Patch from: http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af to fix: https://bugzilla.redhat.com/show_bug.cgi?id=717510 https://bugzilla.redhat.com/show_bug.cgi?id=717511 CVE-2011-2501 I have modified this patch to remove the changes to ANNOUNCE and CHANGES files, and the hunk in pngerror.c which just updates a comment. - RWMJ. From 65e6d5a34f49acdb362a0625a706c6b914e670af Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Tue, 7 Jun 2011 14:58:07 -0500 Subject: [PATCH] [master] Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug report by Frank Busse, related to CVE-2004-0421). --- ANNOUNCE | 6 ++++-- CHANGES | 4 +++- pngerror.c | 11 ++++++++--- 3 files changed, 15 insertions(+), 6 deletions(-) --- a/pngerror.c +++ b/pngerror.c @@ -186,8 +186,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp { buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT); - buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0'; + + iin = 0; + while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0') + buffer[iout++] = error_message[iin++]; + + /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */ + buffer[iout] = '\0'; } } -- 1.7.0.1
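Review bot: the comment `/* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */` justifies the terminator write with the wrong variable; what makes `buffer[iout] = '\0';` safe is that the loop advances `iout` at most PNG_MAX_ERROR_TEXT-1 times, so the terminator lands no later than the slot the removed `buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';` already wrote. Suggest rewording it to state the bound on `iout` (e.g. "at most PNG_MAX_ERROR_TEXT-1 bytes were appended, so buffer[iout] is within the space the old fixed-length write used"). The hunk also assigns `iin = 0;` without declaring it, so confirm `iin` is already declared earlier in png_format_buffer() rather than relying on a variable from a previous loop. Note that messages longer than PNG_MAX_ERROR_TEXT-1 bytes are still silently truncated, as before; the change only stops the copy from reading past the end of a shorter error_message, which is the over-read the commit message describes.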