[master] Imported from libpng-1.6.32.tar
diff --git a/ANNOUNCE b/ANNOUNCE
index 94a3969..3cbe5a9 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,4 +1,4 @@
-Libpng 1.6.31 - July 27, 2017
+Libpng 1.6.32 - August 24, 2017
 
 This is a public release of libpng, intended for use in production codes.
 
@@ -7,51 +7,79 @@
 Source files with LF line endings (for Unix/Linux) and with a
 "configure" script
 
-   libpng-1.6.31.tar.xz (LZMA-compressed, recommended)
-   libpng-1.6.31.tar.gz
+   libpng-1.6.32.tar.xz (LZMA-compressed, recommended)
+   libpng-1.6.32.tar.gz
 
 Source files with CRLF line endings (for Windows), without the
 "configure" script
 
-   lpng1631.7z  (LZMA-compressed, recommended)
-   lpng1631.zip
+   lpng1632.7z  (LZMA-compressed, recommended)
+   lpng1632.zip
 
 Other information:
 
-   libpng-1.6.31-README.txt
-   libpng-1.6.31-LICENSE.txt
-   libpng-1.6.31-*.asc (armored detached GPG signatures)
+   libpng-1.6.32-README.txt
+   libpng-1.6.32-LICENSE.txt
+   libpng-1.6.32-*.asc (armored detached GPG signatures)
 
-Changes since the last public release (1.6.30):
-
-  Guard the definition of _POSIX_SOURCE in pngpriv.h (AIX already defines it;
-    bug report by Michael Felt).
-  Revised pngpriv.h to work around failure to compile arm/filter_neon.S
-    ("typedef" directive is unrecognized by the assembler). The problem
-    was introduced in libpng-1.6.30beta01.
-  Added "Requires: zlib" to libpng.pc.in (Pieter Neerincx).
-  Added special case for FreeBSD in arm/filter_neon.S (Maya Rashish).
-  Added instructions for disabling hardware optimizations in INSTALL.
-  Added "--enable-hardware-optimizations" configuration flag to enable
-    or disable all hardware optimizations with one flag.
-  Updated CMakeLists.txt to add INTEL_SSE and MIPS_MSA platforms.
-  Changed "int" to "png_size_t" in intel/filter_sse2.c to prevent
-    possible integer overflow (Bug report by John Bowler).
-  Quieted "declaration after statement" warnings in intel/filter_sse2.c.
-  Added scripts/makefile-linux-opt, which has hardware optimizations enabled.
-  Removed one of the GCC-7.1.0 'strict-overflow' warnings that result when
-    integers appear on both sides of a compare.  Worked around the others by
-    forcing the strict-overflow setting in the relevant functions to a level
-    where they are not reported (John Bowler).
-  Changed "FALL THROUGH" comments to "FALLTHROUGH" because GCC doesn't like
-    the space.
-  Worked around some C-style casts from (void*) because g++ 5.4.0 objects
-    to them.
-  Increased the buffer size for 'sprint' to pass the gcc 7.1.0 'sprint
-    overflow' check that is on by default with -Wall -Wextra.
-  Added eXIf chunk support.
-  Added a minimal eXIf chunk (with Orientation and FocalLengthIn35mmFilm
-    tags) to pngtest.png.
+Changes since the last public release (1.6.31):
+  Avoid possible NULL dereference in png_handle_eXIf when benign_errors
+    are allowed. Avoid leaking the input buffer "eXIf_buf".
+  Eliminated png_ptr->num_exif member from pngstruct.h and added num_exif
+    to arguments for png_get_eXIf() and png_set_eXIf().
+  Added calls to png_handle_eXIf(() in pngread.c and png_write_eXIf() in
+    pngwrite.c, and made various other fixes to png_write_eXIf().
+  Changed name of png_get_eXIF and png_set_eXIf() to png_get_eXIf_1() and
+    png_set_eXIf_1(), respectively, to avoid breaking API compatibility
+    with libpng-1.6.31.
+  Updated contrib/libtests/pngunknown.c with eXIf chunk.
+  Initialized btoa[] in pngstest.c
+  Stop memory leak when returning from png_handle_eXIf() with an error
+    (Bug report from the OSS-fuzz project).
+  Replaced local eXIf_buf with info_ptr-eXIf_buf in png_handle_eXIf().
+  Update libpng.3 and libpng-manual.txt about eXIf functions.
+  Restored png_get_eXIf() and png_set_eXIf() to maintain API compatability.
+  Removed png_get_eXIf_1() and png_set_eXIf_1().
+  Check length of all chunks except IDAT against user limit to fix an
+    OSS-fuzz issue.
+  Check length of IDAT against maximum possible IDAT size, accounting
+    for height, rowbytes, interlacing and zlib/deflate overhead.
+  Restored png_get_eXIf_1() and png_set_eXIf_1(), because strlen(eXIf_buf)
+    does not work (the eXIf chunk data can contain zeroes).
+  Require cmake-2.8.8 in CMakeLists.txt. Revised symlink creation,
+    no longer using deprecated cmake LOCATION feature (Clifford Yapp).
+  Fixed five-byte error in the calculation of IDAT maximum possible size.
+  Moved chunk-length check into a png_check_chunk_length() private
+    function (Suggested by Max Stepin).
+  Moved bad pngs from tests to contrib/libtests/crashers
+  Moved testing of bad pngs into a separate tests/pngtest-badpngs script
+  Added the --xfail (expected FAIL) option to pngtest.c. It writes XFAIL
+    in the output but PASS for the libpng test.
+  Require cmake-3.0.2 in CMakeLists.txt (Clifford Yapp).
+  Fix "const" declaration info_ptr argument to png_get_eXIf_1() and the
+    num_exif argument to png_get_eXIf_1() (Github Issue 171).
+  Added "eXIf" to "chunks_to_ignore[]" in png_set_keep_unknown_chunks().
+  Added huge_IDAT.png and empty_ancillary_chunks.png to testpngs/crashers.
+  Make pngtest --strict, --relax, --xfail options imply -m (multiple).
+  Removed unused chunk_name parameter from png_check_chunk_length().
+  Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak.
+  Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue.
+  Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR.
+  Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
+  Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account
+    for the minimum 'deflate' stream, and relocate the test to a point
+    after the keyword has been read.
+  Check that the eXIf chunk has at least 2 bytes and begins with "II" or "MM".
+  Added a set of "huge_xxxx_chunk.png" files to contrib/testpngs/crashers,
+    one for each known chunk type, with length = 2GB-1.
+  Check for 0 return from png_get_rowbytes() and added some (size_t) typecasts
+    in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706,
+    and 162707).
+  Renamed chunks in contrib/testpngs/crashers to avoid having files whose
+    names differ only in case; this causes problems with some platforms
+    (github issue #172).
+  Added contrib/oss-fuzz directory which contains files used by the oss-fuzz
+    project (https://github.com/google/oss-fuzz/tree/master/projects/libpng).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index a2f367a..14e60dd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5908,6 +5908,92 @@
 Version 1.6.31 [July 27, 2017]
   No changes.
 
+Version 1.6.32beta01 [July 31, 2017]
+  Avoid possible NULL dereference in png_handle_eXIf when benign_errors
+    are allowed. Avoid leaking the input buffer "eXIf_buf".
+  Eliminated png_ptr->num_exif member from pngstruct.h and added num_exif
+    to arguments for png_get_eXIf() and png_set_eXIf().
+  Added calls to png_handle_eXIf(() in pngread.c and png_write_eXIf() in
+    pngwrite.c, and made various other fixes to png_write_eXIf().
+  Changed name of png_get_eXIF and png_set_eXIf() to png_get_eXIf_1() and
+    png_set_eXIf_1(), respectively, to avoid breaking API compatibility
+    with libpng-1.6.31.
+
+Version 1.6.32beta02 [August 1, 2017]
+  Updated contrib/libtests/pngunknown.c with eXIf chunk.
+
+Version 1.6.32beta03 [August 2, 2017]
+  Initialized btoa[] in pngstest.c
+  Stop memory leak when returning from png_handle_eXIf() with an error
+    (Bug report from the OSS-fuzz project).
+
+Version 1.6.32beta04 [August 2, 2017]
+  Replaced local eXIf_buf with info_ptr-eXIf_buf in png_handle_eXIf().
+  Update libpng.3 and libpng-manual.txt about eXIf functions.
+
+Version 1.6.32beta05 [August 2, 2017]
+  Restored png_get_eXIf() and png_set_eXIf() to maintain API compatability.
+
+Version 1.6.32beta06 [August 2, 2017]
+  Removed png_get_eXIf_1() and png_set_eXIf_1().
+
+Version 1.6.32beta07 [August 3, 2017]
+  Check length of all chunks except IDAT against user limit to fix an
+    OSS-fuzz issue.
+
+Version 1.6.32beta08 [August 3, 2017]
+  Check length of IDAT against maximum possible IDAT size, accounting
+    for height, rowbytes, interlacing and zlib/deflate overhead.
+  Restored png_get_eXIf_1() and png_set_eXIf_1(), because strlen(eXIf_buf)
+    does not work (the eXIf chunk data can contain zeroes).
+
+Version 1.6.32beta09 [August 3, 2017]
+  Require cmake-2.8.8 in CMakeLists.txt. Revised symlink creation,
+    no longer using deprecated cmake LOCATION feature (Clifford Yapp).
+  Fixed five-byte error in the calculation of IDAT maximum possible size.
+  
+Version 1.6.32beta10 [August 5, 2017]
+  Moved chunk-length check into a png_check_chunk_length() private
+    function (Suggested by Max Stepin).
+  Moved bad pngs from tests to contrib/libtests/crashers
+  Moved testing of bad pngs into a separate tests/pngtest-badpngs script
+  Added the --xfail (expected FAIL) option to pngtest.c. It writes XFAIL
+    in the output but PASS for the libpng test.
+  Require cmake-3.0.2 in CMakeLists.txt (Clifford Yapp).
+  Fix "const" declaration info_ptr argument to png_get_eXIf_1() and the
+    num_exif argument to png_get_eXIf_1() (Github Issue 171).
+
+Version 1.6.32beta11 [August 7, 2017]
+  Added "eXIf" to "chunks_to_ignore[]" in png_set_keep_unknown_chunks().
+  Added huge_IDAT.png and empty_ancillary_chunks.png to testpngs/crashers.
+  Make pngtest --strict, --relax, --xfail options imply -m (multiple).
+  Removed unused chunk_name parameter from png_check_chunk_length().
+  Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak.
+  Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue.
+  Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR.
+  Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
+  Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account
+    for the minimum 'deflate' stream, and relocate the test to a point
+    after the keyword has been read.
+  Check that the eXIf chunk has at least 2 bytes and begins with "II" or "MM".
+
+Version 1.6.32rc01 [August 18, 2017]
+  Added a set of "huge_xxxx_chunk.png" files to contrib/testpngs/crashers,
+    one for each known chunk type, with length = 2GB-1.
+  Check for 0 return from png_get_rowbytes() and added some (size_t) typecasts
+    in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706,
+    and 162707).
+  Renamed chunks in contrib/testpngs/crashers to avoid having files whose
+    names differ only in case; this causes problems with some platforms
+    (github issue #172).
+
+Version 1.6.32rc02 [August 22, 2017]
+  Added contrib/oss-fuzz directory which contains files used by the oss-fuzz
+    project (https://github.com/google/oss-fuzz/tree/master/projects/libpng).
+
+Version 1.6.32 [August 24, 2017]
+  No changes.
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0c72c36..7a51f00 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -11,8 +11,8 @@
 # For conditions of distribution and use, see the disclaimer
 # and license in png.h
 
-cmake_minimum_required(VERSION 2.8.3)
-cmake_policy(VERSION 2.8.3)
+cmake_minimum_required(VERSION 3.0.2)
+cmake_policy(VERSION 3.0.2)
 
 # Set MacOSX @rpath usage globally.
 if (POLICY CMP0020)
@@ -36,7 +36,7 @@
 
 set(PNGLIB_MAJOR 1)
 set(PNGLIB_MINOR 6)
-set(PNGLIB_RELEASE 31)
+set(PNGLIB_RELEASE 32)
 set(PNGLIB_NAME libpng${PNGLIB_MAJOR}${PNGLIB_MINOR})
 set(PNGLIB_VERSION ${PNGLIB_MAJOR}.${PNGLIB_MINOR}.${PNGLIB_RELEASE})
 
@@ -755,31 +755,58 @@
   list(APPEND PNG_BIN_TARGETS png-fix-itxt)
 endif()
 
