[legacy] Check for sCAL chunk too short.

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.2.45beta03 - June 8, 2011
+Libpng 1.2.45beta03 - June 18, 2011
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -113,8 +113,9 @@ version 1.2.45beta01 [June 7, 2011]
   Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image,
     always expand to RGBA if transparency is present.
 
-version 1.2.45beta02 [June 8, 2011]
+version 1.2.45beta02 [June 18, 2011]
   Check for integer overflow in png_set_rgb_to_gray().
+  Check for sCAL chunk too short.
 
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement

CHANGES

@@ -2714,8 +2714,9 @@ version 1.2.45beta01 [June 7, 2011]
   Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image,
     always expand to RGBA if transparency is present.
 
-version 1.2.45beta02 [June 8, 2011]
+version 1.2.45beta02 [June 18, 2011]
   Check for integer overflow in png_set_rgb_to_gray().
+  Check for sCAL chunk too short.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

pngrutil.c

@@ -1812,6 +1812,14 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
       return;
    }
 
+   /* Need unit type, width, \0, height: minimum 4 bytes */
+   else if (length < 4)
+   {
+      png_warning(png_ptr, "sCAL chunk too short");
+      png_crc_finish(png_ptr, length);
+      return;
+   }
+
    png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)",
       length + 1);
    png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);