fix our old libpng's security problems. 334110. r=me, sr=tor, patch by Glenn Randers-Pehrson <glennrp@gmail.com>.

modules/libimg/png/MOZCHANGES

@@ -4,3 +4,7 @@ Changes made to pristine png source by mozilla.org developers.
 2004/10/07  -- Synced with libpng-1.2.7 tree
 
 2004/10/07  -- add mozpngconf.h (bug 208607)
+
+2006/09/22  -- fix security problem with too-small error message buffer
+
+2006/09/22  -- fix security problem with too-small gamma-shift array.

modules/libimg/png/pngrtran.c

@@ -3895,7 +3895,7 @@ png_do_dither(png_row_infop row_info, png_bytep row,
 #ifdef PNG_FLOATING_POINT_SUPPORTED
 #if defined(PNG_READ_GAMMA_SUPPORTED)
 static int png_gamma_shift[] =
-   {0x10, 0x21, 0x42, 0x84, 0x110, 0x248, 0x550, 0xff0};
+   {0x10, 0x21, 0x42, 0x84, 0x110, 0x248, 0x550, 0xff0, 0x00};
 
 /* We build the 8- or 16-bit gamma tables here.  Note that for 16-bit
  * tables, we don't make a full table if we are reducing to 8-bit in

modules/libimg/png/pngrutil.c

@@ -275,7 +275,7 @@ png_decompress_chunk(png_structp png_ptr, int comp_type,
       if (ret != Z_STREAM_END)
       {
 #if !defined(PNG_NO_STDIO) && !defined(_WIN32_WCE)
-         char umsg[50];
+         char umsg[52];
 
          if (ret == Z_BUF_ERROR)
             sprintf(umsg,"Buffer error in compressed datastream in %s chunk",

modules/libpr0n/decoders/png/nsPNGDecoder.cpp

@@ -136,7 +136,7 @@ NS_IMETHODIMP nsPNGDecoder::Init(imgILoad *aLoad)
 
 #if defined(PNG_UNKNOWN_CHUNKS_SUPPORTED)
   /* Ignore unused chunks */
-  png_set_keep_unknown_chunks(mPNG, 0, unused_chunks,
+  png_set_keep_unknown_chunks(mPNG, 1, unused_chunks,
      (int)sizeof(unused_chunks)/5);   
 #endif