-# Ensure the CMAKE_LIBRARY_OUTPUT_DIRECTORY is set
-IF(NOT CMAKE_LIBRARY_OUTPUT_DIRECTORY)
-  SET(CMAKE_LIBRARY_OUTPUT_DIRECTORY "lib")
-ENDIF(NOT CMAKE_LIBRARY_OUTPUT_DIRECTORY)
-
 # Set a variable with CMake code which:
 # Creates a symlink from src to dest (if possible) or alternatively
 # copies if different.
-macro(CREATE_SYMLINK SRC_FILE DEST_FILE)
-  FILE(REMOVE ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${DEST_FILE})
-  if(CMAKE_HOST_WIN32 AND NOT CYGWIN AND NOT MSYS)
-    ADD_CUSTOM_COMMAND(
-        OUTPUT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${DEST_FILE}   ${CMAKE_CURRENT_BINARY_DIR}/${DEST_FILE}
-        COMMAND ${CMAKE_COMMAND} -E copy_if_different  "${SRC_FILE}" ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${DEST_FILE}
-        COMMAND ${CMAKE_COMMAND} -E copy_if_different  "${SRC_FILE}" ${CMAKE_CURRENT_BINARY_DIR}/${DEST_FILE}
-        DEPENDS ${PNG_LIB_TARGETS}
-        )
-    ADD_CUSTOM_TARGET(${DEST_FILE}_COPY ALL DEPENDS ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${DEST_FILE})
-  else(CMAKE_HOST_WIN32 AND NOT CYGWIN AND NOT MSYS)
-    get_filename_component(LINK_TARGET "${SRC_FILE}" NAME)
-    execute_process(COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/${CMAKE_LIBRARY_OUTPUT_DIRECTORY})
-    execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink "${LINK_TARGET}" ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/${DEST_FILE} WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
-    execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink "${LINK_TARGET}" ${DEST_FILE} WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
-  endif(CMAKE_HOST_WIN32 AND NOT CYGWIN AND NOT MSYS)
-endmacro()
+include(CMakeParseArguments)
+
+function(CREATE_SYMLINK DEST_FILE)
+
+  cmake_parse_arguments(S "" "FILE;TARGET" "" ${ARGN})
+
+  if(NOT S_TARGET AND NOT S_FILE)
+    message(FATAL_ERROR "Specify either a TARGET or a FILE for CREATE_SYMLINK to link to.")
+  endif(NOT S_TARGET AND NOT S_FILE)
+
+  if(S_TARGET AND S_FILE)
+    message(FATAL_ERROR "CREATE_SYMLINK called with both source file ${S_FILE} and build target ${S_TARGET} arguments - can only handle 1 type per call.")
+  endif(S_TARGET AND S_FILE)
+
+  if(S_FILE)
+    # If we don't need to symlink something that's coming from a build target,
+    # we can go ahead and symlink/copy at configure time.
+
+    if(CMAKE_HOST_WIN32 AND NOT CYGWIN AND NOT MSYS)
+      execute_process(
+	COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${S_FILE} ${DEST_FILE}
+	WORKING_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}"
+	)
+    else(CMAKE_HOST_WIN32 AND NOT CYGWIN AND NOT MSYS)
+      execute_process(
+	COMMAND ${CMAKE_COMMAND} -E create_symlink ${S_FILE} ${DEST_FILE}
+	WORKING_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}"
+	)
+    endif(CMAKE_HOST_WIN32 AND NOT CYGWIN AND NOT MSYS)
+  endif(S_FILE)
+
+  if(S_TARGET)
+    # We need to use generator expressions, which can be a bit tricky, so for
+    # simplicity make the symlink a POST_BUILD step and use the TARGET
+    # signature of add_custom_command.
+
+    if(CMAKE_HOST_WIN32 AND NOT CYGWIN AND NOT MSYS)
+      add_custom_command(TARGET ${S_TARGET} POST_BUILD
+	COMMAND "${CMAKE_COMMAND}" -E copy_if_different $<TARGET_LINKER_FILE_NAME:${S_TARGET}> $<TARGET_LINKER_FILE_DIR:${S_TARGET}>/${DEST_FILE}
+	)
+    else(CMAKE_HOST_WIN32 AND NOT CYGWIN AND NOT MSYS)
+      add_custom_command(TARGET ${S_TARGET} POST_BUILD
+	COMMAND "${CMAKE_COMMAND}" -E create_symlink $<TARGET_LINKER_FILE_NAME:${S_TARGET}> $<TARGET_LINKER_FILE_DIR:${S_TARGET}>/${DEST_FILE}
+	)
+    endif(CMAKE_HOST_WIN32 AND NOT CYGWIN AND NOT MSYS)
+
+  endif(S_TARGET)
+
+endfunction()
 
 # Create source generation scripts.
 configure_file(${CMAKE_CURRENT_SOURCE_DIR}/scripts/genchk.cmake.in
@@ -807,17 +834,17 @@
   set(LIBS        "-lz -lm")
   configure_file(${CMAKE_CURRENT_SOURCE_DIR}/libpng.pc.in
     ${CMAKE_CURRENT_BINARY_DIR}/${PNGLIB_NAME}.pc @ONLY)
-  CREATE_SYMLINK(${PNGLIB_NAME}.pc libpng.pc)
+  CREATE_SYMLINK(libpng.pc FILE ${PNGLIB_NAME}.pc)
 
   configure_file(${CMAKE_CURRENT_SOURCE_DIR}/libpng-config.in
     ${CMAKE_CURRENT_BINARY_DIR}/${PNGLIB_NAME}-config @ONLY)
-  CREATE_SYMLINK(${PNGLIB_NAME}-config libpng-config)
+  CREATE_SYMLINK(libpng-config FILE ${PNGLIB_NAME}-config)
 endif(NOT WIN32 OR CYGWIN OR MINGW)
 
 # SET UP LINKS
 if(PNG_SHARED)
   set_target_properties(png PROPERTIES
-#   VERSION 16.${PNGLIB_RELEASE}.1.6.31
+#   VERSION 16.${PNGLIB_RELEASE}.1.6.32
     VERSION 16.${PNGLIB_RELEASE}.0
     SOVERSION 16
     CLEAN_DIRECT_OUTPUT 1)
@@ -844,26 +871,20 @@
   if(PNG_SHARED)
     # Create a symlink for libpng.dll.a => libpng16.dll.a on Cygwin
     if(CYGWIN OR MINGW)
-       get_target_property(BUILD_TARGET_LOCATION png LOCATION_${CMAKE_BUILD_TYPE})
-       CREATE_SYMLINK(${BUILD_TARGET_LOCATION} libpng${CMAKE_IMPORT_LIBRARY_SUFFIX})
-       install(FILES ${CMAKE_CURRENT_BINARY_DIR}/libpng${CMAKE_IMPORT_LIBRARY_SUFFIX}
-         DESTINATION ${CMAKE_INSTALL_LIBDIR})
+      CREATE_SYMLINK(libpng${CMAKE_IMPORT_LIBRARY_SUFFIX} TARGET png)
+      install(FILES $<TARGET_LINKER_FILE_DIR:png>/libpng${CMAKE_IMPORT_LIBRARY_SUFFIX} DESTINATION ${CMAKE_INSTALL_LIBDIR})
     endif(CYGWIN OR MINGW)
 
     if(NOT WIN32)
-      get_target_property(BUILD_TARGET_LOCATION png LOCATION_${CMAKE_BUILD_TYPE})
-      CREATE_SYMLINK(${BUILD_TARGET_LOCATION} libpng${CMAKE_SHARED_LIBRARY_SUFFIX})
-      install(FILES ${CMAKE_CURRENT_BINARY_DIR}/libpng${CMAKE_SHARED_LIBRARY_SUFFIX}
-         DESTINATION ${CMAKE_INSTALL_LIBDIR})
+      CREATE_SYMLINK(libpng${CMAKE_SHARED_LIBRARY_SUFFIX} TARGET png)
+      install(FILES $<TARGET_LINKER_FILE_DIR:png>/libpng${CMAKE_SHARED_LIBRARY_SUFFIX} DESTINATION ${CMAKE_INSTALL_LIBDIR})
     endif(NOT WIN32)
   endif(PNG_SHARED)
 
   if(PNG_STATIC)
     if(NOT WIN32 OR CYGWIN OR MINGW)
-      get_target_property(BUILD_TARGET_LOCATION png_static LOCATION_${CMAKE_BUILD_TYPE})
-      CREATE_SYMLINK(${BUILD_TARGET_LOCATION} libpng${CMAKE_STATIC_LIBRARY_SUFFIX})
-      install(FILES ${CMAKE_CURRENT_BINARY_DIR}/libpng${CMAKE_STATIC_LIBRARY_SUFFIX}
-         DESTINATION ${CMAKE_INSTALL_LIBDIR})
+      CREATE_SYMLINK( libpng${CMAKE_STATIC_LIBRARY_SUFFIX} TARGET png_static)
+      install(FILES $<TARGET_LINKER_FILE_DIR:png_static>/libpng${CMAKE_STATIC_LIBRARY_SUFFIX} DESTINATION ${CMAKE_INSTALL_LIBDIR})
     endif(NOT WIN32 OR CYGWIN OR MINGW)
  endif()
 endif()
diff --git a/LICENSE b/LICENSE
index 1df0cbb..e803911 100644
--- a/LICENSE
+++ b/LICENSE
@@ -10,7 +10,7 @@
 
 This code is released under the libpng license.
 
-libpng versions 1.0.7, July 1, 2000 through 1.6.31, July 27, 2017 are
+libpng versions 1.0.7, July 1, 2000 through 1.6.32, August 24, 2017 are
 Copyright (c) 2000-2002, 2004, 2006-2017 Glenn Randers-Pehrson, are
 derived from libpng-1.0.6, and are distributed according to the same
 disclaimer and license as libpng-1.0.6 with the following individuals
diff --git a/Makefile.am b/Makefile.am
index 18ac748..08db3e5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -60,6 +60,7 @@
 # set of parameters:
 TESTS =\
    tests/pngtest\
+   tests/pngtest-badpngs\
    tests/pngvalid-gamma-16-to-8 tests/pngvalid-gamma-alpha-mode\
    tests/pngvalid-gamma-background tests/pngvalid-gamma-expand16-alpha-mode\
    tests/pngvalid-gamma-expand16-background\
diff --git a/README b/README
index 1f68cfa..7129271 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-README for libpng version 1.6.31 - July 27, 2017 (shared library 16.0)
+README for libpng version 1.6.32 - August 24, 2017 (shared library 16.0)
 See the note about version numbers near the top of png.h
 
 See INSTALL for instructions on how to install libpng.
diff --git a/configure.ac b/configure.ac
index b1fd158..4f0eed4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -25,7 +25,7 @@
 
 dnl Version number stuff here:
 
-AC_INIT([libpng],[1.6.31],[png-mng-implement@lists.sourceforge.net])
+AC_INIT([libpng],[1.6.32],[png-mng-implement@lists.sourceforge.net])
 AC_CONFIG_MACRO_DIR([scripts])
 
 # libpng does not follow GNU file name conventions (hence 'foreign')
@@ -46,10 +46,10 @@
 dnl AM_PREREQ([1.11.2])
 dnl stop configure from automagically running automake
 
-PNGLIB_VERSION=1.6.31
+PNGLIB_VERSION=1.6.32
 PNGLIB_MAJOR=1
 PNGLIB_MINOR=6
-PNGLIB_RELEASE=31
+PNGLIB_RELEASE=32
 
 dnl End of version number stuff
 
diff --git a/contrib/libtests/pngstest.c b/contrib/libtests/pngstest.c
index 0617dbb..ab45089 100644
--- a/contrib/libtests/pngstest.c
+++ b/contrib/libtests/pngstest.c
@@ -2610,9 +2610,9 @@
    const unsigned int b_sample = PNG_IMAGE_SAMPLE_SIZE(formatb);
    int alpha_added, alpha_removed;
    int bchannels;
-   int btoa[4];
    png_uint_32 y;
    Transform tr;
+   int btoa[4]={0,0,0,0};
 
    /* This should never happen: */
    if (width != b->image.width || height != b->image.height)
diff --git a/contrib/libtests/pngunknown.c b/contrib/libtests/pngunknown.c
index 7bb33f8..12eab72 100644
--- a/contrib/libtests/pngunknown.c
+++ b/contrib/libtests/pngunknown.c
@@ -1,7 +1,7 @@
 
