http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660026
http://src.chromium.org/viewvc/chrome/branches/963/src/third_party/libpng/pngrutil.c?r1=121492&r2=121491&pathrev=121492
Check for both truncation (64-bit platforms) and integer overflow.
--- a/pngrutil.c 2012-02-01 16:00:34.000000000 +1100
+++ b/pngrutil.c 2012-02-16 09:05:45.000000000 +1100
@@ -457,8 +457,16 @@ png_decompress_chunk(png_structp png_ptr
 {
    /* Success (maybe) - really uncompress the chunk. */
    png_size_t new_size = 0;
-   png_charp text = (png_charp)png_malloc_warn(png_ptr,
-       prefix_size + expanded_size + 1);
+   png_charp text = NULL;
+   /* Need to check for both truncation (64-bit platforms) and integer
+    * overflow.
+    */
+   if (prefix_size + expanded_size > prefix_size &&
+       prefix_size + expanded_size < 0xffffffffU)
+   {
+      png_charp text = (png_charp)png_malloc_warn(png_ptr,
+          prefix_size + expanded_size + 1);
+   }
 
    if (text != NULL)
    {
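Review bot: The added `png_charp text = (png_charp)png_malloc_warn(...)` inside the new `if` block declares a second `text` that shadows the outer `png_charp text = NULL;`, so the outer variable is never assigned and the following `if (text != NULL)` branch can never be taken — every in-range chunk is then handled as if the allocation had failed, and `-Wshadow` would flag it. The assignment should target the existing variable: `text = (png_charp)png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);`. The guard `prefix_size + expanded_size > prefix_size` also rejects `expanded_size == 0`, which the removed code accepted; if an empty decompressed payload is reachable here (the caller is outside the hunk), `>=` keeps the wraparound check while preserving that case, since a wrapped sum with a non-zero `expanded_size` is always strictly below `prefix_size`. The enclosing png_decompress_chunk begins before this hunk and continues after it.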