--- libpng-1.0.12.orig/pngconf.h
+++ libpng-1.0.12/pngconf.h
@@ -243,8 +243,13 @@
 #      undef _BSD_SOURCE
 #    endif
 #    ifdef _SETJMP_H
-      __png.h__ already includes setjmp.h;
-      __dont__ include it again.;
+/* Explanation added by debian maintainer Philippe Troin <phil@fifi.org>.
+   There are two versions of setjmp, depending wether or not we compile for
+   BSD. They are incompatible and can cause crashes. The PNG people force
+   here a unique behavior for setjmp. It fou get the error below,
+   then include <png.h> before <setjmp.h>.
+*/
+#error png.h already includes setjmp.h with some additional fixup.
 #    endif
 #  endif /* __linux__ */
 
--- libpng-1.0.12.orig/pngget.c
+++ libpng-1.0.12/pngget.c
@@ -566,9 +566,9 @@
          channels++;
       pixel_depth = *bit_depth * channels;
       rowbytes_per_pixel = (pixel_depth + 7) >> 3;
-      if ((*width > PNG_MAX_UINT/rowbytes_per_pixel))
+      if ((*width > (PNG_MAX_UINT/rowbytes_per_pixel) - 64))
       {
-         png_warning(png_ptr,
+         png_error(png_ptr,
             "Width too large for libpng to process image data.");
       }
       return (1);
--- libpng-1.0.12.orig/pngpread.c
+++ libpng-1.0.12/pngpread.c
@@ -736,6 +736,13 @@
       }
       if (!(png_ptr->zstream.avail_out))
       {
+         if ((
+#if defined(PNG_READ_INTERLACING_SUPPORTED)
+             png_ptr->interlaced && png_ptr->pass > 6) ||
+             (!png_ptr->interlaced &&
+#endif
+             png_ptr->row_number == png_ptr->num_rows-1))
+           png_error(png_ptr, "Too much data in IDAT chunks");
          png_push_process_row(png_ptr);
          png_ptr->zstream.avail_out = (uInt)png_ptr->irowbytes;
          png_ptr->zstream.next_out = png_ptr->row_buf;
--- libpng-1.0.12.orig/pngrtran.c
+++ libpng-1.0.12/pngrtran.c
@@ -1924,8 +1924,8 @@
          /* This changes the data from RRGGBB to RRGGBBXX */
          if (flags & PNG_FLAG_FILLER_AFTER)
          {
-            png_bytep sp = row + (png_size_t)row_width * 3;
-            png_bytep dp = sp  + (png_size_t)row_width;
+            png_bytep sp = row + (png_size_t)row_width * 6;
+            png_bytep dp = sp  + (png_size_t)row_width * 2;
             for (i = 1; i < row_width; i++)
             {
                *(--dp) = hi_filler;
@@ -1946,8 +1946,8 @@
          /* This changes the data from RRGGBB to XXRRGGBB */
          else
          {
-            png_bytep sp = row + (png_size_t)row_width * 3;
-            png_bytep dp = sp  + (png_size_t)row_width;
+            png_bytep sp = row + (png_size_t)row_width * 6;
+            png_bytep dp = sp  + (png_size_t)row_width * 2;
             for (i = 0; i < row_width; i++)
             {
                *(--dp) = *(--sp);