Original Chromium patch for CVE-2011-3026.
diff -Naur libpng-1.2.46.orig/pngrutil.c libpng-1.2.46/pngrutil.c
--- libpng-1.2.46.orig/pngrutil.c 2011-07-09 06:30:23.000000000 -0400
+++ libpng-1.2.46/pngrutil.c 2012-02-16 10:28:14.433079740 -0500
@@ -363,8 +363,15 @@
 {
 /* Success (maybe) - really uncompress the chunk. */
 png_size_t new_size = 0;
- png_charp text = png_malloc_warn(png_ptr,
- prefix_size + expanded_size + 1);
+ png_charp text = NULL;
+ /* Need to check for both truncation (64-bit platforms) and integer
+ * overflow.
+ */
+ if (prefix_size + expanded_size > prefix_size &&
+ prefix_size + expanded_size < 0xffffffffU)
+ {
+ text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
+ }
 
 if (text != NULL)
 {
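Review bot: The wrap-around guard `prefix_size + expanded_size > prefix_size` is strict, so an `expanded_size` of exactly 0 leaves `text` NULL and is dropped together with the genuine overflow cases; unless the condition before the hunk already excludes 0 (not visible here), the non-wrapping test for unsigned operands is `prefix_size + expanded_size >= prefix_size`, and the `< 0xffffffffU` bound still leaves room for the `+ 1` passed to png_malloc_warn. Computing the sum three times also invites a future mismatch between the checks and the allocation; a single `png_size_t total_size = prefix_size + expanded_size;` used in both tests and in the png_malloc_warn call would read more clearly. A rejected size and a real allocation failure now reach the same `text == NULL` path, so whatever the `else` branch reports (outside the hunk) will describe an oversized chunk as an out-of-memory condition; a separate `png_warning` when the guard fails would make the rejection diagnosable. The enclosing function starts before and ends after this hunk.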