Commit 1f7620792 for imagemagick.org
commit 1f7620792f859399b2b34c607a617dfdd1895244
Author: Madars <mad182@gmail.com>
Date: Sat Mar 21 14:25:56 2026 +0200
Fix off-by-one in MNG FRAM chunk delay/timeout parsing (#8623)
The boundary check (p-chunk) < (length-4) rejected valid FRAM
chunks where the 4-byte delay value ends exactly at the chunk
boundary. Changed to (p-chunk)+4 <= length to correctly allow
reading the delay when it fits within the chunk data.
This caused all MNG frames to use the MHDR default delay (1 tick)
instead of the per-frame delay specified in the FRAM chunk. Resizing
or editing an animated MNG would produce output running at the wrong
speed (e.g., 5x too fast for a file with delay=5 ticks at 100 tps).
diff --git a/coders/png.c b/coders/png.c
index d90e7c7dd..52356fae0 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -5589,7 +5589,7 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info,
change_clipping=(*p++);
p++; /* change_sync */
- if (change_delay && ((p-chunk) < (ssize_t) (length-4)))
+ if (change_delay && ((p-chunk)+4 <= (ssize_t) length))
{
frame_delay=(size_t) image->ticks_per_second*
(size_t) mng_get_long(p);
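Review bot: The guard `if (change_delay && ((p-chunk)+4 <= (ssize_t) length))` is the only thing keeping the 4-byte read in `mng_get_long(p)` inside the chunk, and nothing in the code says so; the same holds for the `change_timeout` guard in the second hunk. I would add a comment above each, e.g. `/* mng_get_long() reads 4 bytes at p; require p+4 <= chunk+length */`, so the bound is not changed again by accident. The timeout check is only correct if `p` is advanced by 4 after the delay read, which happens outside the hunk and should be confirmed. If the clipping-boundaries branch later in this FRAM handling still uses the `(p-chunk) < (ssize_t) (length-N)` form, it probably has the same off-by-one, plus an unsigned wrap of `length-N` on short chunks; that code is not visible here.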
@@ -5610,7 +5610,7 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info,
" Framing_delay=%.20g",(double) frame_delay);
}
- if (change_timeout && ((p-chunk) < (ssize_t) (length-4)))
+ if (change_timeout && ((p-chunk)+4 <= (ssize_t) length))
{
frame_timeout=(size_t) image->ticks_per_second*
(size_t) mng_get_long(p);
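Review bot: `frame_timeout=(size_t) image->ticks_per_second*(size_t) mng_get_long(p);` multiplies a file-supplied 4-byte value with no range check, and the `frame_delay` assignment in the first hunk does the same. With the corrected bound these branches now run for chunks that were previously skipped. It is therefore worth confirming that a negative or very large return from `mng_get_long` (defined outside the hunk) cannot wrap the product where `size_t` is 32 bits. A clamp before the multiply, or a comment stating why a wrapped value is harmless to whatever consumes `frame_delay` and `frame_timeout`, would settle it. The statement block continues past the end of the hunk.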