$NetBSD: patch-ab,v 1.9 2011/06/09 11:00:01 drochner Exp $

--- Source/WebCore/platform/image-decoders/png/PNGImageDecoder.cpp.orig	2011-03-21 18:43:07.000000000 +0000
+++ Source/WebCore/platform/image-decoders/png/PNGImageDecoder.cpp
@@ -226,7 +226,7 @@ static ColorProfile readColorProfile(png
 #ifdef PNG_iCCP_SUPPORTED
     char* profileName;
     int compressionType;
-    char* profile;
+    png_byte* profile;
     png_uint_32 profileLength;
     if (png_get_iCCP(png, info, &profileName, &compressionType, &profile, &profileLength)) {
         ColorProfile colorProfile;
@@ -241,11 +241,11 @@ void PNGImageDecoder::headerAvailable()
 {
     png_structp png = m_reader->pngPtr();
     png_infop info = m_reader->infoPtr();
-    png_uint_32 width = png->width;
-    png_uint_32 height = png->height;
+    png_uint_32 width = png_get_image_width(png, info);
+    png_uint_32 height = png_get_image_height(png, info);
     
     // Protect against large images.
-    if (png->width > cMaxPNGSize || png->height > cMaxPNGSize) {
+    if (width > cMaxPNGSize || height > cMaxPNGSize) {
         longjmp(JMPBUF(png), 1);
         return;
     }
@@ -319,8 +319,7 @@ void PNGImageDecoder::headerAvailable()
 
     if (m_reader->decodingSizeOnly()) {
         // If we only needed the size, halt the reader.     
-        m_reader->setReadOffset(m_reader->currentBufferSize() - png->buffer_size);
-        png->buffer_size = 0;
+        m_reader->setReadOffset(m_reader->currentBufferSize() - png_process_data_pause(png, 0/*do not save the data*/));
     }
 }
 
@@ -343,7 +342,8 @@ void PNGImageDecoder::rowAvailable(unsig
         // For PNGs, the frame always fills the entire image.
         buffer.setOriginalFrameRect(IntRect(IntPoint(), size()));
 
-        if (m_reader->pngPtr()->interlaced)
+        if (png_get_interlace_type(m_reader->pngPtr(), m_reader->infoPtr())
+		!= PNG_INTERLACE_NONE)
             m_reader->createInterlaceBuffer((m_reader->hasAlpha() ? 4 : 3) * size().width() * size().height());
     }
 
