diff -r -U 3 libpng-0.90/pngconf.h libpng-0.90p/pngconf.h
--- libpng-0.90/pngconf.h	Thu Jan 16 20:39:48 1997
+++ libpng-0.90p/pngconf.h	Wed Aug  4 06:54:25 2004
@@ -214,6 +214,13 @@
 #define PNG_WRITE_FILLER_SUPPORTED
 #define PNG_WRITE_FLUSH_SUPPORTED
 
+#ifndef PNG_USER_WIDTH_MAX
+#  define PNG_USER_WIDTH_MAX 1000000L
+#endif
+#ifndef PNG_USER_HEIGHT_MAX
+#  define PNG_USER_HEIGHT_MAX 1000000L
+#endif
+
 /* These functions are turned off by default, as they will be phased out. */
 #undef  PNG_USE_OWN_CRC
 #undef  PNG_CORRECT_PALETTE_SUPPORTED
diff -r -U 3 libpng-0.90/pngrcb.c libpng-0.90p/pngrcb.c
--- libpng-0.90/pngrcb.c	Mon Jan  6 20:26:39 1997
+++ libpng-0.90p/pngrcb.c	Wed Aug  4 06:54:25 2004
@@ -18,6 +18,9 @@
    if (!info)
       return;
 
+  if (width > PNG_USER_WIDTH_MAX || height > PNG_USER_HEIGHT_MAX)
+     png_error(png_ptr, "image size exceeds user limits in IHDR");
+
    info->width = width;
    info->height = height;
    info->bit_depth = (png_byte)bit_depth;
diff -r -U 3 libpng-0.90/pngrutil.c libpng-0.90p/pngrutil.c
--- libpng-0.90/pngrutil.c	Thu Jan 16 20:57:19 1997
+++ libpng-0.90p/pngrutil.c	Wed Aug  4 06:54:10 2004
@@ -637,7 +637,8 @@
          /* Should be an error, but we can cope with it */
          png_warning(png_ptr, "Missing PLTE before tRNS");
       }
-      else if (length > png_ptr->num_palette)
+      if (length > (png_uint_32)png_ptr->num_palette ||
+          length > 256)
       {
          png_warning(png_ptr, "Incorrect tRNS chunk length");
          png_crc_finish(png_ptr, length);