From f14d5fcd1efec749d0137162efbee6013757494b Mon Sep 17 00:00:00 2001
From: John Bowler <jbowler@acm.org>
Date: Thu, 10 Oct 2024 08:40:41 -0700
Subject: [PATCH] [libpng16] fix: Correct the function `png_fp_sub` in png.c

The code erroneously evaluated `addend0+addend1` in the case where
`addend1` is less than zero.  The function is meant to subtract the
second argument from the first.

This is a cherry-pick of commit 79fd6d1edc8fe8c41ed58c6318bd57761d8f007e
from branch 'libpng18'.

Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
---
 png.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/png.c b/png.c
index 8a1e2a451..240db5ab9 100644
--- a/png.c
+++ b/png.c
@@ -1241,7 +1241,7 @@ png_fp_sub(png_int_32 addend0, png_int_32 addend1, int *error)
    else if (addend1 < 0)
    {
       if (0x7fffffff + addend1 >= addend0)
-         return addend0+addend1;
+         return addend0-addend1;
    }
    else
       return addend0;