Sophie


linkx-2.2-18.mga5.src.rpm

From: http://comments.gmane.org/gmane.comp.graphics.png.devel/4564

From: John Bowler <jbowler@...>
Subject: [jdbaker@...: pkg/44940: links-gui crashes due to libpng fixed-point overflow]

It's two bugs: one, the obvious one, in the two calls to png_set_rgb_to_gray() in dip.c; that should be
*DIVIDED* by 256, not multiplied!

The other is that there is *NO* error handling, no call to setjmp(); so when png_error is called the call
stack ends up destroyed and, apparently, the program dies in create_read_struct_2, right after the
comment that explains why libpng is about to call abort() ;-)

The attached patch fixes both problems, but links will still error out on a png_error (just with an OOM
message, not an abort()).



--- linkx/dip.c.orig	2011-05-11 09:31:06.000000000 -0700
+++ linkx/dip.c	2011-05-11 09:34:07.000000000 -0700
@@ -1436,6 +1436,8 @@
 	
 	png_ptr=png_create_read_struct(PNG_LIBPNG_VER_STRING,
 			NULL, my_png_error, my_png_warning);
+	if (setjmp(png_jmpbuf(png_ptr)))
+	    overalloc(); /* some error detected by libpng */
 	info_ptr=png_create_info_struct(png_ptr);
 	png_set_read_fn(png_ptr,&work,(png_rw_ptr)&read_stored_data);
 	png_read_info(png_ptr, info_ptr);
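Review bot: png_jmpbuf(png_ptr) is evaluated on the new line without first checking that png_create_read_struct() returned non-NULL, so on allocation failure the setjmp dereferences NULL before any error handler is in place; add a `if (!png_ptr) overalloc();` (or whatever failure path this file uses) ahead of the setjmp, and the same check for info_ptr after png_create_info_struct(), which can also return NULL. The placement itself is right: the jump buffer is armed before png_create_info_struct() and png_read_info(), the first calls in this function that can reach png_error(). Because the handler only calls overalloc(), which the covering message says ends the operation rather than returning, no local modified between setjmp() and the longjmp is read afterwards, so nothing here needs to be volatile; if that handler is ever changed to return and clean up, that caveat and a png_destroy_read_struct() call both become necessary.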
@@ -1462,7 +1464,7 @@
 		if (color_type==PNG_COLOR_TYPE_PALETTE){
 			png_set_expand(png_ptr);
 #ifdef HAVE_PNG_SET_RGB_TO_GRAY
-			png_set_rgb_to_gray(png_ptr,1,54.0*256,183.0*256);
+			png_set_rgb_to_gray(png_ptr,1,54.0/256,183.0/256);
 #else
 			goto end;
 #endif
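Review bot: The corrected arguments are the right kind of value, since png_set_rgb_to_gray() takes red and green as fractions of 1.0 that libpng scales by 100000 into a 32-bit png_fixed_point (the old 183.0*256 = 46848 scaled to 4,684,800,000, which does not fit, hence the "fixed-point overflow" in the subject), but they remain bare magic numbers that the RGB call site below repeats verbatim. Define them once, e.g. `#define GRAY_RED (54.0/256)` and `#define GRAY_GREEN (183.0/256)`, so the two call sites cannot drift apart again; a comment noting that 54/256 and 183/256 approximate the ITU-R BT.709 luma weights (0.2126 and 0.7152, blue taken by libpng as the remainder, about 0.074) would also explain where the constants come from.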
@@ -1473,7 +1475,7 @@
 		if (color_type==PNG_COLOR_TYPE_RGB ||
 			color_type==PNG_COLOR_TYPE_RGB_ALPHA){
 #ifdef HAVE_PNG_SET_RGB_TO_GRAY
-			png_set_rgb_to_gray(png_ptr, 1, 54.0*256, 183.0*256);
+			png_set_rgb_to_gray(png_ptr, 1, 54.0/256, 183.0/256);
 #else
 			goto end;
 #endif
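Review bot: This hunk makes exactly the same two-literal change as the palette case above, which is the argument for sharing one definition of the coefficients between the two call sites rather than editing them in parallel. One more thing worth a comment: error_action is 1 in both calls, meaning libpng performs the conversion silently and never reports an image whose RGB channels were already gray, which is acceptable for a viewer but should be stated next to the call so nobody later reads the 1 as a boolean.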
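The fixed-point overflow named in the subject line, worked through as an added example (this is not code from the linkx patch or from libpng): png_set_rgb_to_gray() takes the red and green weights as fractions of 1.0, and libpng stores each as a 32-bit png_fixed_point scaled by 100000. The functions weight_to_fixed() and rgb_to_gray_weights_ok() below are this example's own model of that scaling and of the checks a caller should apply before handing weights to libpng; their names, the rounding rule and the sum-to-one check are assumptions of the example, not libpng's implementation.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the linkx patch or from libpng.
 * libpng's png_set_rgb_to_gray() takes red and green weights as fractions
 * of 1.0 and stores each as a 32-bit png_fixed_point scaled by 100000.
 * The functions below model that scaling and the sanity checks a caller
 * should make; names and rounding are this example's assumptions. */

#define FIXED_SCALE 100000.0

/* Scale a weight by 100000 into a signed 32-bit fixed-point value.
 * Returns 1 on success; returns 0 and leaves *out untouched when the
 * scaled value does not fit in int32 (the overflow from the bug report). */
int weight_to_fixed(double w, int32_t *out)
{
    double r = w * FIXED_SCALE;
    if (r > 2147483647.0 || r < -2147483648.0)
        return 0;
    /* Round half away from zero; the range check keeps the cast defined. */
    long long v = (long long)(r >= 0.0 ? r + 0.5 : r - 0.5);
    if (v > INT32_MAX || v < INT32_MIN)
        return 0;
    *out = (int32_t)v;
    return 1;
}

/* Caller-side check before png_set_rgb_to_gray(): both weights must
 * convert, be non-negative, and sum to at most 1.0 (blue is the
 * remainder). Returns 1 if the pair is acceptable, else 0. */
int rgb_to_gray_weights_ok(double red, double green)
{
    int32_t r, g;
    if (!weight_to_fixed(red, &r) || !weight_to_fixed(green, &g))
        return 0;
    if (r < 0 || g < 0)
        return 0;
    return (int64_t)r + (int64_t)g <= 100000;
}

/* Blue weight implied by a red/green pair, for reporting only. */
double implied_blue(double red, double green)
{
    return 1.0 - red - green;
}

int main(void)
{
    /* The two argument sets from the dip.c hunks: before and after the fix. */
    static const struct { const char *label; double red, green; } args[] = {
        { "original dip.c: 54.0*256, 183.0*256", 54.0 * 256, 183.0 * 256 },
        { "patched dip.c:  54.0/256, 183.0/256", 54.0 / 256, 183.0 / 256 },
    };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        int32_t g;
        int fits = weight_to_fixed(args[i].green, &g);
        printf("%s -> green %s, pair %s, blue = %.4f\n",
               args[i].label,
               fits ? "fits int32" : "OVERFLOWS int32",
               rgb_to_gray_weights_ok(args[i].red, args[i].green)
                   ? "accepted" : "rejected",
               implied_blue(args[i].red, args[i].green));
    }
    return 0;
}
```

With the original arguments the red weight 54.0*256 still fits (1,382,400,000) but the green weight 183.0*256 scales to 4,684,800,000 and is rejected, which is why libpng's own conversion errored; with the patched arguments both weights convert (21094 and 71484) and sum to 92578, leaving roughly 0.074 for blue.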