diff -r -U 3 libpng-1.2.2/pngrutil.c libpng-1.2.2patch08a/pngrutil.c
--- libpng-1.2.2/pngrutil.c	Mon Apr 15 09:25:39 2002
+++ libpng-1.2.2patch08a/pngrutil.c	Fri Jul 23 20:07:38 2004
@@ -1132,8 +1132,18 @@
    }
 
    new_palette.nentries = data_length / entry_size;
+   if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry))
+   {
+       png_warning(png_ptr, "sPLT chunk too long");
+       return;
+   }
    new_palette.entries = (png_sPLT_entryp)png_malloc(
        png_ptr, new_palette.nentries * sizeof(png_sPLT_entry));
+   if (new_palette.entries == NULL)
+   {
+       png_warning(png_ptr, "sPLT chunk requires too much memory");
+       return;
+   }
 
 #ifndef PNG_NO_POINTER_INDEXING
    for (i = 0; i < new_palette.nentries; i++)