--- old/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java	2014-05-09 02:20:35.691833700 +0400
+++ new/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java	2014-05-09 02:20:35.521812100 +0400
@@ -664,6 +664,12 @@
             try {
                 while (true) {
                     int chunkLength = stream.readInt();
+
+                    // verify the chunk length first
+                    if (chunkLength < 0 || chunkLength + 4 < 0) {
+                        throw new IIOException("Invalid chunk length " + chunkLength);
+                    }
+
                     int chunkType = stream.readInt();
 
                     if (chunkType == IDAT_TYPE) {
@@ -692,7 +698,7 @@
 
                 // verify the chunk length
                 if (chunkLength < 0) {
-                    throw new IIOException("Invalid chunk lenght " + chunkLength);
+                    throw new IIOException("Invalid chunk length " + chunkLength);
                 };
 
                 try {