 /* pngunknown.c - test the read side unknown chunk handling
  *
- * Last changed in libpng 1.6.31 [July 27, 2017]
+ * Last changed in libpng 1.6.32 [August 24, 2017]
  * Copyright (c) 2015,2017 Glenn Randers-Pehrson
  * Written by John Cunningham Bowler
  *
@@ -114,6 +114,7 @@
 #define png_PLTE PNG_U32( 80,  76,  84,  69)
 #define png_bKGD PNG_U32( 98,  75,  71,  68)
 #define png_cHRM PNG_U32( 99,  72,  82,  77)
+#define png_eXIf PNG_U32(101,  88,  73, 102) /* registered July 2017 */
 #define png_fRAc PNG_U32(102,  82,  65,  99) /* registered, not defined */
 #define png_gAMA PNG_U32(103,  65,  77,  65)
 #define png_gIFg PNG_U32(103,  73,  70, 103)
@@ -210,6 +211,13 @@
          1,
 #     endif
       1,  START, 0 },
+   { "eXIf", PNG_INFO_eXIf, png_eXIf,
+#     ifdef PNG_READ_eXIf_SUPPORTED
+         0,
+#     else
+         1,
+#     endif
+      1,  END, 0 },
    { "gAMA", PNG_INFO_gAMA, png_gAMA,
 #     ifdef PNG_READ_gAMA_SUPPORTED
          0,
@@ -1090,7 +1098,7 @@
  "sTER", "sTER=if-safe", 0,
  "IDAT", "default=discard", "IDAT=save", 0,
  "sAPI", "bKGD=save", "cHRM=save", "gAMA=save", "all=discard", "iCCP=save",
-   "sBIT=save", "sRGB=save", 0,
+   "sBIT=save", "sRGB=save", "eXIf=save", 0,
  0/*end*/
 };
 
diff --git a/contrib/oss-fuzz/README.txt b/contrib/oss-fuzz/README.txt
new file mode 100644
index 0000000..a75cba4
--- /dev/null
+++ b/contrib/oss-fuzz/README.txt
@@ -0,0 +1,32 @@
+Last changed in libpng 1.6.32 [August 24, 2017]
+Copyright (c) 2017 Glenn Randers-Pehrson
+
+This code is released under the libpng license.
+For conditions of distribution and use, see the disclaimer
+and license in png.h
+
+Files in this directory are used by the oss-fuzz project
+(https://github.com/google/oss-fuzz/tree/master/projects/libpng).
+for "fuzzing" libpng.
+
+They were licensed by Google Inc, using the BSD-like Chromium license,
+which may be found at https://cs.chromium.org/chromium/src/LICENSE, or, if
+noted in the source, under the Apache-2.0 license, which may
+be found at http://www.apache.org/licenses/LICENSE-2.0 .
+If they have been modified, the derivatives are copyright Glenn Randers-Pehson
+and are released under the same licenses as the originals.  Several of
+the original files (libpng_read_fuzzer.options, png.dict, project.yaml)
+had no licensing information; we assumed that these were under the Chromium
+license. Any new files are released under the libpng license (see png.h).
+
+The files are
+                            Original
+ Filename                   or derived   Copyright          License
+ =========================  ==========   ================   ==========
+ build.sh                   derived      2017, Glenn R-P    Apache 2.0
+ libpng_read_fuzzer.cc      derived      2017, Glenn R-P    Chromium
+ libpng_read_fuzzer.options original     2015, Chrome Devs  Chromium
+ png.dict                   original     2015, Chrome Devs  Chromium
+ README.txt (this file)     original     2017, GLenn R-P    libpng
+
+To do: exercise the progressive reader.
diff --git a/contrib/oss-fuzz/build.sh b/contrib/oss-fuzz/build.sh
new file mode 100755
index 0000000..cf5a9da
--- /dev/null
+++ b/contrib/oss-fuzz/build.sh
@@ -0,0 +1,47 @@
+#!/bin/bash -eu
+# Copyright 2017 Glenn Randers-Pehrson
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Last changed in libpng 1.6.32 [August 24, 2017]
+#
+# Revisions by Glenn Randers-Pehson, 2017:
+# 1. Build only the library, not the tools (changed "make -j$(nproc) all" to
+#     "make -j$(nproc) libpng16.la").
+# 2. Disabled WARNING and WRITE options in pnglibconf.dfa.
+################################################################################
+
+# Disable logging via library build configuration control.
+cat scripts/pnglibconf.dfa | \
+  sed -e "s/option STDIO/option STDIO disabled/" \
+      -e "s/option WARNING /option WARNING disabled/" \
+      -e "s/option WRITE enables WRITE_INT_FUNCTIONS/option WRITE disabled/" \
+> scripts/pnglibconf.dfa.temp
+mv scripts/pnglibconf.dfa.temp scripts/pnglibconf.dfa
+
+# build the library.
+autoreconf -f -i
+./configure
+make -j$(nproc) clean
+make -j$(nproc) libpng16.la
+
+# build libpng_read_fuzzer.
+$CXX $CXXFLAGS -std=c++11 -I. \
+     $SRC/libpng_read_fuzzer.cc -o $OUT/libpng_read_fuzzer \
+     -lFuzzingEngine .libs/libpng16.a -lz
+
+# add seed corpus.
+find $SRC/libpng/contrib/pngsuite -name "*.png" | xargs zip $OUT/libpng_read_fuzzer_seed_corpus.zip
+
+cp $SRC/*.dict $SRC/*.options $OUT/
diff --git a/contrib/oss-fuzz/libpng_read_fuzzer.cc b/contrib/oss-fuzz/libpng_read_fuzzer.cc
new file mode 100644
index 0000000..c1b1624
--- /dev/null
+++ b/contrib/oss-fuzz/libpng_read_fuzzer.cc
@@ -0,0 +1,154 @@
+
+// libpng_read_fuzzer.cc
+// Copyright 2017 Glenn Randers-Pehrson
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that may
+// be found in the LICENSE file https://cs.chromium.org/chromium/src/LICENSE
+
+// Last changed in libpng 1.6.32 [August 24, 2017]
+
+// The modifications in 2017 by Glenn Randers-Pehrson include
+// 1. addition of a PNG_CLEANUP macro,
+// 2. setting the option to ignore ADLER32 checksums,
+// 3. adding "#include <string.h>" which is needed on some platforms
+//    to provide memcpy().
+
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include <vector>
+
+#define PNG_INTERNAL
+#include "png.h"
+
+#define PNG_CLEANUP \
+    if(png_handler.png_ptr) \
+    { \
+      if (png_handler.info_ptr) \
+        png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\
+          nullptr); \
+      else \
+        png_destroy_read_struct(&png_handler.png_ptr, nullptr, nullptr); \
+     }
+
+struct BufState {
+  const uint8_t* data;
+  size_t bytes_left;
+};
+
+struct PngObjectHandler {
+  png_infop info_ptr = nullptr;
+  png_structp png_ptr = nullptr;
+  png_voidp row_ptr = nullptr;
+  BufState* buf_state = nullptr;
+
+  ~PngObjectHandler() {
+    if (row_ptr && png_ptr) {
+      png_free(png_ptr, row_ptr);
+    }
+    if (png_ptr && info_ptr) {
+      png_destroy_read_struct(&png_ptr, &info_ptr, nullptr);
+    }
+    delete buf_state;
+  }
+};
+
+void user_read_data(png_structp png_ptr, png_bytep data, png_size_t length) {
+  BufState* buf_state = static_cast<BufState*>(png_get_io_ptr(png_ptr));
+  if (length > buf_state->bytes_left) {
+    png_error(png_ptr, "read error");
+  }
+  memcpy(data, buf_state->data, length);
+  buf_state->bytes_left -= length;
+  buf_state->data += length;
+}
+
+static const int kPngHeaderSize = 8;
+
+// Entry point for LibFuzzer.
+// Roughly follows the libpng book example:
+// http://www.libpng.org/pub/png/book/chapter13.html
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size < kPngHeaderSize) {
+    return 0;
+  }
+
+  std::vector<unsigned char> v(data, data + size);
+  if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) {
+    // not a PNG.
+    return 0;
+  }
+
+  PngObjectHandler png_handler;
+  png_handler.png_ptr = png_create_read_struct
+    (PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr);
+  if (!png_handler.png_ptr) {
+    return 0;
+  }
+
+  png_handler.info_ptr = png_create_info_struct(png_handler.png_ptr);
+  if (!png_handler.info_ptr) {
+    PNG_CLEANUP
+    return 0;
+  }
+
+  png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);
+#ifdef PNG_IGNORE_ADLER32
+  png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON);
+#endif
+
+  // Setting up reading from buffer.
+  png_handler.buf_state = new BufState();
+  png_handler.buf_state->data = data + kPngHeaderSize;
+  png_handler.buf_state->bytes_left = size - kPngHeaderSize;
+  png_set_read_fn(png_handler.png_ptr, png_handler.buf_state, user_read_data);
+  png_set_sig_bytes(png_handler.png_ptr, kPngHeaderSize);
+
+  if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
+    PNG_CLEANUP
+    return 0;
+  }
+
+  // Reading.
+  png_read_info(png_handler.png_ptr, png_handler.info_ptr);
+  png_handler.row_ptr = png_malloc(
+      png_handler.png_ptr, png_get_rowbytes(png_handler.png_ptr,
+                                               png_handler.info_ptr));
+
+  // reset error handler to put png_deleter into scope.
+  if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
+    PNG_CLEANUP
+    return 0;
+  }
+
+  png_uint_32 width, height;
+  int bit_depth, color_type, interlace_type, compression_type;
+  int filter_type;
+
+  if (!png_get_IHDR(png_handler.png_ptr, png_handler.info_ptr, &width,
+                    &height, &bit_depth, &color_type, &interlace_type,
+                    &compression_type, &filter_type)) {
+    PNG_CLEANUP
+    return 0;
+  }
+
+  // This is going to be too slow.
+  if (width && height > 100000000 / width) {
+    PNG_CLEANUP
+    return 0;
+  }
+
+  int passes = png_set_interlace_handling(png_handler.png_ptr);
+  png_start_read_image(png_handler.png_ptr);
+
+  for (int pass = 0; pass < passes; ++pass) {
+    for (png_uint_32 y = 0; y < height; ++y) {
+      png_read_row(png_handler.png_ptr,
+                   static_cast<png_bytep>(png_handler.row_ptr), nullptr);
+    }
+  }
+
+  PNG_CLEANUP
+  return 0;
+}
diff --git a/contrib/oss-fuzz/libpng_read_fuzzer.options b/contrib/oss-fuzz/libpng_read_fuzzer.options
new file mode 100644
index 0000000..2005291
--- /dev/null
+++ b/contrib/oss-fuzz/libpng_read_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = png.dict
diff --git a/contrib/oss-fuzz/png.dict b/contrib/oss-fuzz/png.dict
new file mode 100644
index 0000000..3a8a113
--- /dev/null
+++ b/contrib/oss-fuzz/png.dict
@@ -0,0 +1,39 @@
+#
+# AFL dictionary for PNG images
+# -----------------------------
+#
+# Just the basic, standard-originating sections; does not include vendor
+# extensions.
+#
+# Created by Michal Zalewski <lcamtuf@google.com>
+#
+
+header_png="\x89PNG\x0d\x0a\x1a\x0a"
+
+section_IDAT="IDAT"
+section_IEND="IEND"
+section_IHDR="IHDR"
+section_PLTE="PLTE"
+section_bKGD="bKGD"
+section_cHRM="cHRM"
+section_eXIf="eXIf"
+section_fRAc="fRAc"
+section_gAMA="gAMA"
+section_gIFg="gIFg"
+section_gIFt="gIFt"
+section_gIFx="gIFx"
+section_hIST="hIST"
+section_iCCP="iCCP"
+section_iTXt="iTXt"
+section_oFFs="oFFs"
+section_pCAL="pCAL"
+section_pHYs="pHYs"
+section_sBIT="sBIT"
+section_sCAL="sCAL"
+section_sPLT="sPLT"
+section_sRGB="sRGB"
+section_sTER="sTER"
+section_tEXt="tEXt"
+section_tIME="tIME"
+section_tRNS="tRNS"
+section_zTXt="zTXt"
diff --git a/contrib/pngminus/png2pnm.c b/contrib/pngminus/png2pnm.c
index c9f1623..39a9f46 100644
--- a/contrib/pngminus/png2pnm.c
+++ b/contrib/pngminus/png2pnm.c
@@ -1,9 +1,11 @@
 /*
  *  png2pnm.c --- conversion from PNG-file to PGM/PPM-file
- *  copyright (C) 1999 by Willem van Schaik <willem at schaik.com>
+ *  copyright (C) 1999,2017 by Willem van Schaik <willem at schaik.com>
  *
  *  version 1.0 - 1999.10.15 - First version.
  *          1.1 - 2017.04.22 - Add buffer-size check (Glenn Randers-Pehrson)
+ *          1.2 - 2017.08.24 - Fix potential overflow in buffer-size check
+                               (Glenn Randers-Pehrson)
  *
  *  Permission to use, copy, modify, and distribute this software and
  *  its documentation for any purpose and without fee is hereby granted,
@@ -321,18 +323,21 @@
   /* row_bytes is the width x number of channels x (bit-depth / 8) */
   row_bytes = png_get_rowbytes (png_ptr, info_ptr);
 
