http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660026
http://src.chromium.org/viewvc/chrome/branches/963/src/third_party/libpng/pngrutil.c?r1=121492&r2=121491&pathrev=121492

Check for both truncation (64-bit platforms) and integer overflow.

--- a/pngrutil.c	2012-02-01 16:00:34.000000000 +1100
+++ b/pngrutil.c	2012-02-16 09:05:45.000000000 +1100
@@ -457,8 +457,16 @@ png_decompress_chunk(png_structp png_ptr
       {
          /* Success (maybe) - really uncompress the chunk. */
          png_size_t new_size = 0;
-         png_charp text = (png_charp)png_malloc_warn(png_ptr,
-             prefix_size + expanded_size + 1);
+         png_charp text = NULL;
+         /* Need to check for both truncation (64-bit platforms) and integer
+          * overflow.
+          */
+         if (prefix_size + expanded_size > prefix_size &&
+             prefix_size + expanded_size < 0xffffffffU)
+         {
+            png_charp text = (png_charp)png_malloc_warn(png_ptr,
+                prefix_size + expanded_size + 1);
+         }
 
          if (text != NULL)
          {