--- camlimages-3.0.1.orig/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1.oversized/src/pngread.c 2009-07-03 15:51:00.000000000 +0100
@@ -15,6 +15,8 @@
 #include "config.h"
 #endif
+#include
+
 #include
 #include
@@ -26,6 +28,12 @@
 #define PNG_TAG_INDEX16 2
 #define PNG_TAG_INDEX4 3
+/* Test if x or y are negative, or if multiplying x * y would cause an
+ * arithmetic overflow.
+ */
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
 value read_png_file_as_rgb24( name )
 value name;
 {
@@ -81,6 +89,9 @@
 png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, &interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
 if ( color_type == PNG_COLOR_TYPE_GRAY || color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
 png_set_gray_to_rgb(png_ptr);
@@ -102,10 +113,16 @@
 rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
 {
 int i;
 png_bytep *row_pointers;
+ if (oversized (sizeof (png_bytep), height))
+ failwith ("png error: image contains oversized or bogus height");
+
 row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
 res = alloc_tuple(3);
@@ -235,6 +252,9 @@
 png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, &interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
 if ( color_type == PNG_COLOR_TYPE_GRAY || color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
 png_set_gray_to_rgb(png_ptr);
@@ -251,6 +271,9 @@
 rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
 /* fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr); */
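Review bot: The `(x) < 0 || (y) < 0` half of the `oversized` macro added at -26 is dead for the arguments the later hunks pass it: `width` and `height` are filled by `png_get_IHDR`, whose parameters are the unsigned `png_uint_32`, and `sizeof (png_bytep)` is a `size_t`, so neither can be negative and `-Wtype-limits` will warn; `rowbytes` is not declared in any hunk, but `png_get_rowbytes` also returns an unsigned type in the libpng of this era. The overflow half is sound for unsigned operands (`INT_MAX / (y)` is evaluated in unsigned arithmetic after conversion), though it bounds the product by `INT_MAX` rather than the `size_t` that `stat_alloc` actually takes, which is conservative rather than wrong. I would make the comment state the contract the checks rely on: `/* True if x*y would exceed INT_MAX; bounds every allocation size derived from the IHDR. */`. The added `#include` at -15 has its header name stripped on this page; `INT_MAX` comes from `<limits.h>`, so that is presumably what it adds and is worth confirming.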
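Review bot: The `failwith` added after `png_get_IHDR` at -81 raises out of the function while `png_ptr` and `info_ptr` are still live — the call directly above uses both — so a crafted image with bogus dimensions leaks the libpng read structures on every rejection, and if the input `FILE *` is already open at this point (not visible in the hunk) it leaks too; the same applies to each of the other `failwith` calls this patch adds, in the hunks at -102, -235, -251 and -259. The function's existing error path presumably tears these down before raising, and the new checks should do the same, e.g. `png_destroy_read_struct(&png_ptr, &info_ptr, NULL);` followed by the file close, before `failwith`. The enclosing functions start and end outside these hunks, so the exact cleanup sequence cannot be confirmed from the diff.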
@@ -259,6 +282,9 @@
 png_bytep *row_pointers;
 char mesg[256];
+ if (oversized (sizeof (png_bytep), height))
+ failwith ("png error: image contains oversized or bogus height");
+
 row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
 res = alloc_tuple(3);