openpkg-packages/qt/qt.patch

Index: configure
--- configure.orig	2004-06-14 11:18:55 +0200
+++ configure	2004-08-11 16:13:39 +0200
@@ -1782,21 +1782,6 @@
 	    CFG_FREETYPE=yes
 	fi
     fi
-    # add freetype2 include path
-    if [ "$CFG_FREETYPE" = "yes" ] && [ -f $outpath/config.tests/x11/xft.inc ];then
-	QMAKE_VARS="$QMAKE_VARS \"INCLUDEPATH+=`cat $outpath/config.tests/x11/xft.inc`\""
-    fi
-    rm -f $outpath/config.tests/x11/xft.inc
-    # add Xft specific libraries
-    if [ "$CFG_FREETYPE" = "yes" ] && [ -f $outpath/config.tests/x11/xft.lib ]; then
-	QMAKE_VARS="$QMAKE_VARS \"QMAKE_LIBS_X11=`cat $outpath/config.tests/x11/xft.lib` \$\$QMAKE_LIBS_X11\""
-    fi
-    rm -f $outpath/config.tests/x11/xft.lib
-    # add Xft specific config options
-    if [ "$CFG_FREETYPE" = "yes" ] && [ -f $outpath/config.tests/x11/xft.cfg ]; then
-	QMAKE_CONFIG="$QMAKE_CONFIG `cat $outpath/config.tests/x11/xft.cfg`"
-    fi
-    rm -f $outpath/config.tests/x11/xft.cfg
     # auto-detect Session Management support
     if [ "$CFG_SM" = "auto" ]; then
 	if $x11tests/sm.test $XQMAKESPEC $OPT_VERBOSE $L_FLAGS $I_FLAGS; then
@@ -2926,6 +2911,21 @@
     if [ "$CFG_XKB" = "yes" ]; then
         QMAKE_CONFIG="$QMAKE_CONFIG xkb"
     fi
+    # add freetype2 include path
+    if [ "$CFG_FREETYPE" = "yes" ] && [ -f $outpath/config.tests/x11/xft.inc ];then
+	QMAKE_VARS="$QMAKE_VARS \"INCLUDEPATH+=`cat $outpath/config.tests/x11/xft.inc`\""
+    fi
+    rm -f $outpath/config.tests/x11/xft.inc
+    # add Xft specific libraries
+    if [ "$CFG_FREETYPE" = "yes" ] && [ -f $outpath/config.tests/x11/xft.lib ]; then
+	QMAKE_VARS="$QMAKE_VARS \"QMAKE_LIBS_X11=`cat $outpath/config.tests/x11/xft.lib` \$\$QMAKE_LIBS_X11\""
+    fi
+    rm -f $outpath/config.tests/x11/xft.lib
+    # add Xft specific config options
+    if [ "$CFG_FREETYPE" = "yes" ] && [ -f $outpath/config.tests/x11/xft.cfg ]; then
+	QMAKE_CONFIG="$QMAKE_CONFIG `cat $outpath/config.tests/x11/xft.cfg`"
+    fi
+    rm -f $outpath/config.tests/x11/xft.cfg
 elif [ "$PLATFORM_MAC" = "yes" ]; then
     if [ "$CFG_TABLET" = "yes" ]; then
 	QMAKE_CONFIG="$QMAKE_CONFIG tablet"
Index: config.test/x11/xfreetype.test
--- config.tests/x11/xfreetype.test.orig	2003-12-08 10:04:06 +0100
+++ config.tests/x11/xfreetype.test	2004-08-11 16:14:43 +0200
@@ -56,7 +56,7 @@
     XFT=no
     [ "$VERBOSE" = "yes" ] && echo "  Could not find Xft lib anywhere in $LIBDIRS"
 fi
-LIBXFT="-l$F -lfreetype"
+LIBXFT="-l$F -lfontconfig -lexpat -lfreetype"
 
 # check for X11/Xft/Xft.h
 XFT_H=
@@ -90,7 +90,7 @@
     [ "$VERBOSE" = "yes" ] && echo "  Found Xft version $XFT_MAJOR.$XFT_MINOR.$XFT_REVISION"
     if [ "$XFT_MAJOR" = "2" ]; then
         XFT2=yes
-	LIBXFT="$LIBXFT -lfontconfig"
+	LIBXFT="$LIBXFT"
     fi
 fi
 
