diff -r -U 3 libpng-0.89c/pngconf.h libpng-0.89cp/pngconf.h
--- libpng-0.89c/pngconf.h Wed Jun 5 15:01:59 1996
+++ libpng-0.89cp/pngconf.h Wed Aug 4 06:55:54 2004
@@ -164,6 +164,13 @@
 to compile. */
+#ifndef PNG_USER_WIDTH_MAX
+# define PNG_USER_WIDTH_MAX 1000000L
+#endif
+#ifndef PNG_USER_HEIGHT_MAX
+# define PNG_USER_HEIGHT_MAX 1000000L
+#endif
+
 /* Any transformations you will not be using can be undef'ed here */
 #define PNG_PROGRESSIVE_READ_SUPPORTED
 #define PNG_READ_INTERLACING_SUPPORTED
diff -r -U 3 libpng-0.89c/pngrcb.c libpng-0.89cp/pngrcb.c
--- libpng-0.89c/pngrcb.c Wed Jun 5 14:43:50 1996
+++ libpng-0.89cp/pngrcb.c Wed Aug 4 06:55:54 2004
@@ -18,6 +18,9 @@
 if (!png_ptr || !info) return;
+ if (width > PNG_USER_WIDTH_MAX || height > PNG_USER_HEIGHT_MAX)
+ png_error(png_ptr, "image size exceeds user limits in IHDR");
+
 info->width = width;
 info->height = height;
 info->bit_depth = (png_byte)bit_depth;
diff -r -U 3 libpng-0.89c/pngrutil.c libpng-0.89cp/pngrutil.c
--- libpng-0.89c/pngrutil.c Fri Jun 7 18:20:56 1996
+++ libpng-0.89cp/pngrutil.c Wed Aug 4 06:55:44 2004
@@ -360,7 +360,8 @@
 /* Should be an error, but we can cope with it */
 png_warning(png_ptr, "Missing PLTE before tRNS");
 }
- else if (length > png_ptr->num_palette)
+ if (length > (png_uint_32)png_ptr->num_palette ||
+ length > 256)
 {
 png_warning(png_ptr, "Incorrect tRNS chunk length");
 png_crc_skip(png_ptr, length);
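Review bot: The two limits added to pngconf.h are undocumented and cap each dimension separately, so an image of 1000000 x 1000000 still passes the check. Any code that multiplies height by the row size for such an image can exceed a 32-bit size. I would put a comment above the block, for example `/* Largest IHDR width/height the reader accepts; predefine smaller values to tighten. These do not bound width*height, so size products must still be checked. */`. Because the macros are wrapped in `#ifndef`, an application can lower them at build time, and the comment should say that this is the intended way to configure them.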
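Review bot: The guard added in pngrcb.c rejects only oversized dimensions, so a width or height of 0 still reaches the `info->width` / `info->height` assignments unless the IHDR chunk handler (not visible here) already refuses it. Consider extending the condition to `if (width == 0 || height == 0 || width > PNG_USER_WIDTH_MAX || height > PNG_USER_HEIGHT_MAX)`. The guard also relies on png_error() never returning; if an application-supplied error handler can return, the oversized values are stored anyway, so a `return;` after the call would make the rejection unconditional. The enclosing function starts and ends outside the hunk.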
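Review bot: The literal `256` in the new tRNS length check in pngrutil.c is not tied to the buffer it protects, and nothing explains why it is tested alongside `num_palette`. A short comment would help, such as `/* tRNS may not exceed the palette, nor the 256 entries a PNG palette can hold; the second test guards the fixed-size buffer even if num_palette is wrong */`, and the destination array's size constant could replace the literal if one exists. Dropping the `else` also means the check now runs after the "Missing PLTE before tRNS" warning, where num_palette is presumably 0 and any non-empty chunk is skipped. That looks intended, but it leaves the "we can cope with it" comment above stale. The enclosing function starts and ends outside the hunk.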