[libpng16] Still another attempt to fix oss-fuzz uninitialized value

png.c

@@ -2208,15 +2208,18 @@ png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
    png_uint_32 tag_count = png_get_uint_32(profile+128);
    png_uint_32 itag;
    png_const_bytep tag = profile+132; /* The first tag */
+   png_uint_32 tag_start = 0;
+   png_uint_32 tag_id = 0;
+   png_uint_32 tag_length = 0;
 
    /* First scan all the tags in the table and add bits to the icc_info value
     * (temporarily in 'tags').
     */
    for (itag=0; itag < tag_count; ++itag, tag += 12)
    {
-      png_uint_32 tag_id = png_get_uint_32(tag+0);
+      tag_id = png_get_uint_32(tag+0);
-      png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
+      tag_length = png_get_uint_32(tag+8);/* not padded */
-      png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
+      tag_start = png_get_uint_32(tag+4); /* must be aligned */
 
       /* The ICC specification does not exclude zero length tags, therefore the
        * start might actually be anywhere if there is no data, but this would be
@@ -2226,7 +2229,7 @@ png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
        */
 
       /* This is a hard error; potentially it can cause read outside the
-       * profile.  Oss-fuzz detects a potential UMR in tag_start reference.
+       * profile.
        */
       if (tag_start > profile_length || tag_length > profile_length - tag_start)
          return png_icc_profile_error(png_ptr, colorspace, name, tag_id,

pngset.c

@@ -881,7 +881,7 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
       }
 #  endif
 
-      /* oss-fuzz detects a potential UMR here */
+      /* oss-fuzz detects potential use of uninitialized value  here */
       if (text_ptr[i].text == NULL || text_ptr[i].text[0] == '\0')
       {
          text_length = 0;