Index: src/3rdparty/libpng/pngconf.h
--- src/3rdparty/libpng/pngconf.h.orig	2003-05-27 17:19:23 +0200
+++ src/3rdparty/libpng/pngconf.h	2004-08-11 16:18:06 +0200
@@ -251,10 +251,6 @@
 #      define PNG_SAVE_BSD_SOURCE
 #      undef _BSD_SOURCE
 #    endif
-#    ifdef _SETJMP_H
-      __png.h__ already includes setjmp.h;
-      __dont__ include it again.;
-#    endif
 #  endif /* __linux__ */
 
    /* include setjmp.h for error handling */
Index: src/3rdparty/libpng/pngerror.c
--- src/3rdparty/libpng/pngerror.c.orig	2003-05-27 17:19:23 +0200
+++ src/3rdparty/libpng/pngerror.c	2004-08-11 16:19:27 +0200
@@ -135,10 +135,13 @@
       buffer[iout] = 0;
    else
    {
+      png_size_t len;
+      if ((len = png_strlen(error_message)) > 63)
+          len = 63;
       buffer[iout++] = ':';
       buffer[iout++] = ' ';
-      png_memcpy(buffer+iout, error_message, 64);
-      buffer[iout+63] = 0;
+      png_memcpy(buffer+iout, error_message, len);
+      buffer[iout+len] = 0;
    }
 }
 
Index: src/3rdparty/libpng/pngrtran.c
--- src/3rdparty/libpng/pngrtran.c.orig	2003-05-27 17:19:23 +0200
+++ src/3rdparty/libpng/pngrtran.c	2004-08-11 16:26:04 +0200
@@ -1889,8 +1889,8 @@
          /* This changes the data from GG to GGXX */
          if (flags & PNG_FLAG_FILLER_AFTER)
          {
-            png_bytep sp = row + (png_size_t)row_width;
-            png_bytep dp = sp  + (png_size_t)row_width;
+            png_bytep sp = row + (png_size_t)row_width * 2;
+            png_bytep dp = sp  + (png_size_t)row_width * 2;
             for (i = 1; i < row_width; i++)
             {
                *(--dp) = hi_filler;
@@ -1907,8 +1907,8 @@
          /* This changes the data from GG to XXGG */
          else
          {
-            png_bytep sp = row + (png_size_t)row_width;
-            png_bytep dp = sp  + (png_size_t)row_width;
+            png_bytep sp = row + (png_size_t)row_width * 2;
+            png_bytep dp = sp  + (png_size_t)row_width * 2;
             for (i = 0; i < row_width; i++)
             {
                *(--dp) = *(--sp);
@@ -1965,8 +1965,8 @@
          /* This changes the data from RRGGBB to RRGGBBXX */
          if (flags & PNG_FLAG_FILLER_AFTER)
          {
-            png_bytep sp = row + (png_size_t)row_width * 3;
-            png_bytep dp = sp  + (png_size_t)row_width;
+            png_bytep sp = row + (png_size_t)row_width * 6;
+            png_bytep dp = sp  + (png_size_t)row_width * 2;
             for (i = 1; i < row_width; i++)
             {
                *(--dp) = hi_filler;
@@ -1987,8 +1987,8 @@
          /* This changes the data from RRGGBB to XXRRGGBB */
          else
          {
-            png_bytep sp = row + (png_size_t)row_width * 3;
-            png_bytep dp = sp  + (png_size_t)row_width;
+            png_bytep sp = row + (png_size_t)row_width * 6;
+            png_bytep dp = sp  + (png_size_t)row_width * 2;
             for (i = 0; i < row_width; i++)
             {
                *(--dp) = *(--sp);

http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt

> [Problems discovered and fixed by] Chris Evans
> 
> 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c)
> 2) Dangerous code in png_handle_sBIT (pngrutil.c)
CAN-2004-0597

> 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c)
>    this flaw is duplicated in multiple other locations.
CAN-2004-0598

> 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c)
> 5) Integer overflow in png_read_png (pngread.c)
> 6) Integer overflows during progressive reading.
> 7) Other flaws.  [integer overflows]
CAN-2004-0599

http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt
    Use to patch libpng-1.0.9 through 1.2.5
    This fixes the most dangerous of the newly reported vulnerabilities

