1diff --git a/png.c b/png.c
2index 35e14f63d..01d8d9bae 100644
3--- a/png.c
4+++ b/png.c
5@@ -1931,8 +1931,8 @@ png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
6 static const png_byte D50_nCIEXYZ[12] =
7    { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
8
9-int /* PRIVATE */
10-png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
11+static int /* bool */
12+icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
13    png_const_charp name, png_uint_32 profile_length)
14 {
15    if (profile_length < 132)
16@@ -1942,6 +1942,40 @@ png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
17    return 1;
18 }
19
20+#ifdef PNG_READ_iCCP_SUPPORTED
21+int /* PRIVATE */
22+png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
23+    png_const_charp name, png_uint_32 profile_length)
24+{
25+   if (!icc_check_length(png_ptr, colorspace, name, profile_length))
26+      return 0;
27+
28+   /* This needs to be here because the 'normal' check is in
29+    * png_decompress_chunk, yet this happens after the attempt to
30+    * png_malloc_base the required data.  We only need this on read; on write
31+    * the caller supplies the profile buffer so libpng doesn't allocate it.  See
32+    * the call to icc_check_length below (the write case).
33+    */
34+#  ifdef PNG_SET_USER_LIMITS_SUPPORTED
35+      else if (png_ptr->user_chunk_malloc_max > 0 &&
36+               png_ptr->user_chunk_malloc_max < profile_length)
37+         return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
38+             "exceeds application limits");
39+#  elif PNG_USER_CHUNK_MALLOC_MAX > 0
40+      else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
41+         return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
42+             "exceeds libpng limits");
43+#  else /* !SET_USER_LIMITS */
44+      /* This will get compiled out on all 32-bit and better systems. */
45+      else if (PNG_SIZE_MAX < profile_length)
46+         return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
47+             "exceeds system limits");
48+#  endif /* !SET_USER_LIMITS */
49+
50+   return 1;
51+}
52+#endif /* READ_iCCP */
53+
54 int /* PRIVATE */
55 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
56    png_const_charp name, png_uint_32 profile_length,
57@@ -2379,7 +2413,7 @@ png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
58    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
59       return 0;
60
61-   if (png_icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
62+   if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
63        png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
64           color_type) != 0 &&
65        png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
66diff --git a/pngpriv.h b/pngpriv.h
67index 9ea023fea..633671352 100644
68--- a/pngpriv.h
69+++ b/pngpriv.h
70@@ -1541,9 +1541,11 @@ PNG_INTERNAL_FUNCTION(int,png_colorspace_set_ICC,(png_const_structrp png_ptr,
71    /* The 'name' is used for information only */
72
73 /* Routines for checking parts of an ICC profile. */
74+#ifdef PNG_READ_iCCP_SUPPORTED
75 PNG_INTERNAL_FUNCTION(int,png_icc_check_length,(png_const_structrp png_ptr,
76    png_colorspacerp colorspace, png_const_charp name,
77    png_uint_32 profile_length), PNG_EMPTY);
78+#endif /* READ_iCCP */
79 PNG_INTERNAL_FUNCTION(int,png_icc_check_header,(png_const_structrp png_ptr,
80    png_colorspacerp colorspace, png_const_charp name,
81    png_uint_32 profile_length,
82