-  if (height > ((size_t)(-1))/row_bytes) /* too big */ {
+  if ((row_bytes == 0 || (size_t)height > ((size_t)(-1))/(size_t)row_bytes))
+  {
+    /* too big */ 
     png_destroy_read_struct (&png_ptr, &info_ptr, NULL);
     return FALSE;
   }
   if ((png_pixels = (png_byte *)
-     malloc (row_bytes * height * sizeof (png_byte))) == NULL) {
+     malloc ((size_t)row_bytes * (size_t)height * sizeof (png_byte))) == NULL)
+  {
     png_destroy_read_struct (&png_ptr, &info_ptr, NULL);
     return FALSE;
   }
 
   if ((row_pointers = (png_byte **)
-     malloc (height * sizeof (png_bytep))) == NULL)
+     malloc ((size_t)height * sizeof (png_bytep))) == NULL)
   {
     png_destroy_read_struct (&png_ptr, &info_ptr, NULL);
     free (png_pixels);
@@ -413,7 +418,8 @@
           if (raw)
             fputc ((int) *pix_ptr++ , alpha_file);
           else
-            if (bit_depth == 16){
+            if (bit_depth == 16)
+            {
               dep_16 = (long) *pix_ptr++;
               fprintf (alpha_file, "%ld ", (dep_16 << 8) + (long) *pix_ptr++);
             }
@@ -437,6 +443,7 @@
   if (png_pixels != (unsigned char*) NULL)
     free (png_pixels);
 
+  PNG_UNUSED(raw) /* to quiet a Coverity defect */
   return TRUE;
 
 } /* end of source */
diff --git a/contrib/pngminus/pnm2png.c b/contrib/pngminus/pnm2png.c
index adc3206..1b550b8 100644
--- a/contrib/pngminus/pnm2png.c
+++ b/contrib/pngminus/pnm2png.c
@@ -1,10 +1,12 @@
 /*
  *  pnm2png.c --- conversion from PBM/PGM/PPM-file to PNG-file
- *  copyright (C) 1999 by Willem van Schaik <willem at schaik.com>
+ *  copyright (C) 1999,2015,2017 by Willem van Schaik <willem at schaik.com>
  *
  *  version 1.0 - 1999.10.15 - First version.
  *  version 1.1 - 2015.07.29 - Fixed leaks (Glenn Randers-Pehrson)
  *  version 1.2 - 2017.04.22 - Add buffer-size check
+ *          1.3 - 2017.08.24 - Fix potential overflow in buffer-size check
+ *                             (Glenn Randers-Pehrson)
  *
  *  Permission to use, copy, modify, and distribute this software and
  *  its documentation for any purpose and without fee is hereby granted,
@@ -371,10 +373,12 @@
     row_bytes = (width * channels * bit_depth + 7) / 8;
   else
 #endif
-    /* row_bytes is the width x number of channels x (bit-depth / 8) */
+  /* row_bytes is the width x number of channels x (bit-depth / 8) */
     row_bytes = width * channels * ((bit_depth <= 8) ? 1 : 2);
 
-  if (height > ((size_t)(-1))/row_bytes) /* too big */ {
+  if ((row_bytes == 0 || (size_t)height > ((size_t)(-1))/(size_t)row_bytes)
+  {
+    /* too big */ 
     return FALSE;
   }
   if ((png_pixels = (png_byte *)
@@ -387,7 +391,8 @@
   for (row = 0; row < (int) height; row++)
   {
 #if defined(PNG_WRITE_INVERT_SUPPORTED) || defined(PNG_WRITE_PACK_SUPPORTED)
-    if (packed_bitmap) {
+    if (packed_bitmap)
+    {
       for (i = 0; i < (int) row_bytes; i++)
         /* png supports this format natively so no conversion is needed */
         *pix_ptr++ = get_data (pnm_file, 8);
@@ -508,6 +513,8 @@
   if (png_pixels != (unsigned char*) NULL)
     free (png_pixels);
 
+  PNG_UNUSED(raw) /* Quiet a Coverity defect */
+
   return TRUE;
 } /* end of pnm2png */
 
@@ -524,7 +531,8 @@
   do
   {
     ret = fgetc(pnm_file);
-    if (ret == '#') {
+    if (ret == '#')
+    {
       /* the rest of this line is a comment */
       do
       {
diff --git a/contrib/testpngs/crashers/bad_iCCP.png b/contrib/testpngs/crashers/bad_iCCP.png
new file mode 100644
index 0000000..0b7b863
--- /dev/null
+++ b/contrib/testpngs/crashers/bad_iCCP.png
Binary files differ
diff --git a/tests/badadler.png b/contrib/testpngs/crashers/badadler.png
similarity index 100%
rename from tests/badadler.png
rename to contrib/testpngs/crashers/badadler.png
Binary files differ
diff --git a/tests/badcrc.png b/contrib/testpngs/crashers/badcrc.png
similarity index 100%
rename from tests/badcrc.png
rename to contrib/testpngs/crashers/badcrc.png
Binary files differ
diff --git a/contrib/testpngs/crashers/empty_ancillary_chunks.png b/contrib/testpngs/crashers/empty_ancillary_chunks.png
new file mode 100644
index 0000000..d76477c
--- /dev/null
+++ b/contrib/testpngs/crashers/empty_ancillary_chunks.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_IDAT.png b/contrib/testpngs/crashers/huge_IDAT.png
new file mode 100644
index 0000000..efee66c
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_IDAT.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_bKGD_chunk.png b/contrib/testpngs/crashers/huge_bKGD_chunk.png
new file mode 100644
index 0000000..fd571fd
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_bKGD_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_cHRM_chunk.png b/contrib/testpngs/crashers/huge_cHRM_chunk.png
new file mode 100644
index 0000000..698e7c4
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_cHRM_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_eXIf_chunk.png b/contrib/testpngs/crashers/huge_eXIf_chunk.png
new file mode 100644
index 0000000..7d41601
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_eXIf_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_gAMA_chunk.png b/contrib/testpngs/crashers/huge_gAMA_chunk.png
new file mode 100644
index 0000000..b089c18
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_gAMA_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_hIST_chunk.png b/contrib/testpngs/crashers/huge_hIST_chunk.png
new file mode 100644
index 0000000..6d6fcb5
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_hIST_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_iCCP_chunk.png b/contrib/testpngs/crashers/huge_iCCP_chunk.png
new file mode 100644
index 0000000..fbcb761
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_iCCP_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_iTXt_chunk.png b/contrib/testpngs/crashers/huge_iTXt_chunk.png
new file mode 100644
index 0000000..0982620
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_iTXt_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_juNK_unsafe_to_copy.png b/contrib/testpngs/crashers/huge_juNK_unsafe_to_copy.png
new file mode 100644
index 0000000..0cb106f
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_juNK_unsafe_to_copy.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_juNk_safe_to_copy.png b/contrib/testpngs/crashers/huge_juNk_safe_to_copy.png
new file mode 100644
index 0000000..85252b7
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_juNk_safe_to_copy.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_pCAL_chunk.png b/contrib/testpngs/crashers/huge_pCAL_chunk.png
new file mode 100644
index 0000000..bc12a8f
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_pCAL_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_pHYs_chunk.png b/contrib/testpngs/crashers/huge_pHYs_chunk.png
new file mode 100644
index 0000000..343b977
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_pHYs_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_sCAL_chunk.png b/contrib/testpngs/crashers/huge_sCAL_chunk.png
new file mode 100644
index 0000000..61f2f82
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_sCAL_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_sPLT_chunk.png b/contrib/testpngs/crashers/huge_sPLT_chunk.png
new file mode 100644
index 0000000..75d383a
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_sPLT_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_sRGB_chunk.png b/contrib/testpngs/crashers/huge_sRGB_chunk.png
new file mode 100644
index 0000000..bc1db33
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_sRGB_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_sTER_chunk.png b/contrib/testpngs/crashers/huge_sTER_chunk.png
new file mode 100644
index 0000000..39219fe
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_sTER_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_tEXt_chunk.png b/contrib/testpngs/crashers/huge_tEXt_chunk.png
new file mode 100644
index 0000000..947fc37
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_tEXt_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_tIME_chunk.png b/contrib/testpngs/crashers/huge_tIME_chunk.png
new file mode 100644
index 0000000..16452fb
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_tIME_chunk.png
Binary files differ
diff --git a/contrib/testpngs/crashers/huge_zTXt_chunk.png b/contrib/testpngs/crashers/huge_zTXt_chunk.png
new file mode 100644
index 0000000..52f0953
--- /dev/null
+++ b/contrib/testpngs/crashers/huge_zTXt_chunk.png
Binary files differ
diff --git a/libpng-manual.txt b/libpng-manual.txt
index b81d2a6..e34b143 100644
--- a/libpng-manual.txt
+++ b/libpng-manual.txt
@@ -1,6 +1,6 @@
 libpng-manual.txt - A description on how to use and modify libpng
 
- libpng version 1.6.31 - July 27, 2017
+ libpng version 1.6.32 - August 24, 2017
  Updated and distributed by Glenn Randers-Pehrson
  <glennrp at users.sourceforge.net>
  Copyright (c) 1998-2017 Glenn Randers-Pehrson
@@ -11,7 +11,7 @@
 
  Based on:
 
- libpng versions 0.97, January 1998, through 1.6.31 - July 27, 2017
+ libpng versions 0.97, January 1998, through 1.6.32 - August 24, 2017
  Updated and distributed by Glenn Randers-Pehrson
  Copyright (c) 1998-2017 Glenn Randers-Pehrson
 
@@ -688,8 +688,9 @@
    chunk_cache_max = png_get_chunk_cache_max(png_ptr);
 
 Libpng imposes a limit of 8 Megabytes (8,000,000 bytes) on the amount of
-memory that a compressed chunk other than IDAT can occupy, when decompressed.
-You can change this limit with
+memory that any chunk other than IDAT can occupy, originally or when
+decompressed (prior to libpng-1.6.32 the limit was only applied to compressed
+chunks after decompression). You can change this limit with
 
    png_set_chunk_malloc_max(png_ptr, user_chunk_malloc_max);
 
@@ -1453,7 +1454,7 @@
                      the single transparent color for
                      non-paletted images (PNG_INFO_tRNS)
 
-    png_get_eXIf(png_ptr, info_ptr, &exif);
+    png_get_eXIf_1(png_ptr, info_ptr, &num_exif, &exif);
                      (PNG_INFO_eXIf)
 
     exif           - Exif profile (array of png_byte)
@@ -3103,9 +3104,9 @@
                      single transparent color for
                      non-paletted images (PNG_INFO_tRNS)
 
-    png_set_eXIf(png_ptr, info_ptr, exif);
+    png_set_eXIf_1(png_ptr, info_ptr, num_exif, exif);
 
-    hist           - Exif profile (array of
+    exif           - Exif profile (array of
                      png_byte) (PNG_INFO_eXIf)
 
     png_set_hIST(png_ptr, info_ptr, hist);
@@ -5404,7 +5405,7 @@
 an official declaration.
 
 This is your unofficial assurance that libpng from version 0.71 and
-upward through 1.6.31 are Y2K compliant.  It is my belief that earlier
+upward through 1.6.32 are Y2K compliant.  It is my belief that earlier
 versions were also Y2K compliant.
 
 Libpng only has two year fields.  One is a 2-byte unsigned integer
diff --git a/libpng.3 b/libpng.3
index 345aba1..899d8ea 100644
--- a/libpng.3
+++ b/libpng.3
@@ -1,6 +1,6 @@
-.TH LIBPNG 3 "July 27, 2017"
+.TH LIBPNG 3 "August 24, 2017"
 .SH NAME
-libpng \- Portable Network Graphics (PNG) Reference Library 1.6.31
+libpng \- Portable Network Graphics (PNG) Reference Library 1.6.32
 .SH SYNOPSIS
 \fB
 #include <png.h>\fP
@@ -99,6 +99,8 @@
 
 \fBpng_uint_32 png_get_eXIf (png_const_structp \fP\fIpng_ptr\fP\fB, png_const_infop \fP\fIinfo_ptr\fP\fB, png_bytep \fI*exif\fP\fB);\fP
 
+\fBpng_uint_32 png_get_eXIf_1 (png_const_structp \fP\fIpng_ptr\fP\fB, png_const_infop \fP\fIinfo_ptr\fP\fB, png_unit_32 \fP\fI*num_exif\fP\fB, png_bytep \fI*exif\fP\fB);\fP
+
 \fBpng_uint_32 png_get_hIST (png_const_structp \fP\fIpng_ptr\fP\fB, png_const_infop \fP\fIinfo_ptr\fP\fB, png_uint_16p \fI*hist\fP\fB);\fP
 
 \fBpng_uint_32 png_get_iCCP (png_const_structp \fP\fIpng_ptr\fP\fB, png_const_infop \fP\fIinfo_ptr\fP\fB, png_charpp \fP\fIname\fP\fB, int \fP\fI*compression_type\fP\fB, png_bytepp \fP\fIprofile\fP\fB, png_uint_32 \fI*proflen\fP\fB);\fP
@@ -351,6 +353,8 @@
 
 \fBvoid png_set_eXIf (png_structp \fP\fIpng_ptr\fP\fB, png_infop \fP\fIinfo_ptr\fP\fB, png_bytep \fIexif\fP\fB);\fP
 