Index: src/3rdparty/libpng/pngrutil.c
--- src/3rdparty/libpng/pngrutil.c.orig	2004-08-11 16:29:37 +0200
+++ src/3rdparty/libpng/pngrutil.c	2004-08-11 16:30:11 +0200
@@ -1241,7 +1241,8 @@
          /* Should be an error, but we can cope with it */
          png_warning(png_ptr, "Missing PLTE before tRNS");
       }
-      if (length > (png_uint_32)png_ptr->num_palette)
+      if (length > (png_uint_32)png_ptr->num_palette ||
+          length > PNG_MAX_PALETTE_LENGTH)
       {
          png_warning(png_ptr, "Incorrect tRNS chunk length");
          png_crc_finish(png_ptr, length);

http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt
    Use to patch libpng-1.0.6 through 1.2.5
    This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX,
    and png_get_uint_31(), which are needed by patches 05-08.

Index: src/3rdparty/libpng/png.h
--- src/3rdparty/libpng/png.h.orig	2003-05-27 17:19:23 +0200
+++ src/3rdparty/libpng/png.h	2004-08-11 16:31:06 +0200
@@ -833,7 +833,11 @@
 typedef png_info FAR * FAR * png_infopp;
 
 /* Maximum positive integer used in PNG is (2^31)-1 */
-#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
+#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL)
+#define PNG_UINT_32_MAX (~((png_uint_32)0))
+#define PNG_SIZE_MAX (~((png_size_t)0))
+/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */
+#define PNG_MAX_UINT PNG_UINT_31_MAX
 
 /* These describe the color_type field in png_info. */
 /* color type masks */
@@ -2655,6 +2659,8 @@
 PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf));
 PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf));
 #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */
+PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr,
+  png_bytep buf));
 
 /* Initialize png_ptr struct for reading, and allocate any other memory.
  * (old interface - DEPRECATED - use png_create_read_struct instead).
Index: src/3rdparty/libpng/pngrutil.c
--- src/3rdparty/libpng/pngrutil.c.orig	2004-08-11 16:29:37 +0200
+++ src/3rdparty/libpng/pngrutil.c	2004-08-11 16:32:11 +0200
@@ -38,6 +38,14 @@
 #  endif
 #endif
 
+png_uint_32 /* PRIVATE */
+png_get_uint_31(png_structp png_ptr, png_bytep buf)
+{
+   png_uint_32 i = png_get_uint_32(buf);
+   if (i > PNG_UINT_31_MAX)
+     png_error(png_ptr, "PNG unsigned integer out of range.\n");
+   return (i);
+}
 #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
 png_uint_32 /* PRIVATE */

http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch05-pngpread-chunklength.txt
    Use to patch libpng-1.0.0 through 1.2.5
    Requires one of libpng-patch04*

Index: src/3rdparty/libpng/pngpread.c
--- src/3rdparty/libpng/pngpread.c.orig	2003-05-27 17:19:23 +0200
+++ src/3rdparty/libpng/pngpread.c	2004-08-11 16:34:45 +0200
@@ -208,7 +208,7 @@
       }
 
       png_push_fill_buffer(png_ptr, chunk_length, 4);
-      png_ptr->push_length = png_get_uint_32(chunk_length);
+      png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
       png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
@@ -591,6 +591,11 @@
       png_size_t new_max;
       png_bytep old_buffer;
 
+      if (png_ptr->save_buffer_size > PNG_SIZE_MAX - 
+         (png_ptr->current_buffer_size + 256))
+      {
+        png_error(png_ptr, "Potential overflow of save_buffer");
+      }
       new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
       old_buffer = png_ptr->save_buffer;
       png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr,
@@ -637,8 +642,7 @@
       }
 
       png_push_fill_buffer(png_ptr, chunk_length, 4);
-      png_ptr->push_length = png_get_uint_32(chunk_length);
-
+      png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
       png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;

http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt
    Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5.
    Requires libpng-patch04-*

Index: src/3rdparty/libpng/pngpread.c
--- src/3rdparty/libpng/pngread.c.orig	2003-05-27 17:19:23 +0200
+++ src/3rdparty/libpng/pngread.c	2004-08-11 16:36:04 +0200
@@ -384,7 +384,7 @@
       png_uint_32 length;
 
       png_read_data(png_ptr, chunk_length, 4);
-      length = png_get_uint_32(chunk_length);
+      length = png_get_uint_31(png_ptr,chunk_length);
 
