From d13542a3ee9e782c58940cd5b0d375cc6bab55a2 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Tue, 7 Jun 2011 15:35:48 -0500
Subject: [PATCH] [legacy] Check for up->location !PNG_AFTER_IDAT when writing unknown chunks before IDAT.
---
 ANNOUNCE | 2 ++
 CHANGES | 2 ++
 pngwrite.c | 1 +
 3 files changed, 5 insertions(+)
diff --git a/ANNOUNCE b/ANNOUNCE
index 38e1efa1..ba2ff6f5 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -108,6 +108,8 @@ version 1.2.45beta01 [June 7, 2011]
 report by Frank Busse, related to CVE-2004-0421). Pass "" instead of '\0' to png_default_error() in png_err(). This mistake was introduced in libpng-1.2.20beta01.
+ Check for up->location !PNG_AFTER_IDAT when writing unknown chunks
+ before IDAT.
 (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/CHANGES b/CHANGES
index b083de6b..545fe26f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2709,6 +2709,8 @@ version 1.2.45beta01 [June 7, 2011]
 report by Frank Busse, related to CVE-2004-0421). Pass "" instead of '\0' to png_default_error() in png_err(). This mistake was introduced in libpng-1.2.20beta01.
+ Check for up->location !PNG_AFTER_IDAT when writing unknown chunks
+ before IDAT.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/pngwrite.c b/pngwrite.c
index e411e816..ec7f5b29 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -295,6 +295,7 @@ png_write_info(png_structp png_ptr, png_infop info_ptr)
 if (keep != PNG_HANDLE_CHUNK_NEVER && up->location && (up->location & PNG_HAVE_PLTE) && !(up->location & PNG_HAVE_IDAT) &&
+ !(up->location & PNG_AFTER_IDAT) &&
 ((up->name[3] & 0x20) || keep == PNG_HANDLE_CHUNK_ALWAYS || (png_ptr->flags & PNG_FLAG_KEEP_UNSAFE_CHUNKS))) {
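Review bot: The added `!(up->location & PNG_AFTER_IDAT) &&` test in the pngwrite.c hunk has no comment saying why a chunk that carries PNG_HAVE_PLTE can also carry PNG_AFTER_IDAT, so the next reader cannot tell that `location` is treated as a multi-bit mask rather than a single position value. I would fold it into the preceding test as `!(up->location & (PNG_HAVE_IDAT | PNG_AFTER_IDAT)) &&` and put `/* location is a bit mask; skip anything also marked at or after IDAT */` above the condition. The mask is presumably set by the application or carried over from a decoded file, so any other place in pngwrite.c that selects unknown chunks by location probably needs the same exclusion; only this one site is visible in the patch. png_write_info's body starts and ends outside the hunk.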