From ca76407b75e648a1d62fa65dd39a2d165a487a56 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Thu, 29 Dec 2016 07:48:30 -0600
Subject: [PATCH] [libpng15] Fixed a potential null pointer dereference in
 png_set_text_2()

(bug report and patch by Patrick Keshishian)
---
 ANNOUNCE | 2 ++
 CHANGES  | 2 ++
 png.c    | 1 +
 3 files changed, 5 insertions(+)

diff --git a/ANNOUNCE b/ANNOUNCE
index 569c60c6d..a16412ee2 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -49,6 +49,8 @@ Changes since the last public release (1.5.27):
     Since signed overflow is undefined in C90 the code has been modified to
     correctly calculate a signed result.  This requires changing the 'hi'
     result parameter to a signed value.
+  Fixed a potential null pointer dereference in png_set_text_2() (bug report
+    and patch by Patrick Keshishian)
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 877e07f5f..dfb660a8b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4528,6 +4528,8 @@ version 1.5.28rc01 [December 27, 2016]
     ensure that it is correct.
 
 version 1.5.28 [December 29, 2016]
+  Fixed a potential null pointer dereference in png_set_text_2() (bug report
+    and patch by Patrick Keshishian).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/png.c b/png.c
index 916eab4c8..26c455640 100644
--- a/png.c
+++ b/png.c
@@ -369,6 +369,7 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
          png_free(png_ptr, info_ptr->text);
          info_ptr->text = NULL;
          info_ptr->num_text = 0;
+         info_ptr->max_text = 0;
       }
    }
 #endif