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
@@ -392,9 +392,6 @@
       png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name,
          length);
 
-      if (length > PNG_MAX_UINT)
-         png_error(png_ptr, "Invalid chunk length.");
-
       /* This should be a binary subdivision search or a hash for
        * matching the chunk name rather than a linear search.
        */
@@ -673,10 +670,7 @@
             png_crc_finish(png_ptr, 0);
 
             png_read_data(png_ptr, chunk_length, 4);
-            png_ptr->idat_size = png_get_uint_32(chunk_length);
-
-            if (png_ptr->idat_size > PNG_MAX_UINT)
-              png_error(png_ptr, "Invalid chunk length.");
+            png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length);
 
             png_reset_crc(png_ptr);
             png_crc_read(png_ptr, png_ptr->chunk_name, 4);
@@ -946,16 +940,13 @@
 #endif /* PNG_GLOBAL_ARRAYS */
 
       png_read_data(png_ptr, chunk_length, 4);
-      length = png_get_uint_32(chunk_length);
+      length = png_get_uint_31(png_ptr,chunk_length);
 
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
 
       png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name);
 
-      if (length > PNG_MAX_UINT)
-         png_error(png_ptr, "Invalid chunk length.");
-
       if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4))
          png_handle_IHDR(png_ptr, info_ptr, length);
       else if (!png_memcmp(png_ptr->chunk_name, png_IEND, 4))

http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt
    Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png().
    Requires libpng-patch04-*

Index: src/3rdparty/libpng/pngread.c
--- src/3rdparty/libpng/pngread.c.orig	2004-08-11 16:36:04 +0200
+++ src/3rdparty/libpng/pngread.c	2004-08-11 16:37:39 +0200
@@ -1290,6 +1290,9 @@
     */
    png_read_info(png_ptr, info_ptr);
 
+   if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep))
+      png_error(png_ptr,"Image is too high to process with png_read_png()");
+
    /* -------------- image transformations start here ------------------- */
 
 #if defined(PNG_READ_16_TO_8_SUPPORTED)

http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt
    Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png().
    Requires libpng-patch04-*

The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer)

Index: src/3rdparty/libpng/pngrutil.c
--- src/3rdparty/libpng/pngrutil.c.orig	2004-08-05 15:27:41 +0200
+++ src/3rdparty/libpng/pngrutil.c	2004-08-11 16:38:53 +0200
@@ -1154,8 +1162,18 @@
    }
 
    new_palette.nentries = data_length / entry_size;
-   new_palette.entries = (png_sPLT_entryp)png_malloc(
+   if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry))
+   {
+       png_warning(png_ptr, "sPLT chunk too long");
+       return;
+   }
+   new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
        png_ptr, new_palette.nentries * sizeof(png_sPLT_entry));
+   if (new_palette.entries == NULL)
+   {
+       png_warning(png_ptr, "sPLT chunk requires too much memory");
+       return;
+   }
 
 #ifndef PNG_NO_POINTER_INDEXING
    for (i = 0; i < new_palette.nentries; i++)

http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt
    Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8.
    Libpng-1.0.5 and earlier didn't implement iCCP chunk reading.

Index: src/3rdparty/libpng/pngrutil.c
--- src/3rdparty/libpng/pngrutil.c.orig	2004-08-05 15:27:41 +0200
+++ src/3rdparty/libpng/pngrutil.c	2004-08-11 16:40:46 +0200
@@ -977,8 +985,7 @@
    png_bytep pC;
    png_charp profile;
    png_uint_32 skip = 0;
-   png_uint_32 profile_size = 0;
-   png_uint_32 profile_length = 0;
+   png_uint_32 profile_size, profile_length;
    png_size_t slength, prefix_length, data_length;
 
    png_debug(1, "in png_handle_iCCP\n");

http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt
    Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier.
    No security problem. The bugs are similar to the one fixed in patch
    03, but the only effect is that libpng will fail to detect misplaced
    harmless duplicate chunks.

