libpng (Portable Network Graphics) 1.6.31

libpng is the PNG image format reference implementation. Portable Network Graphics are the most widely used raster image format, patent-free, based on lossless data compression, support indexed/paletted, grayscale, and 24 or 32 bit truecolor images with transparency. It's also an highly extensible container format, with built-in color profiles and representation information, textual meta data, filters, progressive interlacing, and permits animations in the derived APNG or MNG formats.

Tags c png image format library raster-image compression deflate gamma icc zlib
License Zlib
State beta

Recent Releases

1.6.3128 Jul 2017 10:25 minor feature: Guard the definition of _POSIX_SOURCE in pngpriv.h (AIX already defines it; report by Michael Felt). Revised pngpriv.h to work around failure to compile arm/filter_neon.S. typedef" directive is unrecognized by the assembler). The problem was introduced in libpng-1.6.30beta01. Added "Requires: zlib" to libpng.pc.in (Pieter Neerincx). Added special case for FreeBSD in arm/filter_neon.S (Maya Rashish). Added instructions for disabling hardware optimizations in INSTALL. Added "--enable-hardware-optimizations" configuration flag to enable or disable all hardware optimizations with one flag. Updated CMakeLists.txt to add INTEL_SSE and MIPS_MSA platforms. Changed "int" to "png_size_t" in intel/filter_sse2.c to prevent possible integer overflow (report by John Bowler). Quieted "declaration after statement" warnings in intel/filter_sse2.c. Added scripts/makefile-linux-opt, which has hardware optimizations enabled. Removed one of the GCC-7.1.0 'strict-overflow' warnings that result when integers appear on both sides of a compare. Worked around the others by forcing the strict-overflow setting in the relevant functions to a level where they are not reported (John Bowler). Changed "FALL THROUGH" comments to "FALLTHROUGH" because GCC doesn't like the space. Worked around some C-style casts from (void*) because g++ 5.4.0 objects to them. Increased the buffer size for 'sprint' to pass the gcc 7.1.0 'sprint overflow' check that is on by default with -Wall -Wextra. Added eXIf chunk support. Added a minimal eXIf chunk (with Orientation and FocalLengthIn35mmFilm tags) to pngtest.png.
1.6.3029 Jun 2017 15:25 minor feature: Added missing " (CPPFLAGS)" to the compile line for c.pic.o in makefile.linux and makefile.solaris-x86 (Cosmin). Revised documentation of png_get_error_ptr() in the libpng manual. Silence clang -Wcomma and const drop warnings (Viktor Szakats). Update Sourceforge URLs in documentation (https instead of http). Document need to check for integer overflow when allocating a pixel buffer for multiple rows in contrib/gregbook, contrib/pngminus, example.c, and in the manual. This is similar to the reported against pngquant in CVE-2016-5735. Removed reference to the obsolete PNG_SAFE_LIMITS macro in the documentation. Check for integer overflow in contrib/visupng and contrib/tools/genpng. Do not double evaluate CMAKE_SYSTEM_PROCESSOR in CMakeLists.txt. Test CMAKE_HOST_WIN32 instead of WIN32 in CMakeLists.txt. some URL in documentation. Avoid writing an empty IDAT when the last IDAT exactly fills the compression buffer (report by Brian Baird). This was introduced in libpng-1.6.0. Update copyright year in pnglibconf.h, make ltmain.sh executable. Add a reference to the libpng.download site in README.
1.6.2917 Mar 2017 20:45 minor feature: Readded "include(GNUInstallDirs)" to CMakeLists.txt (Gianfranco Costamagna). Moved SSE2 optimization code into the main libpng source directory. Configure libpng with "configure --enable-intel-sse" or compile libpng with "-DPNG_INTEL_SSE" in CPPFLAGS to enable it. Simplified conditional compilation in pngvalid.c, for AIX (Michael Felt). Avoid conditional directives that break statements in pngrutil.c (Romero Malaquias) The contrib/examples/pngtopng.c recovery code was in the wrong "if" branches; the comments were correct. Added code for PowerPC VSX optimisation (Vadim Barkov). Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer). Change test ZLIB_VERNUM = 0x1281 to ZLIB_VERNUM = 0x1290 in pngrutil.c because Solaris 11 distributes zlib-1.2.8.f that is older than 1.2.8.1. Suppress clang warnings about implicit sign changes in png.c.
1.6.2806 Jan 2017 03:18 minor feature: Arm/aarch64 detection in CMakeLists.txt (Gianfranco Costamagna). Added option to Cmake build allowing a custom location of zlib to be. Specified in a scenario where libpng is being built as a subproject Alongside zlib by another project (Sam Serrels). Changed png_ptr- options from a png_byte to png_uint_32, to accomodate up to 16 options.
1.6.2730 Dec 2016 06:45 minor feature: Control ADLER32 checking with new PNG_IGNORE_ADLER32 option. Removed the use of a macro containing the pre-processor 'defined'. Operator. It is unclear whether this is valid; a macro that generates" 'defined' is not permitted, but the use of the word. generates" within the C90 standard seems to imply more than simple. Substitution of an expression itself containing a well-formed defined Operation. Added ARM support to CMakeLists.txt (Andreas Franek). a potential null pointer dereference in png_set_text_2() (report. And patch by Patrick Keshishian).
