From a7faf9f8a33c55adb9081e5a27a31d2eae249638 Mon Sep 17 00:00:00 2001
From: dgp <dgp@users.sourceforge.net>
Date: Fri, 15 May 2015 15:51:20 +0000
Subject: [dece631375] Prevent PNG Reader writing to memory beyond end of photo
 image block.

---
 generic/tkImgPNG.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/generic/tkImgPNG.c b/generic/tkImgPNG.c
index 8146e33..9d0fb30 100644
--- a/generic/tkImgPNG.c
+++ b/generic/tkImgPNG.c
@@ -2092,7 +2092,8 @@ ReadIDAT(
      * Process IDAT contents until there is no more in this chunk.
      */
 
-    while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream)) {
+    while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream)
+	    && pngPtr->currentLine < pngPtr->block.height) {
 	int len1, len2;
 
 	/*
@@ -2178,10 +2179,13 @@ ReadIDAT(
 
 	    /*
 	     * Try to read another line of pixels out of the buffer
-	     * immediately.
+	     * immediately, but don't allow write past end of block.
 	     */
 
-	    goto getNextLine;
+	    if (pngPtr->currentLine < pngPtr->block.height) {
+		goto getNextLine;
+	    }
+
 	}
 
 	/*
-- 
cgit v0.12