+\fBvoid png_set_eXIf_1 (png_structp \fP\fIpng_ptr\fP\fB, png_infop \fP\fIinfo_ptr\fP\fB, const png_uint_32 \fP\fInum_exif\fP\fB, png_bytep \fIexif\fP\fB);\fP
+
 \fBvoid png_set_hIST (png_structp \fP\fIpng_ptr\fP\fB, png_infop \fP\fIinfo_ptr\fP\fB, png_uint_16p \fIhist\fP\fB);\fP
 
 \fBvoid png_set_iCCP (png_structp \fP\fIpng_ptr\fP\fB, png_infop \fP\fIinfo_ptr\fP\fB, png_const_charp \fP\fIname\fP\fB, int \fP\fIcompression_type\fP\fB, png_const_bytep \fP\fIprofile\fP\fB, png_uint_32 \fIproflen\fP\fB);\fP
@@ -514,7 +518,7 @@
 .SH LIBPNG.TXT
 libpng-manual.txt - A description on how to use and modify libpng
 
- libpng version 1.6.31 - July 27, 2017
+ libpng version 1.6.32 - August 24, 2017
  Updated and distributed by Glenn Randers-Pehrson
  <glennrp at users.sourceforge.net>
  Copyright (c) 1998-2017 Glenn Randers-Pehrson
@@ -525,7 +529,7 @@
 
  Based on:
 
- libpng versions 0.97, January 1998, through 1.6.31 - July 27, 2017
+ libpng versions 0.97, January 1998, through 1.6.32 - August 24, 2017
  Updated and distributed by Glenn Randers-Pehrson
  Copyright (c) 1998-2017 Glenn Randers-Pehrson
 
@@ -1202,8 +1206,9 @@
    chunk_cache_max = png_get_chunk_cache_max(png_ptr);
 
 Libpng imposes a limit of 8 Megabytes (8,000,000 bytes) on the amount of
-memory that a compressed chunk other than IDAT can occupy, when decompressed.
-You can change this limit with
+memory that any chunk other than IDAT can occupy, originally or when
+decompressed (prior to libpng-1.6.32 the limit was only applied to compressed
+chunks after decompression). You can change this limit with
 
    png_set_chunk_malloc_max(png_ptr, user_chunk_malloc_max);
 
@@ -1967,7 +1972,7 @@
                      the single transparent color for
                      non-paletted images (PNG_INFO_tRNS)
 
-    png_get_eXIf(png_ptr, info_ptr, &exif);
+    png_get_eXIf_1(png_ptr, info_ptr, &num_exif, &exif);
                      (PNG_INFO_eXIf)
 
     exif           - Exif profile (array of png_byte)
@@ -3617,9 +3622,9 @@
                      single transparent color for
                      non-paletted images (PNG_INFO_tRNS)
 
-    png_set_eXIf(png_ptr, info_ptr, exif);
+    png_set_eXIf_1(png_ptr, info_ptr, num_exif, exif);
 
-    hist           - Exif profile (array of
+    exif           - Exif profile (array of
                      png_byte) (PNG_INFO_eXIf)
 
     png_set_hIST(png_ptr, info_ptr, hist);
@@ -5918,7 +5923,7 @@
 an official declaration.
 
 This is your unofficial assurance that libpng from version 0.71 and
-upward through 1.6.31 are Y2K compliant.  It is my belief that earlier
+upward through 1.6.32 are Y2K compliant.  It is my belief that earlier
 versions were also Y2K compliant.
 
 Libpng only has two year fields.  One is a 2-byte unsigned integer
@@ -6020,7 +6025,7 @@
  ...
  1.5.28                  15    10528  15.so.15.28[.0]
  ...
- 1.6.31                  16    10631  16.so.16.31[.0]
+ 1.6.32                  16    10632  16.so.16.32[.0]
 
 Henceforth the source version will match the shared-library minor
 and patch numbers; the shared-library major version number will be
@@ -6076,7 +6081,7 @@
 
 Thanks to Frank J. T. Wojcik for helping with the documentation.
 
-Libpng version 1.6.31 - July 27, 2017:
+Libpng version 1.6.32 - August 24, 2017:
 Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc.
 Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net).
 
@@ -6101,7 +6106,7 @@
 
 This code is released under the libpng license.
 
-libpng versions 1.0.7, July 1, 2000 through 1.6.31, July 27, 2017 are
+libpng versions 1.0.7, July 1, 2000 through 1.6.32, August 24, 2017 are
 Copyright (c) 2000-2002, 2004, 2006-2017 Glenn Randers-Pehrson, are
 derived from libpng-1.0.6, and are distributed according to the same
 disclaimer and license as libpng-1.0.6 with the following individuals
@@ -6229,7 +6234,7 @@
 
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-July 27, 2017
+August 24, 2017
 
 .\" end of man page
 
diff --git a/libpngpf.3 b/libpngpf.3
index 70992ab..ab84577 100644
--- a/libpngpf.3
+++ b/libpngpf.3
@@ -1,6 +1,6 @@
 .TH LIBPNGPF 3 "April 1, 2017"
 .SH NAME
-libpng \- Portable Network Graphics (PNG) Reference Library 1.6.31
+libpng \- Portable Network Graphics (PNG) Reference Library 1.6.32
 (private functions)
 .SH SYNOPSIS
 \fB\fB#include \fI\fI"pngpriv.h"
diff --git a/png.c b/png.c
index ae5e1d9..2352df1 100644
--- a/png.c
+++ b/png.c
@@ -1,7 +1,7 @@
 
 /* png.c - location for general purpose libpng functions
  *
- * Last changed in libpng 1.6.31 [July 27, 2017]
+ * Last changed in libpng 1.6.32 [August 24, 2017]
  * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -14,7 +14,7 @@
 #include "pngpriv.h"
 
 /* Generate a compiler error if there is an old png.h in the search path. */
-typedef png_libpng_version_1_6_31 Your_png_h_is_not_version_1_6_31;
+typedef png_libpng_version_1_6_32 Your_png_h_is_not_version_1_6_32;
 
 #ifdef __GNUC__
 /* The version tests may need to be added to, but the problem warning has
@@ -619,8 +619,18 @@
    /* Free any eXIf entry */
    if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0)
    {
-      png_free(png_ptr, info_ptr->exif);
-      info_ptr->exif = NULL;
+# ifdef PNG_READ_eXIf_SUPPORTED
+      if (info_ptr->eXIf_buf)
+      {
+         png_free(png_ptr, info_ptr->eXIf_buf);
+         info_ptr->eXIf_buf = NULL;
+      }
+# endif
+      if (info_ptr->exif)
+      {
+         png_free(png_ptr, info_ptr->exif);
+         info_ptr->exif = NULL;
+      }
       info_ptr->valid &= ~PNG_INFO_eXIf;
    }
 #endif
@@ -806,14 +816,14 @@
 #else
 #  ifdef __STDC__
    return PNG_STRING_NEWLINE \
-      "libpng version 1.6.31 - July 27, 2017" PNG_STRING_NEWLINE \
+      "libpng version 1.6.32 - August 24, 2017" PNG_STRING_NEWLINE \
       "Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson" \
       PNG_STRING_NEWLINE \
       "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
       "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
       PNG_STRING_NEWLINE;
 #  else
-   return "libpng version 1.6.31 - July 27, 2017\
+   return "libpng version 1.6.32 - August 24, 2017\
       Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson\
       Copyright (c) 1996-1997 Andreas Dilger\
       Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
diff --git a/png.h b/png.h
index 4321416..51ac8ab 100644
--- a/png.h
+++ b/png.h
@@ -1,7 +1,7 @@
 
 /* png.h - header file for PNG reference library
  *
- * libpng version 1.6.31, July 27, 2017
+ * libpng version 1.6.32, August 24, 2017
  *
  * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
@@ -12,7 +12,7 @@
  * Authors and maintainers:
  *   libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
  *   libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger
- *   libpng versions 0.97, January 1998, through 1.6.31, July 27, 2017:
+ *   libpng versions 0.97, January 1998, through 1.6.32, August 24, 2017:
  *     Glenn Randers-Pehrson.
  *   See also "Contributing Authors", below.
  */
@@ -25,7 +25,7 @@
  *
  * This code is released under the libpng license.
  *
- * libpng versions 1.0.7, July 1, 2000 through 1.6.31, July 27, 2017 are
+ * libpng versions 1.0.7, July 1, 2000 through 1.6.32, August 24, 2017 are
  * Copyright (c) 2000-2002, 2004, 2006-2017 Glenn Randers-Pehrson, are
  * derived from libpng-1.0.6, and are distributed according to the same
  * disclaimer and license as libpng-1.0.6 with the following individuals
@@ -213,7 +213,7 @@
  *    ...
  *    1.5.28                  15    10527  15.so.15.28[.0]
  *    ...
- *    1.6.31                  16    10631  16.so.16.31[.0]
+ *    1.6.32                  16    10632  16.so.16.32[.0]
  *
  *    Henceforth the source version will match the shared-library major
  *    and minor numbers; the shared-library major version number will be
@@ -241,13 +241,13 @@
  * Y2K compliance in libpng:
  * =========================
  *
- *    July 27, 2017
+ *    August 24, 2017
  *
  *    Since the PNG Development group is an ad-hoc body, we can't make
  *    an official declaration.
  *
  *    This is your unofficial assurance that libpng from version 0.71 and
- *    upward through 1.6.31 are Y2K compliant.  It is my belief that
+ *    upward through 1.6.32 are Y2K compliant.  It is my belief that
  *    earlier versions were also Y2K compliant.
  *
  *    Libpng only has two year fields.  One is a 2-byte unsigned integer
@@ -309,8 +309,8 @@
  */
 
 /* Version information for png.h - this should match the version in png.c */
-#define PNG_LIBPNG_VER_STRING "1.6.31"
-#define PNG_HEADER_VERSION_STRING " libpng version 1.6.31 - July 27, 2017\n"
+#define PNG_LIBPNG_VER_STRING "1.6.32"
+#define PNG_HEADER_VERSION_STRING " libpng version 1.6.32 - August 24, 2017\n"
 
 #define PNG_LIBPNG_VER_SONUM   16
 #define PNG_LIBPNG_VER_DLLNUM  16
@@ -318,7 +318,7 @@
 /* These should match the first 3 components of PNG_LIBPNG_VER_STRING: */
 #define PNG_LIBPNG_VER_MAJOR   1
 #define PNG_LIBPNG_VER_MINOR   6
-#define PNG_LIBPNG_VER_RELEASE 31
+#define PNG_LIBPNG_VER_RELEASE 32
 
 /* This should match the numeric part of the final component of
  * PNG_LIBPNG_VER_STRING, omitting any leading zero:
@@ -349,7 +349,7 @@
  * version 1.0.0 was mis-numbered 100 instead of 10000).  From
  * version 1.0.1 it's    xxyyzz, where x=major, y=minor, z=release
  */
-#define PNG_LIBPNG_VER 10631 /* 1.6.31 */
+#define PNG_LIBPNG_VER 10632 /* 1.6.32 */
 
 /* Library configuration: these options cannot be changed after
  * the library has been built.
@@ -459,7 +459,7 @@
 /* This triggers a compiler error in png.c, if png.c and png.h
  * do not agree upon the version number.
  */
-typedef char* png_libpng_version_1_6_31;
+typedef char* png_libpng_version_1_6_32;
 
 /* Basic control structions.  Read libpng-manual.txt or libpng.3 for more info.
  *
@@ -2014,6 +2014,11 @@
     png_inforp info_ptr, png_bytep *exif));
 PNG_EXPORT(247, void, png_set_eXIf, (png_const_structrp png_ptr,
     png_inforp info_ptr, const png_bytep exif));
+
+PNG_EXPORT(248, png_uint_32, png_get_eXIf_1, (png_const_structrp png_ptr,
+    png_const_inforp info_ptr, png_uint_32 *num_exif, png_bytep *exif));
+PNG_EXPORT(249, void, png_set_eXIf_1, (png_const_structrp png_ptr,
+    png_inforp info_ptr, const png_uint_32 num_exif, const png_bytep exif));
 #endif
 
 #ifdef PNG_gAMA_SUPPORTED
@@ -3259,7 +3264,7 @@
  * one to use is one more than this.)
  */
 #ifdef PNG_EXPORT_LAST_ORDINAL
-  PNG_EXPORT_LAST_ORDINAL(247);
+  PNG_EXPORT_LAST_ORDINAL(249);
 #endif
 
 #ifdef __cplusplus
diff --git a/pngconf.h b/pngconf.h
index af6e80c..c0f1554 100644
--- a/pngconf.h
+++ b/pngconf.h
@@ -1,7 +1,7 @@
 
 /* pngconf.h - machine configurable file for libpng
  *
- * libpng version 1.6.31, July 27, 2017
+ * libpng version 1.6.32, August 24, 2017
  *
  * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
diff --git a/pngget.c b/pngget.c
index ace9e63..26e9fb1 100644
--- a/pngget.c
+++ b/pngget.c
@@ -1,8 +1,8 @@
 
