From c508081afc6ae045def733ac4c540b9964debed8 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Sat, 23 Oct 2010 08:26:26 -0500 Subject: [PATCH] [devel] Require 48 bytes, not 64 bytes, for big_row_buf in overflow checks. Also removed two obsolete comments from png.c --- ANNOUNCE | 7 ++++--- CHANGES | 3 ++- png.c | 12 ++++-------- pngset.c | 2 +- 4 files changed, 11 insertions(+), 13 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 2a8157c64..b30d4f16e 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.5.0beta54 - October 18, 2010 +Libpng 1.5.0beta54 - October 23, 2010 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -226,7 +226,7 @@ version 1.5.0beta24 [May 7, 2010] offset of the png_ptr->rowbuf pointer into png_ptr->big_row_buf. Added more blank lines for readability. -version 1.5.0beta25 [October 18, 2010] +version 1.5.0beta25 [October 23, 2010] In pngpread.c: png_push_have_row() add check for new_row > height Removed the now-redundant check for out-of-bounds new_row from example.c @@ -432,7 +432,8 @@ Version 1.5.0beta53 [October 18, 2010] Revised and renamed the typedef in png.h and png.c that was designed to catch library and header mismatch. -Version 1.5.0beta54 [October 18, 2010] +Version 1.5.0beta54 [October 23, 2010] + Require 48 bytes, not 64 bytes, for big_row_buf in overflow checks. Send comments/corrections/commendations to png-mng-implement at lists.sf.net: (subscription required; visit diff --git a/CHANGES b/CHANGES index aa3d3736d..692228859 100644 --- a/CHANGES +++ b/CHANGES 
@@ -3070,7 +3070,8 @@ Version 1.5.0beta53 [October 18, 2010] Revised and renamed the typedef in png.h and png.c that was designed to catch library and header mismatch. -Version 1.5.0beta54 [October 18, 2010] +Version 1.5.0beta54 [October 23, 2010] + Require 48 bytes, not 64 bytes, for big_row_buf in overflow checks. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/png.c b/png.c index 301ea7465..e4d14671a 100644 --- a/png.c +++ b/png.c @@ -16,10 +16,6 @@ /* Generate a compiler error if there is an old png.h in the search path. */ typedef png_libpng_version_1_5_0beta54 Your_png_h_is_not_version_1_5_0beta54; -/* Version information for C files. This had better match the version - * string defined in png.h. - */ - /* Tells libpng that we have already handled the first "num_bytes" bytes * of the PNG file signature. If the PNG data is embedded into another * stream we can set num_bytes = 8 so that libpng will not attempt to read @@ -72,7 +68,7 @@ png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check) #endif /* PNG_READ_SUPPORTED */ #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) -/* Function to allocate memory for zlib and clear it to 0. */ +/* Function to allocate memory for zlib */ PNG_FUNCTION(voidpf /* PRIVATE */, png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED) { 
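Review bot: The rewritten comment above png_zalloc (png.c hunk at -72,7) no longer says anything about the contents of the returned memory, where the old text promised it was cleared to 0. If the body, which lies outside this hunk, really has stopped clearing the allocation, the comment should say so explicitly, because anyone auditing for reads of uninitialised memory will look here first: `/* Function to allocate memory for zlib; the returned memory is not cleared. */`. If the body bounds the product of `items` and `size`, that is worth a clause in the same comment.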
@@ -560,13 +556,13 @@ png_get_copyright(png_structp png_ptr) #else # ifdef __STDC__ return PNG_STRING_NEWLINE \ - "libpng version 1.5.0beta54 - October 18, 2010" PNG_STRING_NEWLINE \ + "libpng version 1.5.0beta54 - October 23, 2010" PNG_STRING_NEWLINE \ "Copyright (c) 1998-2010 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \ "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ PNG_STRING_NEWLINE; # else - return "libpng version 1.5.0beta54 - October 18, 2010\ + return "libpng version 1.5.0beta54 - October 23, 2010\ Copyright (c) 1998-2010 Glenn Randers-Pehrson\ Copyright (c) 1996-1997 Andreas Dilger\ Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."; @@ -802,7 +798,7 @@ png_check_IHDR(png_structp png_ptr, if (width > (PNG_UINT_32_MAX >> 3) /* 8-byte RGBA pixels */ - - 64 /* bigrowbuf hack */ + - 48 /* bigrowbuf hack */ - 1 /* filter byte */ - 7*8 /* rounding of width to multiple of 8 pixels */ - 8) /* extra max_pixel_depth pad */ diff --git a/pngset.c b/pngset.c index 09687786c..18c090536 100644 --- a/pngset.c +++ b/pngset.c @@ -203,7 +203,7 @@ png_set_IHDR(png_structp png_ptr, png_infop info_ptr, /* Check for potential overflow */ if (width > (PNG_UINT_32_MAX >> 3) /* 8-byte RRGGBBAA pixels */ - - 64 /* bigrowbuf hack */ + - 48 /* bigrowbuf hack */ - 1 /* filter byte */ - 7*8 /* rounding of width to multiple of 8 pixels */ - 8) /* extra max_pixel_depth pad */
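Review bot: The `- 48 /* bigrowbuf hack */` term in png_check_IHDR (png.c hunk at -802,7) is a bare literal that has to equal the padding actually added where big_row_buf is allocated, and that allocation is not part of this diff, so the relaxation from 64 cannot be confirmed from here. If any allocation path still pads by 64, the widths newly accepted by this check would no longer be covered by the overflow guard. The same literal is repeated in the png_set_IHDR hunk in pngset.c; a single named constant shared by both checks and the allocation (for example a new `#define PNG_BIG_ROW_BUF_PAD 48`, name open) would keep the three from drifting, with the comment changed to something like `/* padding added to big_row_buf at allocation */`. Both conditions continue outside their hunks.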