--- old/src/java.desktop/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java 2018-01-22 15:45:45.273925000 +0530
+++ new/src/java.desktop/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java 2018-01-22 15:45:44.577577000 +0530
@@ -428,12 +428,16 @@
 private void parse_iCCP_chunk(int chunkLength) throws IOException {
 String keyword = readNullTerminatedString("ISO-8859-1", 80);
+ int compressedProfileLength = chunkLength - keyword.length() - 2;
+ if (compressedProfileLength < 0) {
+ throw new IIOException("iCCP chunk length is not proper");
+ }
 metadata.iCCP_profileName = keyword;
 metadata.iCCP_compressionMethod = stream.readUnsignedByte();
 byte[] compressedProfile =
- new byte[chunkLength - keyword.length() - 2];
+ new byte[compressedProfileLength];
 stream.readFully(compressedProfile);
 metadata.iCCP_compressedProfile = compressedProfile;
@@ -463,7 +467,11 @@
 String text;
 pos = stream.getStreamPosition();
- byte[] b = new byte[(int)(chunkStart + chunkLength - pos)];
+ int textLength = (int)(chunkStart + chunkLength - pos);
+ if (textLength < 0) {
+ throw new IIOException("iTXt chunk length is not proper");
+ }
+ byte[] b = new byte[textLength];
 stream.readFully(b);
 if (compressionFlag == 1) { // Decompress the text
@@ -558,9 +566,13 @@
 private void parse_tEXt_chunk(int chunkLength) throws IOException {
 String keyword = readNullTerminatedString("ISO-8859-1", 80);
+ int textLength = chunkLength - keyword.length() - 1;
+ if (textLength < 0) {
+ throw new IIOException("tEXt chunk length is not proper");
+ }
 metadata.tEXt_keyword.add(keyword);
- byte[] b = new byte[chunkLength - keyword.length() - 1];
+ byte[] b = new byte[textLength];
 stream.readFully(b);
 metadata.tEXt_text.add(new String(b, "ISO-8859-1"));
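Review bot: In parse_iCCP_chunk the new guard rejects only a negative `compressedProfileLength`; a declared length close to Integer.MAX_VALUE still reaches `new byte[compressedProfileLength]` before `readFully` has shown that the data exists, so a small malformed file can force a very large allocation. The same holds for `textLength` in the iTXt, tEXt and zTXt hunks. Where the stream length is known, the guard could also compare against what remains, for example `long len = stream.length(); if (len != -1 && compressedProfileLength > len - stream.getStreamPosition()) throw new IIOException("iCCP chunk length is not proper");` (this assumes `stream` is an ImageInputStream, which the hunk does not show). The method body continues outside the hunk.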
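Review bot: In the iTXt hunk the narrowing cast runs before the sign test: `(int)(chunkStart + chunkLength - pos)` truncates first, so a difference outside the int range could wrap to a non-negative `textLength` and pass `textLength < 0`. The cast suggests the operands are long, although their declarations are outside the hunk. Checking the wide value first avoids relying on that: `long remaining = chunkStart + chunkLength - pos;`, then `if (remaining < 0 || remaining > Integer.MAX_VALUE) { throw new IIOException("iTXt chunk length is not proper"); }`, then `byte[] b = new byte[(int) remaining];`. The enclosing method starts and ends outside the hunk.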
@@ -652,12 +664,16 @@
 private void parse_zTXt_chunk(int chunkLength) throws IOException {
 String keyword = readNullTerminatedString("ISO-8859-1", 80);
+ int textLength = chunkLength - keyword.length() - 2;
+ if (textLength < 0) {
+ throw new IIOException("zTXt chunk length is not proper");
+ }
 metadata.zTXt_keyword.add(keyword);
 int method = stream.readUnsignedByte();
 metadata.zTXt_compressionMethod.add(method);
- byte[] b = new byte[chunkLength - keyword.length() - 2];
+ byte[] b = new byte[textLength];
 stream.readFully(b);
 metadata.zTXt_text.add(new String(inflate(b), "ISO-8859-1"));
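Review bot: In parse_zTXt_chunk the length check now fails before any metadata is touched, but `metadata.zTXt_keyword.add(keyword)` and `metadata.zTXt_compressionMethod.add(method)` still run before `stream.readFully(b)` and `inflate(b)`; if either of those throws on a truncated or corrupt chunk, the keyword and method lists end up one entry longer than `zTXt_text`. Whether a caller keeps the metadata object after such an exception is not visible here, so this may be harmless. Reading and inflating into a local first, and appending to the three lists together afterwards, would keep them in step. parse_tEXt_chunk in the previous hunk has the same ordering for `tEXt_keyword` and `tEXt_text`.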