[libpng16] Reject oversized iCCP profile length

The code now validates the ICC profile length against the user chunk limit
before the buffer is allocated, as opposed to doing it while the buffer is read.

This removes the potential to consume virtual address space with a carefully
crafted ICC profile; only an issue on 32-bit systems where a valid profile can
be up to 2^32-4 bytes in length.  libpng never writes beyond the application
supplied limit, but previously it did allocate a buffer of the size specified in
the profile header.  The exploitability of this is almost zero; the address
space is released as soon as the PNG read completes.

Also clean up PNG_DEBUG compile of pngtest.c.

Signed-off-by: John Bowler <jbowler@acm.org>
John Bowler
2016-08-10 15:35:09 -07:00
parent cdc0e74ee6
commit 92a7c79db2
5 changed files with 85 additions and 38 deletions
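The commit message above describes a check-before-allocate fix: the ICC profile length taken from the untrusted profile header is compared with the user chunk limit before any buffer is allocated, instead of allocating a buffer of the declared size and enforcing the limit while the profile is read. The following is an added example written for this page, not libpng's own code: it takes the already-decompressed iCCP payload (the ICC header begins with a 4-byte big-endian profile size), implements both the legacy allocate-then-check strategy and the fixed check-then-allocate strategy, and records how many bytes each requests from the allocator before the limit is applied. All function names are hypothetical; the 8000000-byte default limit and the convention that a limit of 0 means unlimited are assumptions, and inflation of the zlib stream is left to the caller.

```c
/* Added example, not libpng code.  Demonstrates validating a declared
 * ICC profile length against a user chunk limit BEFORE allocating.
 * Input is the decompressed iCCP payload; its first 4 bytes are the
 * big-endian profile size from the ICC header.  Names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ICC_MIN_PROFILE (128u + 4u)     /* 128-byte ICC header + tag count */
#define USER_CHUNK_MALLOC_MAX 8000000u  /* assumed default; 0 = no limit (assumption) */

enum iccp_status { ICCP_OK = 0, ICCP_TRUNCATED, ICCP_TOO_SMALL, ICCP_TOO_LARGE, ICCP_NOMEM };

/* Size of the last malloc request, so the two strategies can be compared. */
size_t g_last_alloc_request;
static void *tracked_malloc(size_t n) { g_last_alloc_request = n; return malloc(n); }

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Validate the declared profile length without allocating anything. */
enum iccp_status iccp_check_length(const uint8_t *decomp, size_t avail,
                                   uint32_t limit, uint32_t *out_len)
{
    if (avail < 4) return ICCP_TRUNCATED;
    *out_len = be32(decomp);
    if (*out_len < ICC_MIN_PROFILE) return ICCP_TOO_SMALL;
    if (limit != 0 && *out_len > limit) return ICCP_TOO_LARGE;
    return ICCP_OK;
}

/* Fixed strategy: reject first, allocate only a validated size. */
enum iccp_status iccp_read_fixed(const uint8_t *decomp, size_t avail,
                                 uint32_t limit, uint8_t **out)
{
    uint32_t len = 0;
    enum iccp_status st = iccp_check_length(decomp, avail, limit, &len);
    g_last_alloc_request = 0;
    *out = NULL;
    if (st != ICCP_OK) return st;
    if (avail < len) return ICCP_TRUNCATED;
    *out = tracked_malloc(len);
    if (*out == NULL) return ICCP_NOMEM;
    memcpy(*out, decomp, len);
    return ICCP_OK;
}

/* Legacy strategy (the 'before' in the commit message): allocate the size the
 * header claims, then enforce the limit while copying.  Nothing is written past
 * the limit, but the header-sized allocation has already been requested. */
enum iccp_status iccp_read_legacy(const uint8_t *decomp, size_t avail,
                                  uint32_t limit, uint8_t **out)
{
    uint32_t len, done = 0;
    uint8_t *buf;
    g_last_alloc_request = 0;
    *out = NULL;
    if (avail < 4) return ICCP_TRUNCATED;
    len = be32(decomp);
    if (len < ICC_MIN_PROFILE) return ICCP_TOO_SMALL;
    buf = tracked_malloc(len);                  /* size comes straight from the header */
    if (buf == NULL) return ICCP_NOMEM;
    while (done < len) {                        /* copy in 512-byte "reads" */
        uint32_t chunk = (len - done < 512u) ? len - done : 512u;
        if (limit != 0 && done + chunk > limit) { free(buf); return ICCP_TOO_LARGE; }
        if (avail - done < chunk) { free(buf); return ICCP_TRUNCATED; }
        memcpy(buf + done, decomp + done, chunk);
        done += chunk;
    }
    *out = buf;
    return ICCP_OK;
}

/* Constructed (not real) decompressed profile: zero-filled, with the declared
 * size in the header.  The stream is capped at 8 KiB so a huge declared size
 * still yields a small input, as a truncated or malicious iCCP would. */
static uint8_t g_stream[8192];
static enum iccp_status run_scenario(int legacy, uint32_t declared, uint32_t limit, size_t *req)
{
    size_t avail = declared < sizeof g_stream ? declared : sizeof g_stream;
    uint8_t *out = NULL;
    enum iccp_status st;
    memset(g_stream, 0, sizeof g_stream);
    if (avail < 4) avail = 4;
    g_stream[0] = (uint8_t)(declared >> 24); g_stream[1] = (uint8_t)(declared >> 16);
    g_stream[2] = (uint8_t)(declared >> 8);  g_stream[3] = (uint8_t)declared;
    st = legacy ? iccp_read_legacy(g_stream, avail, limit, &out)
                : iccp_read_fixed(g_stream, avail, limit, &out);
    free(out);
    *req = g_last_alloc_request;
    return st;
}
int demo_status(int legacy, uint32_t declared, uint32_t limit)
{ size_t r; return (int)run_scenario(legacy, declared, limit, &r); }
size_t demo_alloc_request(int legacy, uint32_t declared, uint32_t limit)
{ size_t r; run_scenario(legacy, declared, limit, &r); return r; }

int main(void)
{
    /* The legacy path is deliberately not run with 2^32-4: that request is the
     * 32-bit address-space reservation the commit removes. */
    printf("legacy 5000/limit 1000: status %d, requested %zu bytes\n",
           demo_status(1, 5000, 1000), demo_alloc_request(1, 5000, 1000));
    printf("fixed  5000/limit 1000: status %d, requested %zu bytes\n",
           demo_status(0, 5000, 1000), demo_alloc_request(0, 5000, 1000));
    printf("fixed  2^32-4 header:   status %d, requested %zu bytes\n",
           demo_status(0, 0xFFFFFFFCu, USER_CHUNK_MALLOC_MAX),
           demo_alloc_request(0, 0xFFFFFFFCu, USER_CHUNK_MALLOC_MAX));
    return 0;
}
```

With a header declaring 5000 bytes and a 1000-byte limit, the legacy reader requests all 5000 bytes and only then discovers the overrun during the second read, while the fixed reader requests nothing. With a header declaring 2^32-4 bytes the fixed reader again rejects before allocating; the legacy path would have asked the allocator for almost the whole 32-bit address space first.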


@@ -1,4 +1,4 @@
Libpng 1.6.25beta01 - August 4, 2016
Libpng 1.6.25beta01 - August 10, 2016
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
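Review bot: only the date on the first line moves (August 4 to August 10) and the 1.6.25beta01 label is kept, which is consistent with the "This is not intended to be a public release" text that follows; since the same date is repeated by hand in the Changes heading further down this file, both edits belong together in this patch, as they are here, and any later date bump has to touch both lines.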
@@ -25,7 +25,9 @@ Other information:
Changes since the last public release (1.6.24):
Version 1.6.25beta01 [August 4, 2016]
Version 1.6.25beta01 [August 10, 2016]
Reject oversized iCCP profile immediately.
Clean up PNG_DEBUG compile of pngtest.c.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
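Review bot: the new Changes line "Reject oversized iCCP profile immediately." drops the two details a reader of the announcement needs: which limit the profile is checked against and why it matters. The commit message is explicit that the length is now validated against the user chunk limit before the buffer is allocated, that the old code allocated a buffer of the size given in the profile header, and that this only matters on 32-bit systems where a valid profile can declare up to 2^32-4 bytes; suggest carrying that into the entry, for example "Reject oversized iCCP profile (larger than the user chunk limit) before allocating its buffer; avoids transient address-space exhaustion on 32-bit systems." Neither the entry nor the commit message says whether the rejection is reported as a chunk error or a warning, so that should be stated wherever the behaviour is documented.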