diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c
--- libpng-1.2.5/pngrutil.c	Thu Oct  3 06:32:30 2002
+++ libpng-1.2.5patch08/pngrutil.c	Fri Jul 23 19:02:48 2004
@@ -1154,8 +1154,18 @@
    }
 
    new_palette.nentries = data_length / entry_size;
-   new_palette.entries = (png_sPLT_entryp)png_malloc(
+   if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry))
+   {
+       png_warning(png_ptr, "sPLT chunk too long");
+       return;
+   }
+   new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
        png_ptr, new_palette.nentries * sizeof(png_sPLT_entry));
+   if (new_palette.entries == NULL)
+   {
+       png_warning(png_ptr, "sPLT chunk requires too much memory");
+       return;
+   }
 
 #ifndef PNG_NO_POINTER_INDEXING
    for (i = 0; i < new_palette.nentries; i++)