libpng-1.2.49.txt | 5 3 + 2 - 0 !
png.5 | 6 5 + 1 - 0 !
png.h | 8 5 + 3 - 0 !
3 files changed, 13 insertions(+), 6 deletions(-)

---

png.c | 7 4 + 3 - 0 !
pngset.c | 9 9 + 0 - 0 !
2 files changed, 13 insertions(+), 3 deletions(-)

 added a safety check in png_set_time()

pngrutil.c | 13 12 + 1 - 0 !
pngset.c | 11 8 + 3 - 0 !
pngwutil.c | 7 5 + 2 - 0 !
3 files changed, 25 insertions(+), 6 deletions(-)

 multiple buffer overflows in the png_set_plte and png_get_plte functions
 .
 Prevent writing over-length PLTE chunk. Silently truncate over-length
 PLTE chunk while reading
 .
 CVE-2015-8126

pngrutil.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fixed new bug with crc error after reading an over-length palette

pngrutil.c | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 [patch] [libpng12] avoid potential pointer overflow in
 png_handle_iTXt(),

png_handle_zTXt(), png_handle_sPLT(), and png_handle_pCAL() (Bug report
by John Regehr).

pngrutil.c | 11 6 + 5 - 0 !
1 file changed, 6 insertions(+), 5 deletions(-)

 [patch] [libpng12] use unsigned constants in buffer length
 comparisons

pngset.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] [libpng12] fixed bug recently introduced in png_set_plte()
 that uses png_ptr

not info_ptr.

pngwutil.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 cve-2015-8540: underflow read in png_check_keyword()