--- webkit-1.4.0.orig/Source/WebCore/platform/image-decoders/png/PNGImageDecoder.cpp
+++ webkit-1.4.0/Source/WebCore/platform/image-decoders/png/PNGImageDecoder.cpp
@@ -226,7 +226,7 @@
 #ifdef PNG_iCCP_SUPPORTED
     char* profileName;
     int compressionType;
-    char* profile;
+    png_byte* profile;
     png_uint_32 profileLength;
     if (png_get_iCCP(png, info, &profileName, &compressionType, &profile, &profileLength)) {
         ColorProfile colorProfile;
@@ -241,11 +241,11 @@
 {
     png_structp png = m_reader->pngPtr();
     png_infop info = m_reader->infoPtr();
-    png_uint_32 width = png->width;
-    png_uint_32 height = png->height;
+    png_uint_32 width = png_get_image_width(png, info);
+    png_uint_32 height = png_get_image_height(png, info);
     
     // Protect against large images.
-    if (png->width > cMaxPNGSize || png->height > cMaxPNGSize) {
+    if (width > cMaxPNGSize || height > cMaxPNGSize) {
         longjmp(JMPBUF(png), 1);
         return;
     }
@@ -318,9 +318,9 @@
     m_reader->setHasAlpha(channels == 4);
 
     if (m_reader->decodingSizeOnly()) {
-        // If we only needed the size, halt the reader.     
-        m_reader->setReadOffset(m_reader->currentBufferSize() - png->buffer_size);
-        png->buffer_size = 0;
+        // If we only needed the size, halt the reader.
+        // '0' argument to png_process_data_pause means: Do not cache unprocessed data.
+        m_reader->setReadOffset(m_reader->currentBufferSize() - png_process_data_pause(png, 0));
     }
 }
 
@@ -343,7 +343,7 @@
         // For PNGs, the frame always fills the entire image.
         buffer.setOriginalFrameRect(IntRect(IntPoint(), size()));
 
-        if (m_reader->pngPtr()->interlaced)
+        if (png_get_interlace_type(m_reader->pngPtr(), m_reader->infoPtr()) != PNG_INTERLACE_NONE)
             m_reader->createInterlaceBuffer((m_reader->hasAlpha() ? 4 : 3) * size().width() * size().height());
     }