From b2c2419b1bf03ec350b07fd2f122e7768252a30e Mon Sep 17 00:00:00 2001
From: Sean Barrett
Date: Mon, 29 Jan 2018 08:14:53 -0800
Subject: [PATCH] stb_image: avoid arithmetic overflow in png case

---
 stb_image.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/stb_image.h b/stb_image.h
index 2656def..ed456fd 100644
--- a/stb_image.h
+++ b/stb_image.h
@@ -4341,8 +4341,10 @@ static int stbi__create_png_image_raw(stbi__png *a, stbi_uc *raw, stbi__uint32 r
 a->out = (stbi_uc *) stbi__malloc_mad3(x, y, output_bytes, 0); // extra bytes to write off the end into
 if (!a->out) return stbi__err("outofmem", "Out of memory");
+ if (!stbi__mad3sizes_valid(img_n, x, depth, 7)) return stbi__err("too large", "Corrupt PNG");
 img_width_bytes = (((img_n * x * depth) + 7) >> 3);
 img_len = (img_width_bytes + 1) * y;
+
 // we used to check for exact match between raw_len and img_len on non-interlaced PNGs,
 // but issue #276 reported a PNG in the wild that had extra data at the end (all zeros),
 // so just check for raw_len < img_len always.