From e2138596ed17444e34d4aacc028486e200cad81f Mon Sep 17 00:00:00 2001
From: dgp <dgp@users.sourceforge.net>
Date: Wed, 23 Sep 2015 21:29:42 +0000
Subject: [c648c8dad1] Repair PNG reader buffer overflow protections that
 prevented read of valid PNG image.

---
 generic/tkImgPNG.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/generic/tkImgPNG.c b/generic/tkImgPNG.c
index 9d0fb30..2ee515b 100644
--- a/generic/tkImgPNG.c
+++ b/generic/tkImgPNG.c
@@ -1847,6 +1847,13 @@ DecodeLine(
     if (UnfilterLine(interp, pngPtr) == TCL_ERROR) {
 	return TCL_ERROR;
     }
+    if (pngPtr->currentLine >= pngPtr->block.height) {
+	Tcl_SetObjResult(interp, Tcl_ObjPrintf(
+		"PNG image data overflow"));
+	Tcl_SetErrorCode(interp, "TK", "IMAGE", "PNG", "DATA_OVERFLOW", NULL);
+	return TCL_ERROR;
+    }
+
 
     if (pngPtr->interlace) {
 	switch (pngPtr->phase) {
@@ -1881,8 +1888,6 @@ DecodeLine(
      * Calculate offset into pixelPtr for the first pixel of the line.
      */
 
-    assert(pngPtr->currentLine < pngPtr->block.height);
-
     offset = pngPtr->currentLine * pngPtr->block.pitch;
 
     /*
@@ -2092,8 +2097,7 @@ ReadIDAT(
      * Process IDAT contents until there is no more in this chunk.
      */
 
-    while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream)
-	    && pngPtr->currentLine < pngPtr->block.height) {
+    while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream)) {
 	int len1, len2;
 
 	/*
-- 
cgit v0.12