 /* pngget.c - retrieval of values from info struct
  *
- * Last changed in libpng 1.6.26 [October 20, 2016]
- * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
+ * Last changed in libpng 1.6.32 [August 24, 2017]
+ * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -778,11 +778,22 @@
 png_get_eXIf(png_const_structrp png_ptr, png_inforp info_ptr,
     png_bytep *exif)
 {
+  png_warning(png_ptr, "png_get_eXIf does not work; use png_get_eXIf_1");
+  PNG_UNUSED(info_ptr)
+  PNG_UNUSED(exif)
+  return 0;
+}
+
+png_uint_32 PNGAPI
+png_get_eXIf_1(png_const_structrp png_ptr, png_const_inforp info_ptr,
+    png_uint_32 *num_exif, png_bytep *exif)
+{
    png_debug1(1, "in %s retrieval function", "eXIf");
 
    if (png_ptr != NULL && info_ptr != NULL &&
        (info_ptr->valid & PNG_INFO_eXIf) != 0 && exif != NULL)
    {
+      *num_exif = info_ptr->num_exif;
       *exif = info_ptr->exif;
       return (PNG_INFO_eXIf);
    }
diff --git a/pnginfo.h b/pnginfo.h
index 6e6d46a..d5f6149 100644
--- a/pnginfo.h
+++ b/pnginfo.h
@@ -186,8 +186,11 @@
 #endif
 
 #ifdef PNG_eXIf_SUPPORTED
-   int num_exif;
+   int num_exif;  /* Added at libpng-1.6.31 */
    png_bytep exif;
+# ifdef PNG_READ_eXIf_SUPPORTED
+   png_bytep eXIf_buf;  /* Added at libpng-1.6.32 */
+# endif
 #endif
 
 #ifdef PNG_hIST_SUPPORTED
diff --git a/pngpread.c b/pngpread.c
index 650ba1e..fbe361d 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -1,8 +1,8 @@
 
 /* pngpread.c - read a png file in push mode
  *
- * Last changed in libpng 1.6.24 [August 4, 2016]
- * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
+ * Last changed in libpng 1.6.32 [August 24, 2017]
+ * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -189,6 +189,7 @@
       png_crc_read(png_ptr, chunk_tag, 4);
       png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
       png_check_chunk_name(png_ptr, png_ptr->chunk_name);
+      png_check_chunk_length(png_ptr, png_ptr->push_length);
       png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
    }
 
diff --git a/pngpriv.h b/pngpriv.h
index ef45ab7..1f2e90f 100644
--- a/pngpriv.h
+++ b/pngpriv.h
@@ -1,7 +1,7 @@
 
 /* pngpriv.h - private declarations for use inside libpng
  *
- * Last changed in libpng 1.6.31 [July 27, 2017]
+ * Last changed in libpng 1.6.32 [August 24, 2017]
  * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -1143,6 +1143,11 @@
     int intent),PNG_EMPTY);
 #endif
 
+#ifdef PNG_WRITE_eXIf_SUPPORTED
+PNG_INTERNAL_FUNCTION(void,png_write_eXIf,(png_structrp png_ptr,
+    png_bytep exif, int num_exif),PNG_EMPTY);
+#endif
+
 #ifdef PNG_WRITE_iCCP_SUPPORTED
 PNG_INTERNAL_FUNCTION(void,png_write_iCCP,(png_structrp png_ptr,
    png_const_charp name, png_const_bytep profile), PNG_EMPTY);
@@ -1522,8 +1527,11 @@
     png_inforp info_ptr, png_uint_32 length),PNG_EMPTY);
 #endif
 
-PNG_INTERNAL_FUNCTION(void,png_check_chunk_name,(png_structrp png_ptr,
-    png_uint_32 chunk_name),PNG_EMPTY);
+PNG_INTERNAL_FUNCTION(void,png_check_chunk_name,(png_const_structrp png_ptr,
+    const png_uint_32 chunk_name),PNG_EMPTY);
+
+PNG_INTERNAL_FUNCTION(void,png_check_chunk_length,(png_const_structrp png_ptr,
+    const png_uint_32 chunk_length),PNG_EMPTY);
 
 PNG_INTERNAL_FUNCTION(void,png_handle_unknown,(png_structrp png_ptr,
     png_inforp info_ptr, png_uint_32 length, int keep),PNG_EMPTY);
diff --git a/pngread.c b/pngread.c
index 331ce12..e34ddd9 100644
--- a/pngread.c
+++ b/pngread.c
@@ -1,7 +1,7 @@
 
 /* pngread.c - read a PNG file
  *
- * Last changed in libpng 1.6.31 [July 27, 2017]
+ * Last changed in libpng 1.6.32 [August 24, 2017]
  * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -175,6 +175,11 @@
          png_handle_cHRM(png_ptr, info_ptr, length);
 #endif
 
+#ifdef PNG_READ_eXIf_SUPPORTED
+      else if (chunk_name == png_eXIf)
+         png_handle_eXIf(png_ptr, info_ptr, length);
+#endif
+
 #ifdef PNG_READ_gAMA_SUPPORTED
       else if (chunk_name == png_gAMA)
          png_handle_gAMA(png_ptr, info_ptr, length);
@@ -534,6 +539,7 @@
       png_error(png_ptr, "Invalid attempt to read row data");
 
    /* Fill the row with IDAT data: */
+   png_ptr->row_buf[0]=255; /* to force error if no data was found */
    png_read_IDAT_data(png_ptr, png_ptr->row_buf, row_info.rowbytes + 1);
 
    if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE)
@@ -842,6 +848,11 @@
          png_handle_cHRM(png_ptr, info_ptr, length);
 #endif
 
+#ifdef PNG_READ_eXIf_SUPPORTED
+      else if (chunk_name == png_eXIf)
+         png_handle_eXIf(png_ptr, info_ptr, length);
+#endif
+
 #ifdef PNG_READ_gAMA_SUPPORTED
       else if (chunk_name == png_gAMA)
          png_handle_gAMA(png_ptr, info_ptr, length);
diff --git a/pngrutil.c b/pngrutil.c
index 7fe5cd1..a4fa714 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1,7 +1,7 @@
 
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.6.31 [July 27, 2017]
+ * Last changed in libpng 1.6.32 [August 24, 2017]
  * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -181,6 +181,9 @@
    /* Check to see if chunk name is valid. */
    png_check_chunk_name(png_ptr, png_ptr->chunk_name);
 
+   /* Check for too-large chunk length */
+   png_check_chunk_length(png_ptr, length);
+
 #ifdef PNG_IO_STATE_SUPPORTED
    png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
 #endif
@@ -1377,11 +1380,13 @@
     * chunk is just ignored, so does not invalidate the color space.  An
     * alternative is to set the 'invalid' flags at the start of this routine
     * and only clear them in they were not set before and all the tests pass.
-    * The minimum 'deflate' stream is assumed to be just the 2 byte header and
-    * 4 byte checksum.  The keyword must be at least one character and there is
-    * a terminator (0) byte and the compression method.
     */
-   if (length < 9)
+
+   /* The keyword must be at least one character and there is a
+    * terminator (0) byte and the compression method byte, and the
+    * 'zlib' datastream is at least 11 bytes.
+    */
+   if (length < 14)
    {
       png_crc_finish(png_ptr, length);
       png_chunk_benign_error(png_ptr, "too short");
@@ -1413,6 +1418,16 @@
       png_crc_read(png_ptr, (png_bytep)keyword, read_length);
       length -= read_length;
 
+      /* The minimum 'zlib' stream is assumed to be just the 2 byte header,
+       * 5 bytes minimum 'deflate' stream, and the 4 byte checksum.
+       */
+      if (length < 11)
+      {
+         png_crc_finish(png_ptr, length);
+         png_chunk_benign_error(png_ptr, "too short");
+         return;
+      }
+
       keyword_length = 0;
       while (keyword_length < 80 && keyword_length < read_length &&
          keyword[keyword_length] != 0)
@@ -1431,7 +1446,7 @@
 
             if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
             {
-               Byte profile_header[132];
+               Byte profile_header[132]={0};
                Byte local_buffer[PNG_INFLATE_BUF_SIZE];
                png_alloc_size_t size = (sizeof profile_header);
 
@@ -2014,36 +2029,61 @@
 png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 {
    unsigned int i;
-   png_bytep eXIf_buf;
 
    png_debug(1, "in png_handle_eXIf");
 
    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
       png_chunk_error(png_ptr, "missing IHDR");
 
-   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_eXIf) != 0)
+   if (length < 2)
+   {
+      png_crc_finish(png_ptr, length);
+      png_chunk_benign_error(png_ptr, "too short");
+      return;
+   }
+
+   else if (info_ptr == NULL || (info_ptr->valid & PNG_INFO_eXIf) != 0)
    {
       png_crc_finish(png_ptr, length);
       png_chunk_benign_error(png_ptr, "duplicate");
       return;
    }
 
-   eXIf_buf = png_voidcast(png_bytep,
+   info_ptr->free_me |= PNG_FREE_EXIF;
+
+   info_ptr->eXIf_buf = png_voidcast(png_bytep,
              png_malloc_warn(png_ptr, length));
 
+   if (info_ptr->eXIf_buf == NULL)
+   {
+      png_crc_finish(png_ptr, length);
+      png_chunk_benign_error(png_ptr, "out of memory");
+      return;
+   }
+
    for (i = 0; i < length; i++)
    {
       png_byte buf[1];
       png_crc_read(png_ptr, buf, 1);
-      eXIf_buf[i] = buf[0];
+      info_ptr->eXIf_buf[i] = buf[0];
+      if (i == 1 && buf[0] != 'M' && buf[0] != 'I'
+                 && info_ptr->eXIf_buf[0] != buf[0])
+      {
+         png_crc_finish(png_ptr, length);
+         png_chunk_benign_error(png_ptr, "incorrect byte-order specifier");
+         png_free(png_ptr, info_ptr->eXIf_buf);
+         info_ptr->eXIf_buf = NULL;
+         return;
+      }
    }
 
    if (png_crc_finish(png_ptr, 0) != 0)
       return;
 
-   info_ptr->num_exif = length;
+   png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
 
-   png_set_eXIf(png_ptr, info_ptr, eXIf_buf);
+   png_free(png_ptr, info_ptr->eXIf_buf);
+   info_ptr->eXIf_buf = NULL;
 }
 #endif
 
@@ -2624,23 +2664,28 @@
       {
          png_text text;
 
-         /* It worked; png_ptr->read_buffer now looks like a tEXt chunk except
-          * for the extra compression type byte and the fact that it isn't
-          * necessarily '\0' terminated.
-          */
-         buffer = png_ptr->read_buffer;
-         buffer[uncompressed_length+(keyword_length+2)] = 0;
+         if (png_ptr->read_buffer == NULL)
+           errmsg="Read failure in png_handle_zTXt";
+         else
+         {
+            /* It worked; png_ptr->read_buffer now looks like a tEXt chunk
+             * except for the extra compression type byte and the fact that
+             * it isn't necessarily '\0' terminated.
+             */
+            buffer = png_ptr->read_buffer;
+            buffer[uncompressed_length+(keyword_length+2)] = 0;
 
-         text.compression = PNG_TEXT_COMPRESSION_zTXt;
-         text.key = (png_charp)buffer;
-         text.text = (png_charp)(buffer + keyword_length+2);
-         text.text_length = uncompressed_length;
-         text.itxt_length = 0;
-         text.lang = NULL;
-         text.lang_key = NULL;
+            text.compression = PNG_TEXT_COMPRESSION_zTXt;
+            text.key = (png_charp)buffer;
+            text.text = (png_charp)(buffer + keyword_length+2);
+            text.text_length = uncompressed_length;
+            text.itxt_length = 0;
+            text.lang = NULL;
+            text.lang_key = NULL;
 
-         if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
-            errmsg = "insufficient memory";
+            if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
+               errmsg = "insufficient memory";
+         }
       }
 
       else
@@ -3076,20 +3121,58 @@
  */
 
 void /* PRIVATE */
-png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name)
+png_check_chunk_name(png_const_structrp png_ptr, const png_uint_32 chunk_name)
 {
    int i;
+   png_uint_32 cn=chunk_name;
 
    png_debug(1, "in png_check_chunk_name");
 
    for (i=1; i<=4; ++i)
    {
-      int c = chunk_name & 0xff;
+      int c = cn & 0xff;
 
       if (c < 65 || c > 122 || (c > 90 && c < 97))
          png_chunk_error(png_ptr, "invalid chunk type");
 
-      chunk_name >>= 8;
+      cn >>= 8;
+   }
+}
+
+void /* PRIVATE */
+png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
+{
+   png_alloc_size_t limit = PNG_UINT_31_MAX;
+
+   if (png_ptr->chunk_name != png_IDAT)
+   {
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+      if (png_ptr->user_chunk_malloc_max > 0 &&
+          png_ptr->user_chunk_malloc_max < limit)
+         limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+      if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+         limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+   }
+   else
+   {
+      size_t row_factor =
+         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+          + 1 + (png_ptr->interlaced? 6: 0));
+      if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+         limit=PNG_UINT_31_MAX;
+      else
+         limit = png_ptr->height * row_factor;
+      limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
+      limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
+   }
+
+   if (length > limit)
+   {
+      png_debug2(0," length = %lu, limit = %lu",
+         (unsigned long)length,(unsigned long)limit);
+      png_chunk_error(png_ptr, "chunk data is too large");
    }
 }
 
diff --git a/pngset.c b/pngset.c
index 9984735..6f3a1ee 100644
--- a/pngset.c
+++ b/pngset.c
@@ -1,7 +1,7 @@
 
