From 60d78aa08c50177f52778b0d0323cd13024574c6 Mon Sep 17 00:00:00 2001
From: Sam Lantinga <[EMAIL REDACTED]>
Date: Thu, 30 Apr 2026 20:55:12 -0700
Subject: [PATCH] Prevent memory overflow with corrupt PNG file (thanks
@GHYoungKyun!)
Closes https://github.com/libsdl-org/SDL_image/pull/736
(cherry picked from commit 0b665d0bff1550b62e1de08725fad28c870b85d1)
---
src/IMG_libpng.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/IMG_libpng.c b/src/IMG_libpng.c
index 08ac6a12f..7a5e710b3 100644
--- a/src/IMG_libpng.c
+++ b/src/IMG_libpng.c
@@ -1009,6 +1009,9 @@ static bool read_png_chunk(SDL_IOStream *stream, png_bytep *chunk, Uint32 *chunk
SDL_memcpy(chunk_type, header+4, 4);
// Allocate memory for chunk
+ if (*data_length > (SDL_MAX_UINT32 - (sizeof(header) + 4))) {
+ return SDL_SetError("Corrupt PNG");
+ }
*chunk_size = sizeof(header) + *data_length + 4;
*chunk = (png_bytep)SDL_malloc(*chunk_size);
if (!*chunk) {
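Review bot: The added guard before `*chunk_size = sizeof(header) + *data_length + 4;` only rejects lengths that would wrap the sum past `SDL_MAX_UINT32`, so a corrupt file can still declare a chunk of almost 4 GiB and have that size passed straight to `SDL_malloc`. The PNG specification caps a chunk's length field at 2^31-1, so the check could be tightened to `if (*data_length > 0x7FFFFFFF) {`, which also covers the wrap-around case (assuming `*chunk_size` is a 32-bit unsigned, whose declaration is cut off in the hunk header). If the stream's size can be queried at this point, comparing the declared length with the bytes remaining would reject truncated files before any allocation; whether the later read handles a short read is not visible here. A one-line comment such as `// Reject lengths that would overflow chunk_size or exceed the PNG chunk limit` would record why the check exists. read_png_chunk starts and ends outside the hunk.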