[libpng15] Check validity of "nentries" parameter of png_set_sPLT().

and check validity of "num_text" parameter of png_set_text_2().

ANNOUNCE

@@ -85,6 +85,7 @@ Version 1.5.14rc02 [January 17, 2013]
 
 Version 1.5.14rc03 [January 17, 2013]
   Check validity of "nentries" parameter of png_set_sPLT().
+  Check validity of "num_text" parameter of png_set_text_2().
 
   ===========================================================================
                        NOTICE November 17, 2012:

CHANGES

@@ -3978,6 +3978,7 @@ Version 1.5.14rc02 [January 17, 2013]
 
 Version 1.5.14rc03 [January 17, 2013]
   Check validity of "nentries" parameter of png_set_sPLT().
+  Check validity of "num_text" parameter of png_set_text_2().
 
   ===========================================================================
                        NOTICE November 17, 2012:

pnginfo.h

@@ -242,7 +242,7 @@ defined(PNG_READ_BACKGROUND_SUPPORTED)
 #ifdef PNG_sPLT_SUPPORTED
    /* Data on sPLT chunks (there may be more than one). */
    png_sPLT_tp splt_palettes;
-   png_uint_32 splt_palettes_num;
+   int splt_palettes_num;
 #endif
 
 #ifdef PNG_sCAL_SUPPORTED

pngset.c

@@ -690,6 +690,17 @@ png_set_text_2(png_structp png_ptr, png_infop info_ptr,
    /* Make sure we have enough space in the "text" array in info_struct
     * to hold all of the incoming text_ptr objects.
     */
+
+   if (num_text < 0 ||
+       num_text > INT_MAX - info_ptr->num_text - 8 ||
+       (unsigned int)/*SAFE*/(num_text +/*SAFE*/
+       info_ptr->num_text + 8) >=
+       PNG_SIZE_MAX/png_sizeof(png_text))
+   {
+      png_warning(png_ptr, "too many text chunks");
+      return(0);
+   }
+
    if (info_ptr->num_text + num_text > info_ptr->max_text)
    {
       int old_max_text = info_ptr->max_text;