 /* pngset.c - storage of image information into info struct
  *
- * Last changed in libpng 1.6.30 [June 28, 2017]
+ * Last changed in libpng 1.6.32 [August 24, 2017]
  * Copyright (c) 1998-2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -139,6 +139,15 @@
 png_set_eXIf(png_const_structrp png_ptr, png_inforp info_ptr,
     const png_bytep eXIf_buf)
 {
+  png_warning(png_ptr, "png_set_eXIf does not work; use png_set_eXIf_1");
+  PNG_UNUSED(info_ptr)
+  PNG_UNUSED(eXIf_buf)
+}
+
+void PNGAPI
+png_set_eXIf_1(png_const_structrp png_ptr, png_inforp info_ptr,
+    const png_uint_32 num_exif, const png_bytep eXIf_buf)
+{
    int i;
 
    png_debug1(1, "in %s storage function", "eXIf");
@@ -146,7 +155,13 @@
    if (png_ptr == NULL || info_ptr == NULL)
       return;
 
-   png_free_data(png_ptr, info_ptr, PNG_FREE_EXIF, 0);
+   if (info_ptr->exif)
+   {
+      png_free(png_ptr, info_ptr->exif);
+      info_ptr->exif = NULL;
+   }
+
+   info_ptr->num_exif = num_exif;
 
    info_ptr->exif = png_voidcast(png_bytep, png_malloc_warn(png_ptr,
        info_ptr->num_exif));
@@ -154,13 +169,12 @@
    if (info_ptr->exif == NULL)
    {
       png_warning(png_ptr, "Insufficient memory for eXIf chunk data");
-
       return;
    }
 
    info_ptr->free_me |= PNG_FREE_EXIF;
 
-   for (i = 0; i < info_ptr->num_exif; i++)
+   for (i = 0; i < (int) info_ptr->num_exif; i++)
       info_ptr->exif[i] = eXIf_buf[i];
 
    info_ptr->valid |= PNG_INFO_eXIf;
@@ -1388,6 +1402,7 @@
       static PNG_CONST png_byte chunks_to_ignore[] = {
          98,  75,  71,  68, '\0',  /* bKGD */
          99,  72,  82,  77, '\0',  /* cHRM */
+        101,  88,  73, 102, '\0',  /* eXIf */
         103,  65,  77,  65, '\0',  /* gAMA */
         104,  73,  83,  84, '\0',  /* hIST */
         105,  67,  67,  80, '\0',  /* iCCP */
diff --git a/pngstruct.h b/pngstruct.h
index 44b79de..d83f971 100644
--- a/pngstruct.h
+++ b/pngstruct.h
@@ -1,7 +1,7 @@
 
 /* pngstruct.h - header file for PNG reference library
  *
- * Last changed in libpng 1.6.28 [January 5, 2017]
+ * Last changed in libpng 1.6.32 [August 24, 2017]
  * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -479,8 +479,5 @@
    png_colorspace   colorspace;
 #endif
 #endif
-
-/* New member added in libpng-1.6.31 */
-   int num_exif;
 };
 #endif /* PNGSTRUCT_H */
diff --git a/pngtest.c b/pngtest.c
index bdd37db..ce53345 100644
--- a/pngtest.c
+++ b/pngtest.c
@@ -1,8 +1,8 @@
 
 /* pngtest.c - a simple test program to test libpng
  *
- * Last changed in libpng 1.6.26 [October 20, 2016]
- * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
+ * Last changed in libpng 1.6.32 [August 24, 2017]
+ * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -144,6 +144,7 @@
 static int verbose = 0;
 static int strict = 0;
 static int relaxed = 0;
+static int xfail = 0;
 static int unsupported_chunks = 0; /* chunk unsupported by libpng in input */
 static int error_count = 0; /* count calls to png_error */
 static int warning_count = 0; /* count calls to png_warning */
@@ -463,7 +464,7 @@
    if (test != NULL && test->file_name != NULL)
       name = test->file_name;
 
-   fprintf(STDERR, "%s: libpng warning: %s\n", name, message);
+   fprintf(STDERR, "\n%s: libpng warning: %s\n", name, message);
 }
 
 /* This is the default error handling function.  Note that replacements for
@@ -936,8 +937,12 @@
       fprintf(STDERR, "%s -> %s: libpng read error\n", inname, outname);
       png_free(read_ptr, row_buf);
       row_buf = NULL;
+      if (verbose != 0)
+        fprintf(STDERR, "   destroy read structs\n");
       png_destroy_read_struct(&read_ptr, &read_info_ptr, &end_info_ptr);
 #ifdef PNG_WRITE_SUPPORTED
+      if (verbose != 0)
+        fprintf(STDERR, "   destroy write structs\n");
       png_destroy_info_struct(write_ptr, &write_end_info_ptr);
       png_destroy_write_struct(&write_ptr, &write_info_ptr);
 #endif
@@ -952,11 +957,13 @@
    if (setjmp(png_jmpbuf(write_ptr)))
    {
       fprintf(STDERR, "%s -> %s: libpng write error\n", inname, outname);
+      if (verbose != 0)
+        fprintf(STDERR, "   destroying read structs\n");
       png_destroy_read_struct(&read_ptr, &read_info_ptr, &end_info_ptr);
+      if (verbose != 0)
+        fprintf(STDERR, "   destroying write structs\n");
       png_destroy_info_struct(write_ptr, &write_end_info_ptr);
-#ifdef PNG_WRITE_SUPPORTED
       png_destroy_write_struct(&write_ptr, &write_info_ptr);
-#endif
       FCLOSE(fpin);
       FCLOSE(fpout);
       return (1);
@@ -1192,12 +1199,20 @@
       }
    }
 #endif
-#ifdef PNG_eXIf_SUPPORTED
+#ifdef PNG_READ_eXIf_SUPPORTED
    {
-      png_bytep exif;
+      png_bytep exif=NULL;
+      png_uint_32 exif_length;
 
-      if (png_get_eXIf(read_ptr, read_info_ptr, &exif) != 0)
-         png_set_eXIf(write_ptr, write_info_ptr, exif);
+      if (png_get_eXIf_1(read_ptr, read_info_ptr, &exif_length, &exif) != 0)
+      {
+         if (exif_length > 1)
+            fprintf(STDERR," eXIf type %c%c, %lu bytes\n",exif[0],exif[1],
+               (unsigned long)exif_length);
+# ifdef PNG_WRITE_eXIf_SUPPORTED
+         png_set_eXIf_1(write_ptr, write_info_ptr, exif_length, exif);
+# endif
+      }
    }
 #endif
 #ifdef PNG_hIST_SUPPORTED
@@ -1310,10 +1325,10 @@
          {
             int i;
 
-            printf("\n");
+            fprintf(STDERR,"\n");
             for (i=0; i<num_text; i++)
             {
-               printf("   Text compression[%d]=%d\n",
+               fprintf(STDERR,"   Text compression[%d]=%d\n",
                    i, text_ptr[i].compression);
             }
          }
@@ -1406,6 +1421,10 @@
 
    write_chunks(write_ptr, before_IDAT); /* after PLTE */
 
+   png_write_info(write_ptr, write_end_info_ptr);
+
+   write_chunks(write_ptr, after_IDAT); /* after IDAT */
+
 #ifdef PNG_COMPRESSION_COMPAT
    /* Test the 'compatibility' setting here, if it is available. */
    png_set_compression(write_ptr, PNG_COMPRESSION_COMPAT);
@@ -1526,10 +1545,10 @@
          {
             int i;
 
-            printf("\n");
+            fprintf(STDERR,"\n");
             for (i=0; i<num_text; i++)
             {
-               printf("   Text compression[%d]=%d\n",
+               fprintf(STDERR,"   Text compression[%d]=%d\n",
                    i, text_ptr[i].compression);
             }
          }
@@ -1538,12 +1557,20 @@
       }
    }
 #endif
-#ifdef PNG_eXIf_SUPPORTED
+#ifdef PNG_READ_eXIf_SUPPORTED
    {
-      png_bytep exif;
+      png_bytep exif=NULL;
+      png_uint_32 exif_length;
 
-      if (png_get_eXIf(read_ptr, end_info_ptr, &exif) != 0)
-         png_set_eXIf(write_ptr, write_end_info_ptr, exif);
+      if (png_get_eXIf_1(read_ptr, end_info_ptr, &exif_length, &exif) != 0)
+      {
+         if (exif_length > 1)
+            fprintf(STDERR," eXIf type %c%c, %lu bytes\n",exif[0],exif[1],
+               (unsigned long)exif_length);
+# ifdef PNG_WRITE_eXIf_SUPPORTED
+         png_set_eXIf_1(write_ptr, write_end_info_ptr, exif_length, exif);
+# endif
+      }
    }
 #endif
 #ifdef PNG_tIME_SUPPORTED
@@ -1861,6 +1888,7 @@
          inname = argv[2];
          strict++;
          relaxed = 0;
+         multiple=1;
       }
 
       else if (strcmp(argv[1], "--relaxed") == 0)
@@ -1870,6 +1898,17 @@
          inname = argv[2];
          strict = 0;
          relaxed++;
+         multiple=1;
+      }
+      else if (strcmp(argv[1], "--xfail") == 0)
+      {
+         status_dots_requested = 0;
+         verbose = 1;
+         inname = argv[2];
+         strict = 0;
+         xfail++;
+         relaxed++;
+         multiple=1;
       }
 
       else
@@ -1927,8 +1966,13 @@
 
          else
          {
-            fprintf(STDERR, " FAIL\n");
-            ierror += kerror;
+            if (xfail)
+              fprintf(STDERR, " XFAIL\n");
+            else
+            {
+              fprintf(STDERR, " FAIL\n");
+              ierror += kerror;
+            }
          }
 #if defined(PNG_USER_MEM_SUPPORTED) && PNG_DEBUG
          if (allocation_now != current_allocation)
@@ -2016,8 +2060,13 @@
 #endif
             }
 
-            fprintf(STDERR, " FAIL\n");
-            ierror += kerror;
+            if (xfail)
+              fprintf(STDERR, " XFAIL\n");
+            else
+            {
+              fprintf(STDERR, " FAIL\n");
+              ierror += kerror;
+            }
          }
 #if defined(PNG_USER_MEM_SUPPORTED) && PNG_DEBUG
          if (allocation_now != current_allocation)
@@ -2104,4 +2153,4 @@
 #endif
 
 /* Generate a compiler error if there is an old png.h in the search path. */
-typedef png_libpng_version_1_6_31 Your_png_h_is_not_version_1_6_31;
+typedef png_libpng_version_1_6_32 Your_png_h_is_not_version_1_6_32;
diff --git a/pngwrite.c b/pngwrite.c
index 70d47c4..a7662ac 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -1,7 +1,7 @@
 
 /* pngwrite.c - general routines to write a PNG file
  *
- * Last changed in libpng 1.6.31 [July 27, 2017]
+ * Last changed in libpng 1.6.32 [August 24, 2017]
  * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -237,6 +237,11 @@
       png_write_bKGD(png_ptr, &(info_ptr->background), info_ptr->color_type);
 #endif
 
+#ifdef PNG_WRITE_eXIf_SUPPORTED
+   if ((info_ptr->valid & PNG_INFO_eXIf) != 0)
+      png_write_eXIf(png_ptr, info_ptr->exif, info_ptr->num_exif);
+#endif
+
 #ifdef PNG_WRITE_hIST_SUPPORTED
    if ((info_ptr->valid & PNG_INFO_hIST) != 0)
       png_write_hIST(png_ptr, info_ptr->hist, info_ptr->num_palette);
@@ -432,6 +437,12 @@
          }
       }
 #endif
+
+#ifdef PNG_WRITE_eXIf_SUPPORTED
+   if ((info_ptr->valid & PNG_INFO_eXIf) != 0)
+      png_write_eXIf(png_ptr, info_ptr->exif, info_ptr->num_exif);
+#endif
+
 #ifdef PNG_WRITE_UNKNOWN_CHUNKS_SUPPORTED
       write_unknown_chunks(png_ptr, info_ptr, PNG_AFTER_IDAT);
 #endif
diff --git a/pngwutil.c b/pngwutil.c
index 348bb52..0d4fb13 100644
--- a/pngwutil.c
+++ b/pngwutil.c
@@ -1,8 +1,8 @@
 
