[libpng16] Relocate the iCCP length test to a point after reading the keyword

1 files changed, 13 insertions, 10 deletions

diff --git a/pngrutil.c b/pngrutil.c
index 8656fa5b5..d87484632 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1380,17 +1380,7 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
     * chunk is just ignored, so does not invalidate the color space.  An
     * alternative is to set the 'invalid' flags at the start of this routine
     * and only clear them in they were not set before and all the tests pass.
-    * The minimum 'zlib' stream is assumed to be just the 2 byte header,
-    * 5 bytes minimum 'deflate' stream, and the 4 byte checksum. The keyword
-    * must be at least one character and there is a terminator (0) byte and
-    * the compression method.
     */
-   if (length < 14)
-   {
-      png_crc_finish(png_ptr, length);
-      png_chunk_benign_error(png_ptr, "too short");
-      return;
-   }
 
    /* If a colorspace error has already been output skip this chunk */
    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
@@ -1417,6 +1407,19 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
       png_crc_read(png_ptr, (png_bytep)keyword, read_length);
       length -= read_length;
 
+   /* The minimum 'zlib' stream is assumed to be just the 2 byte header,
+    * 5 bytes minimum 'deflate' stream, and the 4 byte checksum. The keyword
+    * must be at least one character and there is a terminator (0) byte and
+    * the compression method.
+    */
+
+   if (length < 14)
+   {
+      png_crc_finish(png_ptr, length);
+      png_chunk_benign_error(png_ptr, "too short");
+      return;
+   }
+
       keyword_length = 0;
       while (keyword_length < 80 && keyword_length < read_length &&
          keyword[keyword_length] != 0)