src/java.desktop/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java

@@ -426,16 +426,20 @@
         metadata.hIST_present = true;
     }
 
     private void parse_iCCP_chunk(int chunkLength) throws IOException {
         String keyword = readNullTerminatedString("ISO-8859-1", 80);
+        int compressedProfileLength = chunkLength - keyword.length() - 2;
+        if (compressedProfileLength < 0) {
+            throw new IIOException("iCCP chunk length is not proper");
+        }
         metadata.iCCP_profileName = keyword;
 
         metadata.iCCP_compressionMethod = stream.readUnsignedByte();
 
         byte[] compressedProfile =
-          new byte[chunkLength - keyword.length() - 2];
+          new byte[compressedProfileLength];
         stream.readFully(compressedProfile);
         metadata.iCCP_compressedProfile = compressedProfile;
 
         metadata.iCCP_present = true;
     }

@@ -461,11 +465,15 @@
             readNullTerminatedString("UTF8", maxLen);
         metadata.iTXt_translatedKeyword.add(translatedKeyword);
 
         String text;
         pos = stream.getStreamPosition();
-        byte[] b = new byte[(int)(chunkStart + chunkLength - pos)];
+        int textLength = (int)(chunkStart + chunkLength - pos);
+        if (textLength < 0) {
+            throw new IIOException("iTXt chunk length is not proper");
+        }
+        byte[] b = new byte[textLength];
         stream.readFully(b);
 
         if (compressionFlag == 1) { // Decompress the text
             text = new String(inflate(b), "UTF8");
         } else {

@@ -556,13 +564,17 @@
         metadata.sRGB_present = true;
     }
 
     private void parse_tEXt_chunk(int chunkLength) throws IOException {
         String keyword = readNullTerminatedString("ISO-8859-1", 80);
+        int textLength = chunkLength - keyword.length() - 1;
+        if (textLength < 0) {
+            throw new IIOException("tEXt chunk length is not proper");
+        }
         metadata.tEXt_keyword.add(keyword);
 
-        byte[] b = new byte[chunkLength - keyword.length() - 1];
+        byte[] b = new byte[textLength];
         stream.readFully(b);
         metadata.tEXt_text.add(new String(b, "ISO-8859-1"));
 
         // Check if the text chunk contains image creation time
         if (keyword.equals(PNGMetadata.tEXt_creationTimeKey)) {

@@ -650,16 +662,20 @@
         return baos.toByteArray();
     }
 
     private void parse_zTXt_chunk(int chunkLength) throws IOException {
         String keyword = readNullTerminatedString("ISO-8859-1", 80);
+        int textLength = chunkLength - keyword.length() - 2;
+        if (textLength < 0) {
+            throw new IIOException("zTXt chunk length is not proper");
+        }
         metadata.zTXt_keyword.add(keyword);
 
         int method = stream.readUnsignedByte();
         metadata.zTXt_compressionMethod.add(method);
 
-        byte[] b = new byte[chunkLength - keyword.length() - 2];
+        byte[] b = new byte[textLength];
         stream.readFully(b);
         metadata.zTXt_text.add(new String(inflate(b), "ISO-8859-1"));
 
         // Check if the text chunk contains image creation time
         if (keyword.equals(PNGMetadata.tEXt_creationTimeKey)) {