Index: src/3rdparty/libpng/pngrutil.c
--- src/3rdparty/libpng/pngrutil.c.orig	2004-08-11 16:40:46 +0200
+++ src/3rdparty/libpng/pngrutil.c	2004-08-11 16:42:31 +0200
@@ -587,7 +587,7 @@
       /* Should be an error, but we can cope with it */
       png_warning(png_ptr, "Out of place gAMA chunk");
 
-   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
+   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
 #if defined(PNG_READ_sRGB_SUPPORTED)
       && !(info_ptr->valid & PNG_INFO_sRGB)
 #endif
@@ -668,7 +668,7 @@
       /* Should be an error, but we can cope with it */
       png_warning(png_ptr, "Out of place sBIT chunk");
    }
-   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
+   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
    {
       png_warning(png_ptr, "Duplicate sBIT chunk");
       png_crc_finish(png_ptr, length);
@@ -737,7 +737,7 @@
       /* Should be an error, but we can cope with it */
       png_warning(png_ptr, "Missing PLTE before cHRM");
 
-   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
+   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
 #if defined(PNG_READ_sRGB_SUPPORTED)
       && !(info_ptr->valid & PNG_INFO_sRGB)
 #endif
@@ -899,7 +899,7 @@
       /* Should be an error, but we can cope with it */
       png_warning(png_ptr, "Out of place sRGB chunk");
 
-   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
+   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
    {
       png_warning(png_ptr, "Duplicate sRGB chunk");
       png_crc_finish(png_ptr, length);
@@ -1002,7 +1002,7 @@
       /* Should be an error, but we can cope with it */
       png_warning(png_ptr, "Out of place iCCP chunk");
 
-   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
+   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
    {
       png_warning(png_ptr, "Duplicate iCCP chunk");
       png_crc_finish(png_ptr, length);

This patch from Chris Evans avoids a host of security problems related
to buffer overflows that might occur when processing very large images.
It causes the reader to reject any images claiming to have more rows or
columns the png format supports.

Index: src/3rdparty/libpng/png.h
--- src/3rdparty/libpng/png.h.orig	2004-08-11 16:31:06 +0200
+++ src/3rdparty/libpng/png.h	2004-08-11 16:44:14 +0200
@@ -839,6 +839,9 @@
 /* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */
 #define PNG_MAX_UINT PNG_UINT_31_MAX
 
+/* Constraints on width, height, (2 ^ 24) - 1*/
+#define PNG_MAX_DIMENSION 16777215
+
 /* These describe the color_type field in png_info. */
 /* color type masks */
 #define PNG_COLOR_MASK_PALETTE    1
Index: src/3rdparty/libpng/pngrutil.c
--- src/3rdparty/libpng/pngrutil.c.orig	2004-08-11 16:42:31 +0200
+++ src/3rdparty/libpng/pngrutil.c	2004-08-11 16:45:38 +0200
@@ -355,7 +355,11 @@
    png_crc_finish(png_ptr, 0);
 
    width = png_get_uint_32(buf);
+   if (width > PNG_MAX_DIMENSION)
+      png_error(png_ptr, "Width is too large");
    height = png_get_uint_32(buf + 4);
+   if (height > PNG_MAX_DIMENSION)
+      png_error(png_ptr, "Height is too large");
    bit_depth = buf[8];
    color_type = buf[9];
    compression_type = buf[10];
@@ -680,7 +684,7 @@
    else
       truelen = (png_size_t)png_ptr->channels;
 
-   if (length != truelen)
+   if (length != truelen || length > 4)
    {
       png_warning(png_ptr, "Incorrect sBIT chunk length");
       png_crc_finish(png_ptr, length);
@@ -1415,7 +1419,7 @@
 void /* PRIVATE */
 png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
 {
-   int num, i;
+   unsigned int num, i;
    png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
 
    png_debug(1, "in png_handle_hIST\n");
@@ -1441,8 +1445,8 @@
       return;
    }
 
-   num = (int)length / 2 ;
-   if (num != png_ptr->num_palette)
+   num = length / 2 ;
+   if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH)
    {
       png_warning(png_ptr, "Incorrect hIST chunk length");
       png_crc_finish(png_ptr, length);
@@ -2883,6 +2887,9 @@
                png_read_data(png_ptr, chunk_length, 4);
                png_ptr->idat_size = png_get_uint_32(chunk_length);
 
+               if (png_ptr->idat_size > PNG_MAX_UINT)
+                  png_error(png_ptr, "Invalid chunk length.");
+
                png_reset_crc(png_ptr);
                png_crc_read(png_ptr, png_ptr->chunk_name, 4);
                if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4))