--- old/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java	2014-05-08 22:26:35.056284800 +0400
+++ new/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java	2014-05-08 22:26:34.895264300 +0400
@@ -664,6 +664,12 @@
             try {
                 while (true) {
                     int chunkLength = stream.readInt();
+
+                    // verify the chunk length first
+                    if (chunkLength < 0 || chunkLength + 4 < 0) {
+                        throw new IIOException("Invalid chunk lenght " + chunkLength);
+                    }
+
                     int chunkType = stream.readInt();
 
                     if (chunkType == IDAT_TYPE) {