3 @@ -339,15 +339,18 @@ png_decompress_chunk(png_structp png_ptr
4 /* Now check the limits on this chunk - if the limit fails the
5 * compressed data will be removed, the prefix will remain.
7 + if (prefix_size >= (~(png_size_t)0) - 1 ||
8 + expanded_size >= (~(png_size_t)0) - 1 - prefix_size
9 #ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
10 - if (png_ptr->user_chunk_malloc_max &&
11 + || (png_ptr->user_chunk_malloc_max &&
12 (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
14 # ifdef PNG_USER_CHUNK_MALLOC_MAX
15 - if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
16 + || ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
17 prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
21 png_warning(png_ptr, "Exceeded size limit while expanding chunk");
23 /* If the size is zero either there was an error and a message
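Review bot: The `prefix_size + expanded_size` sums in the `user_chunk_malloc_max` and `PNG_USER_CHUNK_MALLOC_MAX` clauses cannot wrap only because the two new `png_size_t` overflow tests precede them in the `||` chain and short-circuit, and the comment above the `if` does not say so. I would add a line to that comment, e.g. `/* The size_t overflow tests must stay first; the limit sums below rely on them. */`, so a later reordering does not quietly bring the wrap back. The same guard also keeps `prefix_size + expanded_size + 1` in the `png_malloc_warn` call of the following hunk from wrapping into an undersized buffer, so a short comment at that call is worth adding too. As a style point, `(~(png_size_t)0)` is written out twice; a named maximum (`PNG_SIZE_MAX`, if this branch defines it) would make the bound easier to read. The body of `png_decompress_chunk` starts and ends outside this hunk, so how `expanded_size` is computed and how `text` is checked are not visible here.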
24 @@ -355,14 +358,11 @@ png_decompress_chunk(png_structp png_ptr
25 * and we have nothing to do - the code will exit through the
28 -#if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \
29 - defined(PNG_USER_CHUNK_MALLOC_MAX)
32 - if (expanded_size > 0)
33 + else if (expanded_size > 0)
35 /* Success (maybe) - really uncompress the chunk. */
36 png_size_t new_size = 0;
38 png_charp text = png_malloc_warn(png_ptr,
39 prefix_size + expanded_size + 1);