[libpng12] Issue a png_error() instead of a png_warning() when width is

potentially too large for the architecture, in case the calling
application has overridden the default 1,000,000-column limit
(fixes CVE-2014-9495 and CVE-2015-0973).

ANNOUNCE

@@ -44,6 +44,10 @@ Other information:
 Changes since the last public release (1.2.52):
 
 version 1.2.53beta01 [RDATE%]
+  Issue a png_error() instead of a png_warning() when width is
+    potentially too large for the architecture, in case the calling
+    application has overridden the default 1,000,000-column limit
+    (fixes CVE-2014-9495 and CVE-2015-0973).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -2829,6 +2829,10 @@ version 1.0.62 and 1.2.52 [November 20, 2014]
   No changes.
 
 version 1.2.53beta01 [RDATE%]
+  Issue a png_error() instead of a png_warning() when width is
+    potentially too large for the architecture, in case the calling
+    application has overridden the default 1,000,000-column limit
+    (fixes CVE-2014-9495 and CVE-2015-0973).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

pngset.c

@@ -263,7 +263,10 @@ png_set_IHDR(png_structp png_ptr, png_infop info_ptr,
                  - 1        /* filter byte */
                  - 7*8      /* rounding of width to multiple of 8 pixels */
                  - 8)       /* extra max_pixel_depth pad */
+   {
       info_ptr->rowbytes = (png_size_t)0;
+      png_error(png_ptr, "Image width is too large for this architecture");
+   }
    else
       info_ptr->rowbytes = PNG_ROWBYTES(info_ptr->pixel_depth, width);
 }