 /* pngwutil.c - utilities to write a PNG file
  *
- * Last changed in libpng 1.6.26 [October 20, 2016]
- * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
+ * Last changed in libpng 1.6.32 [August 24, 2017]
+ * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -1479,24 +1479,15 @@
 png_write_eXIf(png_structrp png_ptr, png_bytep exif, int num_exif)
 {
    int i;
-   png_byte buf[3];
+   png_byte buf[1];
 
    png_debug(1, "in png_write_eXIf");
 
-   if (num_exif > (int)png_ptr->num_exif)
-   {
-      png_debug2(3, "num_exif = %d, png_ptr->num_exif = %d", num_exif,
-          png_ptr->num_exif);
-
-      png_warning(png_ptr, "Invalid number of exif bytes specified");
-      return;
-   }
-
    png_write_chunk_header(png_ptr, png_eXIf, (png_uint_32)(num_exif));
 
    for (i = 0; i < num_exif; i++)
    {
-      buf[i] = exif[i];
+      buf[0] = exif[i];
       png_write_chunk_data(png_ptr, buf, (png_size_t)1);
    }
 
diff --git a/projects/vstudio/README.txt b/projects/vstudio/README.txt
index 38c159c..e68f242 100644
--- a/projects/vstudio/README.txt
+++ b/projects/vstudio/README.txt
@@ -1,7 +1,7 @@
 
 VisualStudio instructions
 
-libpng version 1.6.31 - July 27, 2017
+libpng version 1.6.32 - August 24, 2017
 
 Copyright (c) 2010,2013,2015 Glenn Randers-Pehrson
 
diff --git a/projects/vstudio/zlib.props b/projects/vstudio/zlib.props
index f3fa101..2b2d690 100644
--- a/projects/vstudio/zlib.props
+++ b/projects/vstudio/zlib.props
@@ -2,7 +2,7 @@
 <!--
  * zlib.props - location of zlib source
  *
- * libpng version 1.6.31 - July 27, 2017
+ * libpng version 1.6.32 - August 24, 2017
  *
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  *
diff --git a/scripts/README.txt b/scripts/README.txt
index 76e70e6..fdc767a 100644
--- a/scripts/README.txt
+++ b/scripts/README.txt
@@ -1,11 +1,11 @@
 
-Makefiles for  libpng version 1.6.31 - July 27, 2017
+Makefiles for  libpng version 1.6.32 - August 24, 2017
 
 pnglibconf.h.prebuilt       =>  Stores configuration settings
  makefile.linux    =>  Linux/ELF makefile
-                       (gcc, creates libpng16.so.16.1.6.31)
+                       (gcc, creates libpng16.so.16.1.6.32)
  makefile.linux-opt=>  Linux/ELF makefile with hardware optimizations on
-                       (gcc, creates libpng16.so.16.1.6.31)
+                       (gcc, creates libpng16.so.16.1.6.32)
  makefile.gcc      =>  Generic makefile (gcc, creates static libpng.a)
  makefile.knr      =>  Archaic UNIX Makefile that converts files with
                        ansi2knr (Requires ansi2knr.c from
@@ -35,12 +35,12 @@
  makefile.os2      =>  OS/2 Makefile (gcc and emx, requires libpng.def)
  makefile.sco      =>  For SCO OSr5  ELF and Unixware 7 with Native cc
  makefile.sggcc    =>  Silicon Graphics (gcc,
-                       creates libpng16.so.16.1.6.31)
+                       creates libpng16.so.16.1.6.32)
  makefile.sgi      =>  Silicon Graphics IRIX makefile (cc, creates static lib)
  makefile.solaris  =>  Solaris 2.X makefile (gcc,
-                       creates libpng16.so.16.1.6.31)
+                       creates libpng16.so.16.1.6.32)
  makefile.so9      =>  Solaris 9 makefile (gcc,
-                       creates libpng16.so.16.1.6.31)
+                       creates libpng16.so.16.1.6.32)
  makefile.std      =>  Generic UNIX makefile (cc, creates static libpng.a)
  makefile.sunos    =>  Sun makefile
  makefile.32sunu   =>  Sun Ultra 32-bit makefile
diff --git a/scripts/def.c b/scripts/def.c
index aedaec8..d5c4075 100644
--- a/scripts/def.c
+++ b/scripts/def.c
@@ -21,7 +21,7 @@
 PNG_DFN "OS2 CODE PRELOAD MOVEABLE DISCARDABLE"
 PNG_DFN ""
 PNG_DFN "EXPORTS"
-PNG_DFN ";Version 1.6.31"
+PNG_DFN ";Version 1.6.32"
 
 #define PNG_EXPORTA(ordinal, type, name, args, attributes)\
         PNG_DFN "@" SYMBOL_PREFIX "@@" name "@"
diff --git a/scripts/libpng-config-head.in b/scripts/libpng-config-head.in
index 9e7d952..2198c52 100644
--- a/scripts/libpng-config-head.in
+++ b/scripts/libpng-config-head.in
@@ -11,7 +11,7 @@
 
 # Modeled after libxml-config.
 
-version=1.6.31
+version=1.6.32
 prefix=""
 libdir=""
 libs=""
diff --git a/scripts/libpng.pc.in b/scripts/libpng.pc.in
index 8210520..ef50624 100644
--- a/scripts/libpng.pc.in
+++ b/scripts/libpng.pc.in
@@ -5,6 +5,6 @@
 
 Name: libpng
 Description: Loads and saves PNG files
-Version: 1.6.31
+Version: 1.6.32
 Libs: -L${libdir} -lpng16
 Cflags: -I${includedir}
diff --git a/scripts/makefile.cegcc b/scripts/makefile.cegcc
index ef17dab..4a3e925 100644
--- a/scripts/makefile.cegcc
+++ b/scripts/makefile.cegcc
@@ -23,7 +23,7 @@
 
 VERMAJ = 1
 VERMIN = 6
-VERMIC = 31
+VERMIC = 32
 VER = $(VERMAJ).$(VERMIN).$(VERMIC)
 NAME = libpng
 PACKAGE = $(NAME)-$(VER)
diff --git a/scripts/makefile.linux b/scripts/makefile.linux
index 8bb5ba7..618cb2f 100644
--- a/scripts/makefile.linux
+++ b/scripts/makefile.linux
@@ -10,7 +10,7 @@
 # Library name:
 LIBNAME = libpng16
 PNGMAJ = 16
-RELEASE = 31
+RELEASE = 32
 
 # Shared library names:
 LIBSO=$(LIBNAME).so
diff --git a/scripts/makefile.linux-opt b/scripts/makefile.linux-opt
index f93c545..f75a787 100644
--- a/scripts/makefile.linux-opt
+++ b/scripts/makefile.linux-opt
@@ -10,7 +10,7 @@
 # Library name:
 LIBNAME = libpng16
 PNGMAJ = 16
-RELEASE = 31
+RELEASE = 32
 
 # Shared library names:
 LIBSO=$(LIBNAME).so
diff --git a/scripts/makefile.msys b/scripts/makefile.msys
index 3056542..84a8949 100644
--- a/scripts/makefile.msys
+++ b/scripts/makefile.msys
@@ -18,7 +18,7 @@
 # Library name:
 LIBNAME = libpng16
 PNGMAJ = 16
-RELEASE = 31
+RELEASE = 32
 
 # Shared library names:
 LIBSO=$(LIBNAME).dll
diff --git a/scripts/makefile.ne12bsd b/scripts/makefile.ne12bsd
index 01d9727..c04993f 100644
--- a/scripts/makefile.ne12bsd
+++ b/scripts/makefile.ne12bsd
@@ -17,7 +17,7 @@
 
 LIB=	png16
 SHLIB_MAJOR=	0
-SHLIB_MINOR=	1.6.31
+SHLIB_MINOR=	1.6.32
 SRCS=	png.c pngset.c pngget.c pngrutil.c pngtrans.c pngwutil.c \
 	pngread.c pngrio.c pngwio.c pngwrite.c pngrtran.c \
 	pngwtran.c pngmem.c pngerror.c pngpread.c
diff --git a/scripts/makefile.netbsd b/scripts/makefile.netbsd
index 7e39344..b52b942 100644
--- a/scripts/makefile.netbsd
+++ b/scripts/makefile.netbsd
@@ -17,7 +17,7 @@
 
 LIB=	png
 SHLIB_MAJOR=	16
-SHLIB_MINOR=	1.6.31
+SHLIB_MINOR=	1.6.32
 SRCS=	png.c pngset.c pngget.c pngrutil.c pngtrans.c pngwutil.c \
 	pngread.c pngrio.c pngwio.c pngwrite.c pngrtran.c \
 	pngwtran.c pngmem.c pngerror.c pngpread.c
diff --git a/scripts/makefile.openbsd b/scripts/makefile.openbsd
index f3f8105..daec109 100644
--- a/scripts/makefile.openbsd
+++ b/scripts/makefile.openbsd
@@ -11,7 +11,7 @@
 MANDIR= ${PREFIX}/man/cat
 
 SHLIB_MAJOR=	16
-SHLIB_MINOR=	1.6.31
+SHLIB_MINOR=	1.6.32
 
 LIB=	png
 SRCS=	png.c pngerror.c pngget.c pngmem.c pngpread.c \
diff --git a/scripts/pnglibconf.dfa b/scripts/pnglibconf.dfa
index cd7aaaf..52c0c74 100644
--- a/scripts/pnglibconf.dfa
+++ b/scripts/pnglibconf.dfa
@@ -741,7 +741,6 @@
 # Ancillary chunks
 chunk bKGD
 chunk cHRM enables COLORSPACE
-# enable eXIf only after chunk is approved
 chunk eXIf
 chunk gAMA enables GAMMA
 chunk hIST
diff --git a/scripts/pnglibconf.h.prebuilt b/scripts/pnglibconf.h.prebuilt
index 9b9bbce..9e45f73 100644
--- a/scripts/pnglibconf.h.prebuilt
+++ b/scripts/pnglibconf.h.prebuilt
@@ -1,8 +1,8 @@
-/* libpng 1.6.31 STANDARD API DEFINITION */
+/* libpng 1.6.32 STANDARD API DEFINITION */
 
 /* pnglibconf.h - library build configuration */
 
-/* Libpng version 1.6.31 - July 27, 2017 */
+/* Libpng version 1.6.32 - August 24, 2017 */
 
 /* Copyright (c) 1998-2017 Glenn Randers-Pehrson */
 
diff --git a/scripts/symbols.def b/scripts/symbols.def
index d714cf6..45bcf89 100644
--- a/scripts/symbols.def
+++ b/scripts/symbols.def
@@ -1,4 +1,4 @@
-;Version 1.6.31
+;Version 1.6.32
 ;--------------------------------------------------------------
 ; LIBPNG symbol list as a Win32 DEF file
 ; Contains all the symbols that can be exported from libpng
@@ -252,3 +252,5 @@
  png_image_write_to_memory @245
  png_get_eXIf @246
  png_set_eXIf @247
+ png_get_eXIf_1 @248
+ png_set_eXIf_1 @249
diff --git a/tests/pngtest b/tests/pngtest
index d33f936..813973b 100755
--- a/tests/pngtest
+++ b/tests/pngtest
@@ -1,4 +1,2 @@
 #!/bin/sh
-./pngtest --relaxed ${srcdir}/tests/badcrc.png
-./pngtest --relaxed ${srcdir}/tests/badadler.png
 exec ./pngtest --strict ${srcdir}/pngtest.png
diff --git a/tests/pngtest-badpngs b/tests/pngtest-badpngs
new file mode 100755
index 0000000..7777523
--- /dev/null
+++ b/tests/pngtest-badpngs
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# various crashers
+# using --relaxed because some come from fuzzers that don't maintain CRC's
+
+./pngtest --relaxed ${srcdir}/contrib/testpngs/crashers/badcrc.png
+./pngtest --relaxed ${srcdir}/contrib/testpngs/crashers/badadler.png
+./pngtest --xfail ${srcdir}/contrib/testpngs/crashers/bad_iCCP.png
+./pngtest --xfail ${srcdir}/contrib/testpngs/crashers/empty_ancillary_chunks.png
+./pngtest --xfail ${srcdir}/contrib/testpngs/crashers/huge_*_chunk.png \
+    ${srcdir}/contrib/testpngs/crashers/huge_*safe_to_copy.png
+
+exec ./pngtest --xfail ${srcdir}/contrib/testpngs/crashers/huge_IDAT.png
diff --git a/tests/pngunknown-sAPI b/tests/pngunknown-sAPI
index 4317b18..88a1f6b 100755
--- a/tests/pngunknown-sAPI
+++ b/tests/pngunknown-sAPI
@@ -1,2 +1,2 @@
 #!/bin/sh
-exec ./pngunknown --strict bKGD=save cHRM=save gAMA=save all=discard iCCP=save sBIT=save sRGB=save "${srcdir}/pngtest.png"
+exec ./pngunknown --strict bKGD=save cHRM=save gAMA=save all=discard iCCP=save sBIT=save sRGB=save eXIf=save "${srcdir}/pngtest.png"