From ee86f1c969627a384a9e20d99a4b5e4d007def05 Mon Sep 17 00:00:00 2001
From: Vincent Rabaud
Date: Fri, 10 Jan 2025 14:57:39 +0100
Subject: [PATCH] Fix remaining bugs in PNG reader

- free chunk before a potential longjmp
- do not try to allocate when the chunk is > PNG_USER_CHUNK_MALLOC_MAX
---
 modules/imgcodecs/src/grfmt_png.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/imgcodecs/src/grfmt_png.cpp b/modules/imgcodecs/src/grfmt_png.cpp
index 744f244a20..1ecc01f17f 100644
--- a/modules/imgcodecs/src/grfmt_png.cpp
+++ b/modules/imgcodecs/src/grfmt_png.cpp
@@ -339,6 +339,10 @@ bool PngDecoder::readHeader()
 png_bytep trans; png_color_16p trans_values; + // Free chunk in case png_read_info uses longjmp. + chunk.p.clear(); + chunk.p.shrink_to_fit(); + png_read_info( png_ptr, info_ptr ); png_get_IHDR(png_ptr, info_ptr, &wdth, &hght, &bit_depth, &color_type, 0, 0, 0);
@@ -703,6 +707,7 @@ uint32_t PngDecoder::read_chunk(Chunk& chunk)
 if (size > PNG_USER_CHUNK_MALLOC_MAX)
 {
 CV_LOG_WARNING(NULL, "chunk data is too large");
+ return 0;
 }
 chunk.p.resize(size);
 memcpy(chunk.p.data(), len, 4);
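Review bot: `shrink_to_fit()` is a non-binding request, so the added `chunk.p.clear(); chunk.p.shrink_to_fit();` does not guarantee that the buffer is actually released before `png_read_info` can longjmp. If `chunk.p` is a standard vector (its declaration is outside the hunk), swapping with an empty temporary does guarantee it: `decltype(chunk.p)().swap(chunk.p);`. Jumping over a live object with a non-trivial destructor is also formally undefined in C++, so closing `chunk`'s scope before the call would be more robust than emptying it in place. readHeader's body starts and ends outside the hunk, so whether other locals with destructors are live at this call cannot be checked from here.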
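Review bot: The new `return 0;` in the oversize branch exits with `chunk.p` still holding whatever an earlier call left in it. A caller that does not check the result would then go on to parse a stale chunk. Clearing first, `chunk.p.clear(); return 0;`, makes the failure unambiguous, and a short comment such as `// 0 = no chunk read; chunk.p is empty` would document the contract. The callers are outside the hunk, so it should be confirmed that each one treats 0 as an error and stops reading from the stream, since the oversized payload is not consumed here. read_chunk's body starts and ends outside the hunk.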