From: http://comments.gmane.org/gmane.comp.graphics.png.devel/4564
From: John Bowler <jbowler@...>
Subject: [jdbaker@...: pkg/44940: links-gui crashes due to libpng fixed-point overflow]

It's two bugs: one, the obvious one, in the two calls to png_set_rgb_to_gray() in dip.c; that should be *DIVIDED* by 256, not multiplied!

The other is that there is *NO* error handling, no call to setjmp(); so when png_error is called the call stack ends up destroyed and, apparently, the program dies in create_read_struct_2, right after the comment that explains why libpng is about to call abort() ;-)

The attached patch fixes both problems, but links will still error out on a png_error (just with an OOM message, not an abort()).

--- linkx/dip.c.orig 2011-05-11 09:31:06.000000000 -0700 +++ linkx/dip.c 2011-05-11 09:34:07.000000000 -0700 @@ -1436,6 +1436,8 @@ png_ptr=png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, my_png_error, my_png_warning); + if (setjmp(png_jmpbuf(png_ptr))) + overalloc(); /* some error detected by libpng */ info_ptr=png_create_info_struct(png_ptr); png_set_read_fn(png_ptr,&work,(png_rw_ptr)&read_stored_data); png_read_info(png_ptr, info_ptr); @@ -1462,7 +1464,7 @@ if (color_type==PNG_COLOR_TYPE_PALETTE){ png_set_expand(png_ptr); #ifdef HAVE_PNG_SET_RGB_TO_GRAY - png_set_rgb_to_gray(png_ptr,1,54.0*256,183.0*256); + png_set_rgb_to_gray(png_ptr,1,54.0/256,183.0/256); #else goto end; #endif @@ -1473,7 +1475,7 @@ if (color_type==PNG_COLOR_TYPE_RGB || color_type==PNG_COLOR_TYPE_RGB_ALPHA){ #ifdef HAVE_PNG_SET_RGB_TO_GRAY - png_set_rgb_to_gray(png_ptr, 1, 54.0*256, 183.0*256); + png_set_rgb_to_gray(png_ptr, 1, 54.0/256, 183.0/256); #else goto end; #endif
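Review bot: in the hunk at -1436, png_ptr goes straight into png_jmpbuf(png_ptr) with no NULL check, so when png_create_read_struct() fails (it returns NULL on allocation failure or a version mismatch) the new setjmp line dereferences NULL instead of ever reaching overalloc(); add `if (!png_ptr) overalloc();` ahead of the setjmp, or fold it in as `if (!png_ptr || setjmp(png_jmpbuf(png_ptr)))`. The hunk also depends on overalloc() never returning: if it can, control falls through into png_create_info_struct() and png_read_info() with a png_ptr that has already raised a fatal error, so either document overalloc() as noreturn or follow it with an explicit goto to the cleanup label. Two smaller points: the jump buffer only fires because my_png_error returns control to libpng (which is what the abort described in the message implies), so that callback must keep returning; and nothing on the error path calls png_destroy_read_struct(), which is only acceptable while overalloc() exits the process.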
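Review bot: in the hunk at -1462, the corrected weights 54.0/256 and 183.0/256 are bare magic numbers that are repeated verbatim in the hunk at -1473; the original bug had to be fixed in two places for exactly that reason, so define them once (for example `#define GRAY_RED_WEIGHT (54.0/256)` and `#define GRAY_GREEN_WEIGHT (183.0/256)`) and use the macros at both call sites. A comment on what they mean would also help: png_set_rgb_to_gray() takes red and green as fractions in the range 0..1 and derives blue as 1 - red - green, so the call selects 54/256, 183/256 and 19/256, close to the Rec. 709 luma weights. The previous 54.0*256 and 183.0*256 evaluate to 13824 and 46848, and 46848 scaled by libpng's internal 100000 fixed-point factor does not fit in a 32-bit png_fixed_point, which is the "fixed-point overflow" in the subject line.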
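Review bot: in the hunk at -1473, the change duplicates the hunk at -1462 character for character apart from whitespace; if the two weights are hoisted into shared macros this hunk becomes a one-token change and the two call sites cannot drift apart again. Separately, the error_action argument is the bare literal 1 here and in the palette branch: that value means libpng neither warns nor errors on pixels that are not already gray, which is the right choice when RGB and RGB_ALPHA data is deliberately being reduced to gray, but it reads better as PNG_ERROR_ACTION_NONE where the installed libpng defines that name, with a fallback to 1 under the existing HAVE_PNG_SET_RGB_TO_GRAY guard otherwise.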