--- libpng-1.2.1/pngget.c	2001-12-12 17:37:21.000000000 -0600
+++ libpng-1.2.5/pngget.c	2002-10-03 06:32:28.000000000 -0500
@@ -547,7 +547,11 @@
       *width = info_ptr->width;
       *height = info_ptr->height;
       *bit_depth = info_ptr->bit_depth;
+      if (info_ptr->bit_depth < 1 || info_ptr->bit_depth > 16)
+        png_error(png_ptr, "Invalid bit depth");
       *color_type = info_ptr->color_type;
+      if (info_ptr->color_type > 6)
+        png_error(png_ptr, "Invalid color type");
       if (compression_type != NULL)
          *compression_type = info_ptr->compression_type;
       if (filter_type != NULL)
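Review bot: The two added range checks are looser than the values PNG defines: `info_ptr->color_type > 6` still lets 1 and 5 through, and `bit_depth < 1 || bit_depth > 16` accepts depths such as 3 or 7, while only colour types 0, 2, 3, 4, 6 and depths 1, 2, 4, 8, 16 are valid. If the checks are meant to catch a corrupted or hand-filled info struct before the channel and rowbytes arithmetic further down, the colour-type test could be tightened to `if (info_ptr->color_type == 1 || info_ptr->color_type == 5 || info_ptr->color_type > 6)`, with a matching exact-value test for the bit depth. Whether these fields are already validated when IHDR is read is not visible here, so this may be defence in depth only. Both checks also run after the value has been stored through the caller's pointer; that is harmless provided `png_error` does not return, but a one-line comment saying so would help. The enclosing function starts and ends outside this hunk.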
@@ -566,9 +570,13 @@
          channels++;
       pixel_depth = *bit_depth * channels;
       rowbytes_per_pixel = (pixel_depth + 7) >> 3;
-      if ((*width > PNG_MAX_UINT/rowbytes_per_pixel))
+      if (width == 0 || *width > PNG_MAX_UINT)
+        png_error(png_ptr, "Invalid image width");
+      if (height == 0 || *height > PNG_MAX_UINT)
+        png_error(png_ptr, "Invalid image height");
+      if (*width > PNG_MAX_UINT/rowbytes_per_pixel - 64)
       {
-         png_warning(png_ptr,
+         png_error(png_ptr,
             "Width too large for libpng to process image data.");
       }
       return (1);
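Review bot: The zero tests in `if (width == 0 || *width > PNG_MAX_UINT)` and `if (height == 0 || *height > PNG_MAX_UINT)` compare the pointers, not the values, so an image with zero width or height is not rejected. The pointer test cannot help as a NULL guard either, because `*width` and `*height` are already written in the hunk at -547, assuming both hunks belong to the same function. The lines should read `if (*width == 0 || *width > PNG_MAX_UINT)` and `if (*height == 0 || *height > PNG_MAX_UINT)`. The `- 64` margin in `PNG_MAX_UINT/rowbytes_per_pixel - 64` is unexplained; a short comment naming what the 64 bytes of headroom cover would let a reader check that the bound is sufficient. The function body starts outside this hunk.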
