From 8ec8e8fcd5542aa40b361983f285d6a8e954aab8 Mon Sep 17 00:00:00 2001
From: John Bowler
Date: Thu, 17 Jan 2013 13:42:42 -0600
Subject: [PATCH] [libpng17] Corrected previous attempt at overflow detection in png_set_unknown_chunks().
---
 ANNOUNCE | 5 +++--
 CHANGES | 3 ++-
 pngset.c | 4 ++--
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/ANNOUNCE b/ANNOUNCE
index c9c3bcfdc..ca787ba81 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.7.0alpha08 - January 10, 2013
+Libpng 1.7.0alpha08 - January 17, 2013
 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version.
@@ -110,7 +110,8 @@ Version 1.7.0alpha07 [January 10, 2013]
 Fixed conceivable but difficult to repro overflow. Also added two test programs to generate and test a PNG which should have the problem.
-Version 1.7.0alpha08 [January 10, 2013]
+Version 1.7.0alpha08 [January 17, 2013]
+ Corrected previous attempt at overflow detection in png_set_unknown_chunks().
 ===========================================================================
 NOTICE November 17, 2012:
diff --git a/CHANGES b/CHANGES
index 320d9cec8..6b4f476d2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4396,7 +4396,8 @@ Version 1.7.0alpha07 [January 10, 2013]
 Fixed conceivable but difficult to repro overflow. Also added two test programs to generate and test a PNG which should have the problem.
-Version 1.7.0alpha08 [January 10, 2013]
+Version 1.7.0alpha08 [January 17, 2013]
+ Corrected previous attempt at overflow detection in png_set_unknown_chunks().
 ===========================================================================
 NOTICE November 17, 2012:
diff --git a/pngset.c b/pngset.c
index 70d4aa56c..ea57bfaaa 100644
--- a/pngset.c
+++ b/pngset.c
@@ -1169,7 +1169,7 @@ png_set_unknown_chunks(png_const_structrp png_ptr,
 * limit.
 */
 if (num_unknowns > PNG_UINT_32_MAX - info_ptr->unknown_chunks_num ||
- num_unknowns > PNG_SIZE_MAX/(sizeof *np) - info_ptr->unknown_chunks_num)
+ num_unknowns + info_ptr->unknown_chunks_num > PNG_SIZE_MAX/(sizeof *np))
 {
 /* This is a benign read error (user limits are disabled and we are about
 * to overflow 2^32 chunks) and an application write error.
@@ -1180,7 +1180,7 @@ png_set_unknown_chunks(png_const_structrp png_ptr,
 }
 np = png_voidcast(png_unknown_chunkp, png_malloc(png_ptr,
- (info_ptr->unknown_chunks_num + (unsigned int)num_unknowns) *
+ (info_ptr->unknown_chunks_num + num_unknowns) *
 (sizeof (png_unknown_chunk))));
 memcpy(np, info_ptr->unknown_chunks,
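Review bot: The second comparison in the new condition, `num_unknowns + info_ptr->unknown_chunks_num > PNG_SIZE_MAX/(sizeof *np)`, is only free of wrap-around because `||` short-circuits after the first comparison has already established that the sum fits in a png_uint_32; that dependence on evaluation order is easy to break in a later edit and deserves a comment, e.g. `/* The first test guarantees the sum below cannot wrap. */` on the line before it. The comparison also mixes num_unknowns with the unsigned unknown_chunks_num, so it relies on the earlier rejection of non-positive counts that, together with the parameter's declaration, lies outside this hunk and should be confirmed there. png_set_unknown_chunks begins before this hunk and continues into the next one.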
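Review bot: The allocation size on the new line is scaled by `(sizeof (png_unknown_chunk))` while the guard in the preceding hunk bounds the same product with `(sizeof *np)`; writing the multiplier as `(sizeof *np)` here too keeps the bound and the allocation visibly tied to one element type, so a change to the pointee type cannot silently desynchronise them. Removing the `(unsigned int)` cast matches the guard, but if num_unknowns is still the signed int of the public prototype (declared outside the hunk) the addition now promotes implicitly, which builds with -Wsign-conversion will flag; casting in both places or in neither would be consistent. The enclosing function continues past the memcpy call at the end of the hunk.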