From 019a561261746073864f193e4ad79731d799f887 Mon Sep 17 00:00:00 2001
From: Benjamin Smedberg
Date: Wed, 15 Feb 2012 19:01:21 -0800
Subject: [PATCH] Bug 727401 - import libpng overflow patch from http://codereview.chromium.org/9363013 r=joe, a=akeybl CLOSED TREE

--HG--
branch : GECKO1001_2012020805_RELBRANCH
extra : transplant_source : %BDa%1A1%15%B0%D1%D2J%CF-j%C2%9D%84%7C%18%AF%B5%C4
---
 media/libpng/pngrutil.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/media/libpng/pngrutil.c b/media/libpng/pngrutil.c
index 85386f2ad560..1f7af96df6dd 100644
--- a/media/libpng/pngrutil.c
+++ b/media/libpng/pngrutil.c
@@ -401,8 +401,15 @@ png_decompress_chunk(png_structp png_ptr, int comp_type,
 {
 /* Success (maybe) - really uncompress the chunk. */
 png_size_t new_size = 0;
- png_charp text = png_malloc_warn(png_ptr,
- prefix_size + expanded_size + 1);
+ png_charp text = NULL;
+ /* Need to check for both truncation (64-bit platforms) and integer
+ * overflow.
+ */
+ if (prefix_size + expanded_size > prefix_size &&
+ prefix_size + expanded_size < 0xffffffffU)
+ {
+ text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
+ }
 if (text != NULL)
 {