authorcevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-02-10 19:46:14 +0000
committercevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-02-10 19:46:14 +0000
commitc73e0c9caa0cbf6cce6ecd0cda4be8ecfbb3a956 (patch)
tree3facdfe192f85f3067c57153252d51d41df615c1 /third_party
parent0f270c020f694b52c12f82f7be98514e70b52d67 (diff)
Merge 121019 - Fix integer issues in a way that caters for both 32-bit and 64-bit.
BUG=112822 Review URL: http://codereview.chromium.org/9363013 TBR=cevans@chromium.org Review URL: https://chromiumcodereview.appspot.com/9381014 git-svn-id: svn://svn.chromium.org/chrome/branches/1025/src@121493 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party')
-rw-r--r--third_party/libpng/README.chromium2
-rw-r--r--third_party/libpng/pngrutil.c11
2 files changed, 11 insertions, 2 deletions
diff --git a/third_party/libpng/README.chromium b/third_party/libpng/README.chromium
index 6266800..656d046 100644
--- a/third_party/libpng/README.chromium
+++ b/third_party/libpng/README.chromium
@@ -10,3 +10,5 @@ the wk_* names).
Updated to 1.2.45, no changes to the source files but all unneeded files
stripped.
+
+- One custom patch for bug 112822, to be sent upstream.
diff --git a/third_party/libpng/pngrutil.c b/third_party/libpng/pngrutil.c
index 45e7ddd..bf64644 100644
--- a/third_party/libpng/pngrutil.c
+++ b/third_party/libpng/pngrutil.c
@@ -363,8 +363,15 @@ png_decompress_chunk(png_structp png_ptr, int comp_type,
{
/* Success (maybe) - really uncompress the chunk. */
png_size_t new_size = 0;
- png_charp text = png_malloc_warn(png_ptr,
- prefix_size + expanded_size + 1);
+ png_charp text = NULL;
+ /* Need to check for both truncation (64-bit platforms) and integer
+ * overflow.
+ */
+ if (prefix_size + expanded_size > prefix_size &&
+ prefix_size + expanded_size < 0xffffffffU)
+ {
+ text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
+ }
if (text != NULL)
{
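Review bot: The new guard in png_decompress_chunk evaluates `prefix_size + expanded_size` three times, and its comment does not say why the upper bound is a strict `<`. The strict bound is what keeps the `+ 1` for the terminator from wrapping on 32-bit, which is worth stating in the comment. Computing the sum once, e.g. `png_size_t total = prefix_size + expanded_size;` then `if (total > prefix_size && total < 0xffffffffU)` and `png_malloc_warn(png_ptr, total + 1)`, keeps the check and the allocation on the same value; this assumes both operands are png_size_t, since their declarations are outside the hunk. A rejected size leaves `text` NULL and so takes the same path as a failed allocation. The else branch is not visible here, so confirm that its warning still reads correctly for an oversized chunk rather than an out-of-memory condition.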