num_text" parameter of png_set_text_2().
 
 ===========================================================================
 NOTICE November 17, 2012:
diff --git a/pnginfo.h b/pnginfo.h
index a33bfab06..0e5c977dd 100644
--- a/pnginfo.h
+++ b/pnginfo.h
@@ -242,7 +242,7 @@ defined(PNG_READ_BACKGROUND_SUPPORTED)
 #ifdef PNG_sPLT_SUPPORTED
 /* Data on sPLT chunks (there may be more than one). */
 png_sPLT_tp splt_palettes;
- png_uint_32 splt_palettes_num;
+ int splt_palettes_num;
 #endif
 
 #ifdef PNG_sCAL_SUPPORTED
diff --git a/pngset.c b/pngset.c
index 1467690a7..cb14fbf46 100644
--- a/pngset.c
+++ b/pngset.c
@@ -690,6 +690,17 @@ png_set_text_2(png_structp png_ptr, png_infop info_ptr,
 /* Make sure we have enough space in the "text" array in info_struct
 * to hold all of the incoming text_ptr objects.
 */
+
+ if (num_text < 0 ||
+ num_text > INT_MAX - info_ptr->num_text - 8 ||
+ (unsigned int)/*SAFE*/(num_text +/*SAFE*/
+ info_ptr->num_text + 8) >=
+ PNG_SIZE_MAX/png_sizeof(png_text))
+ {
+ png_warning(png_ptr, "too many text chunks");
+ return(0);
+ }
+
 if (info_ptr->num_text + num_text > info_ptr->max_text)
 {
 int old_max_text = info_ptr->max_text;
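Review bot: `splt_palettes_num` in pnginfo.h is now a signed `int`, so the field can hold a negative count, and the declaration does not state the invariant the sPLT code must keep. No reader or writer of the field appears in this diff, so each place that uses it as a loop bound or in an allocation size needs checking for signed/unsigned comparisons and for a range check before it is multiplied by an element size. I would record the intent on the declaration, for example `int splt_palettes_num; /* number of entries in splt_palettes; must stay >= 0 */`.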
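Review bot: The new rejection path in png_set_text_2() ends in `return(0);`, and if 0 is also what the function returns after storing the text (its other returns are outside this hunk), a caller cannot tell a dropped request from a successful one; only the `png_warning()` text records it. If the function has a nonzero failure value, this branch should use it, e.g. `return(1);`; otherwise state the contract in a comment above the check, such as `/* Negative or oversized num_text: warn and store nothing */`. The literal `8` in the bound presumably mirrors the slack added when the text array is grown further down, also outside the hunk, so a short comment tying the two together would keep the overflow guard and the allocation size from drifting apart.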