diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c --- libpng-1.2.5/pngrutil.c Thu Oct 3 06:32:30 2002 +++ libpng-1.2.5patch08/pngrutil.c Fri Jul 23 19:02:48 2004 @@ -1154,8 +1154,18 @@ } new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++)