[libpng16] Added PNG_SAFE_LIMITS feature to pnglibconf.dfa, pngpriv.h, and new pngusr.dfa

to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined.
To enable, use CPPFLAGS=-DPNG_SAFE_LIMITS on the configure command
or put #define PNG_SAFE_LIMITS_SUPPORTED in pnglibconf.h.prebuilt.
(Reverted previous implementation of PNG_SECURE.)
diff --git a/ANNOUNCE b/ANNOUNCE
index 8c58b5d..81e3194 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -224,8 +224,10 @@
     pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c;
     now that png_ptr->buffer is inaccessible to applications, the special
     handling is no longer useful.
-  Added PNG_SECURE feature to pnglibconf.dfa and new pngusr.dfa file
-    to reset the user limits to safe ones if PNG_SECURE is defined.
+  Added PNG_SAFE_LIMITS feature to pnglibconf.dfa, pngpriv.h, and new pngusr.dfa
+    to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined.
+    To enable, use CPPFLAGS=-DPNG_SAFE_LIMITS on the configure command
+    or put #define PNG_SAFE_LIMITS_SUPPORTED in pnglibconf.h.prebuilt.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 90ccd4a..411f4a2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3976,8 +3976,10 @@
     pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c;
     now that png_ptr->buffer is inaccessible to applications, the special
     handling is no longer useful.
-  Added PNG_SECURE feature to pnglibconf.dfa and new pngusr.dfa file
-    to reset the user limits to safe ones if PNG_SECURE is defined.
+  Added PNG_SAFE_LIMITS feature to pnglibconf.dfa, pngpriv.h, and new pngusr.dfa
+    to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined.
+    To enable, use CPPFLAGS=-DPNG_SAFE_LIMITS on the configure command
+    or put #define PNG_SAFE_LIMITS_SUPPORTED in pnglibconf.h.prebuilt.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngconf.h b/pngconf.h
index afb0092..b3a93c8 100644
--- a/pngconf.h
+++ b/pngconf.h
@@ -1,7 +1,7 @@
 
 /* pngconf.h - machine configurable file for libpng
  *
- * libpng version 1.6.0beta13 - February 19, 2012
+ * libpng version 1.6.0beta13 - February 24, 2012
  *
  * Copyright (c) 1998-2012 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
@@ -22,6 +22,26 @@
 #ifndef PNGCONF_H
 #define PNGCONF_H
 
+/* To do: Do all of this in scripts/pnglibconf.dfa */
+#ifdef PNG_SAFE_LIMITS_SUPPORTED
+#  ifdef PNG_USER_WIDTH_MAX
+#    undef PNG_USER_WIDTH_MAX
+#    define PNG_USER_WIDTH_MAX 1000000L
+#  endif
+#  ifdef PNG_USER_HEIGHT_MAX
+#    undef PNG_USER_HEIGHT_MAX
+#    define PNG_USER_HEIGHT_MAX 1000000L
+#  endif
+#  ifdef PNG_USER_CHUNK_MALLOC_MAX
+#    undef PNG_USER_CHUNK_MALLOC_MAX
+#    define PNG_USER_CHUNK_MALLOC_MAX 4000000L
+#  endif
+#  ifdef PNG_USER_CHUNK_CACHE_MAX
+#    undef PNG_USER_CHUNK_CACHE_MAX
+#    define PNG_USER_CHUNK_CACHE_MAX 128
+#  endif
+#endif
+
 #ifndef PNG_BUILDING_SYMBOL_TABLE /* else includes may cause problems */
 
 /* From libpng 1.6.0 libpng requires an ANSI X3.159-1989 ("ISOC90") compliant C
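Review bot: The added block resets a limit only when the builder has already defined it, and does so unconditionally, so with PNG_SAFE_LIMITS_SUPPORTED a stricter builder value (for example `PNG_USER_WIDTH_MAX 10000`) is raised to `1000000L`. This contradicts the "unless individually overridden" wording added in the pngpriv.h hunk of this commit. The reset also uses `PNG_USER_CHUNK_MALLOC_MAX 4000000L` while pngpriv.h defaults the same macro to `8000000`, so the effective cap depends on whether the macro was defined before this header is read. If the `#ifndef` defaults in pngpriv.h are meant to be authoritative, this block could be dropped; otherwise clamp rather than overwrite, e.g. `#if PNG_USER_WIDTH_MAX > 1000000L` ahead of each `#undef`, and use one malloc cap in both files. For the two chunk limits the clamp would also have to treat 0 as too large, since pngpriv.h uses 0 for "no limit".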
diff --git a/pngpriv.h b/pngpriv.h
index 617e372..9062367 100644
--- a/pngpriv.h
+++ b/pngpriv.h
@@ -194,6 +194,45 @@
 #  define PNG_DLL_EXPORT
 #endif
 
+/* SECURITY and SAFETY:
+ *
+ * By default libpng is built without any internal limits on image size,
+ * individual heap (png_malloc) allocations or the total amount of memory used.
+ * If PNG_SAFE_LIMITS_SUPPORTED is defined, however, the limits below are used
+ * (unless individually overridden).  These limits are believed to be fairly
+ * safe, but builders of secure systems should verify the values against the
+ * real system capabilities.
+ */
+#ifdef PNG_SAFE_LIMITS_SUPPORTED
+   /* 'safe' limits */
+#  ifndef PNG_USER_WIDTH_MAX
+#     define PNG_USER_WIDTH_MAX 1000000
+#  endif
+#  ifndef PNG_USER_HEIGHT_MAX
+#     define PNG_USER_HEIGHT_MAX 1000000
+#  endif
+#  ifndef PNG_USER_CHUNK_CACHE_MAX
+#     define PNG_USER_CHUNK_CACHE_MAX 128
+#  endif
+#  ifndef PNG_USER_CHUNK_MALLOC_MAX
+#     define PNG_USER_CHUNK_MALLOC_MAX 8000000
+#  endif
+#else
+   /* values for no limits */
+#  ifndef PNG_USER_WIDTH_MAX
+#     define PNG_USER_WIDTH_MAX 0x7fffffff
+#  endif
+#  ifndef PNG_USER_HEIGHT_MAX
+#     define PNG_USER_HEIGHT_MAX 0x7fffffff
+#  endif
+#  ifndef PNG_USER_CHUNK_CACHE_MAX
+#     define PNG_USER_CHUNK_CACHE_MAX 0
+#  endif
+#  ifndef PNG_USER_CHUNK_MALLOC_MAX
+#     define PNG_USER_CHUNK_MALLOC_MAX 0
+#  endif
+#endif
+
 /* This is used for 16 bit gamma tables -- only the top level pointers are
  * const; this could be changed:
  */
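Review bot: The 'safe' branch caps width and height separately at 1000000, which still admits an image of 10^12 pixels, and nothing in this block bounds their product or the "total amount of memory used" that the header comment mentions. The comment should say this, so that a builder does not read PNG_SAFE_LIMITS_SUPPORTED as a bound on memory. I would add a sentence such as `These limits bound each dimension and each chunk allocation separately; they do not bound the total image size, which the application must check before allocating.` Whether libpng limits row or whole-image allocations elsewhere is not visible in this hunk.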
diff --git a/scripts/pnglibconf.dfa b/scripts/pnglibconf.dfa
index 9e4ea3e..594c890 100644
--- a/scripts/pnglibconf.dfa
+++ b/scripts/pnglibconf.dfa
@@ -27,7 +27,7 @@
 # The syntax is detailed in scripts/options.awk, this is a summary
 # only:
 #
-# setting <name> [requires ...] [default]
+# setting <name> [default]
 #    #define PNG_<name> <value>  /* value comes from current setting */
 # option <name> [requires ...] [if ...] [enables ...] [disabled]
 #    #define PNG_<name>_SUPPORTED if the requirements are met and
@@ -273,20 +273,22 @@
 
 option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT
 
-# Added at libpng-1.0.16 and 1.2.6.  To accept all valid PNGs no matter
-# how large, set these two limits to 0x7fffffff
+# Libpng limits.
+#
+# If these settings are *not* set libpng will not limit the size of
+# images or the size of data in ancilliary chunks.  This does lead to
+# security issues if PNG files come from untrusted sources.
+setting USER_WIDTH_MAX
+setting USER_HEIGHT_MAX
+setting USER_CHUNK_CACHE_MAX
+setting USER_CHUNK_MALLOC_MAX
 
-setting USER_WIDTH_MAX default 0x7fffffff
-setting USER_HEIGHT_MAX default 0x7fffffff
-
-# Added at libpng-1.2.43.  To accept all valid PNGs no matter
-# how large, set these two limits to 0.
-
-setting USER_CHUNK_CACHE_MAX default 0
-
-# Added at libpng-1.2.43
-
-setting USER_CHUNK_MALLOC_MAX default 0
+# To default all these settings to values that are large but probably
+# safe turn the SAFE_LIMITS option on; this will cause the value in
+# pngpriv.h to be used.  Individual values can also be set, simply set
+# them in pngusr.dfa with '@#define PNG_setting value' lines.
+option SAFE_LIMITS enables USER_LIMITS disabled
+= SAFE_LIMITS SAFE_LIMITS
 
 # All of the following options relate to code capabilities for
 # processing image data before creating a PNG or after reading one.
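Review bot: The replacement comment drops what the removed comments recorded about sentinel values: 0x7fffffff for the width and height settings, and 0 for the two chunk settings, mean "no limit". With the defaults gone from the `setting` lines, that meaning is now only implied by the `/* values for no limits */` branch in pngpriv.h, so a builder who writes `@#define PNG_USER_CHUNK_MALLOC_MAX 0` in pngusr.dfa may take it for the strictest value. I would add a line such as `# A value of 0 for USER_CHUNK_CACHE_MAX or USER_CHUNK_MALLOC_MAX means unlimited.` and correct the spelling `ancilliary` to `ancillary`. The new comment could also state that pngpriv.h supplies the unlimited defaults when these settings are left unset.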
diff --git a/scripts/pnglibconf.h.prebuilt b/scripts/pnglibconf.h.prebuilt
index a3e9cdd..f4079e2 100644
--- a/scripts/pnglibconf.h.prebuilt
+++ b/scripts/pnglibconf.h.prebuilt
@@ -31,10 +31,6 @@
 #define PNG_QUANTIZE_GREEN_BITS 5
 #define PNG_QUANTIZE_RED_BITS 5
 #define PNG_sCAL_PRECISION 5
-#define PNG_USER_CHUNK_CACHE_MAX 0
-#define PNG_USER_CHUNK_MALLOC_MAX 0
-#define PNG_USER_HEIGHT_MAX 0x7fffffff
-#define PNG_USER_WIDTH_MAX 0x7fffffff
 #define PNG_WEIGHT_SHIFT 8
 #define PNG_ZBUF_SIZE 8192
 /* end of settings */