1.6.2620 Oct 2016 22:45 minor feature: Handling zero length IDAT in png(report by Agostino Sarubbo, by John Bowler). Do not a png_error() on read in png_set_pCAL() because png_handle_pCAL. Has allocated memory that libpng needs to free. Conditionally compile png_set_benign_errors() in pngread.c and pngtest.c a png_benign_error instead of a png_error on ADLER32 mismatch. While decoding compressed data chunks. Changed PNG_ZLIB_VERNUM to ZLIB_VERNUM in pngpriv.h, pngstruct.h, and. Pngrutil.c. If CRC handling of critical chunks has been set to PNG_CRC_QUIET_USE. Ignore the ADLER32 checksum in the IDAT chunk as well as the chunk CRCs. Png_benign_error() on ADLER32 checksum mismatch instead of png_error(). Add tests/badcrc.png and tests/badadler.png to tests/pngtest. Merged pngtest.c with libpng-1.7.0beta84/pngtest.c Updated the documentation about CRC and ADLER32 handling. Quieted 117 warnings from clang-3.8 in pngtrans.c, pngread.c. Pngwrite.c, pngunknown.c, and pngvalid.c. Quieted the 144 remaining -Wconversion compiler warnings by. Revising the png_isaligned() macro and trivial changes in png.c, Pngerror.c, pngget.c, pngmem.c, pngset.c, pngrtran.c, pngrutil.c, Pngwtran.c, pngwrite.c, and pngwutil.c. Quieted (bogus?) clang warnings about "absolute value has no effect". When PNG_USE_ABS is defined. Offsets in contrib/intel/intel_sse.patch Changed integer constant 4294967294 to unsigned 4294967294U in pngconf.h to avoid a signed/unsigned compare in the preprocessor. Use zlib-1.2.8.1 inflateValidate() instead of inflateReset2() to. Optionally avoid ADLER32 evaluation. Cosmetic change, "ptr != 0" to "ptr != NULL" in png.c and pngrutil.c Despammed email addresses.
1.6.2502 Sep 2016 17:25 minor feature: Reject oversized iCCP profile immediately. Cleaned up PNG_DEcompile of pngtest.c. Conditionally compile png_inflate(). Don't install pngcp; it conflicts with pngcp in the pngtools package. Minor editing of INSTALL, (whitespace, added copyright line) Added MIPS support (Mandar Sahastrabuddhe ). Rebased contrib/intel/intel_sse.patch after the MIPS implementation.
1.6.2404 Aug 2016 03:25 minor feature: Avoid potential overflow of the PNG_IMAGE_SIZE macro. This macro is not used within libpng, but is used in some of the examples. Correct filter heuristic overflow handling. This was broken when the. Write filter code was moved out-of-line; if there is a single filter and The heuristic sum overflows the calculation of the filtered line is not Completed. In versions prior to 1.6 the code was duplicated in-line And the check not performed, so the filter operation completed; however, in the multi-filter case where the sum is performed the 'none' filter would be selected if all the sums overflowed, even if it wasn't in the filter. List. The to the first problem is simply to provide PNG_SIZE_MAX as The current lmins sum value; this means the sum can never exceed it and Overflows silently. A reasonable compiler that does choose to inline The code will simply eliminate the sum check. The to the second problem is to use high precision arithmetic (this is. Implemented in 1.7), however a simple safe here is to chose the lowest Numbered filter in the list from png_set_filter (this only works if the First problem is also ) (John Bowler). Use a more efficient absolute value calculation on SSE2 (Matthieu Darbois). The case where PNG_IMAGE_BUFFER_SIZE can overflow in the application as a result of the application using an increased 'row_stride'; previously. Png_image_finish_read only checked for overflow on the base calculation of Components. (I.e. it checked for overflow of a 32-bit number on the total Number of pixel components in the output format, not the possibly padded row Length and not the number of bytes, which for linear formats is twice the Number of components.) MSVC does not like '-(unsigned)', so replaced it with 0U-(unsigned) MSVC does not like (uInt) = -(unsigned) (i.e. as an initializer), unless. The conversion is explicitly invoked by a cast. Put the SKIP definition in the correct place. It needs to come after the. Png.h include (see all the other.c files in contr
1.6.2310 Jun 2016 09:25 minor feature: Stop a potential memory leak in png_set_tRNS() (report by Ted Ying). The progressive reader to handle empty first IDAT chunk properly. This was introduced in libpng-1.6.0 and Only affected the libpng16 branch. Added tests in pngvalid.c to check zero-length IDAT chunks in various. Positions. the sequential reader to handle these more robustly John Bowler). Corrected progressive read input buffer in pngvalid.c. The previous version. The code invariably passed just one byte at a time to libpng. The intent Was to pass a random number of bytes in the range 0..511. Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch. Added missing ")" in pngerror.c (Matt Sarrett). Undefined behavior in png_push_save_buffer(). Do not call Memcpy() with a null source, even if count is zero (Leon Scroggins III). Bad link to RFC2083 in png.5 (Nikola Forro).
1.6.2227 May 2016 22:25 minor feature: Changed PNG_USE_MKSTEMP to __COVERITY__ to select alternate tmpfile()" implementation in contrib/libtests/pngstest.c NO_STDIO build of pngunknown.c to skip calling png_init_io() if there is no stdio.h support. Added a png_image_write_to_memory() API and a number of assist macros to allow an application that uses the simplified API write to bypass stdio and write directly to memory. Added some warnings (png.h) and some check code to detect *possible* overflow in the ROW_STRIDE and simplified image SIZE macros. This disallows image width/height/format that *might overflow. This is a quiet API change that limits in-memory image size (uncompressed) to less than 4GByte and image row size (stride) to less than 2GByte. Revised workaround for false-positive Coverity in pngvalid.c. Only use exit(77) in configure builds. Updated CMakeLists.txt, added supporting scripts/gen*.cmake.in and test.cmake.in (Roger Leigh). Relaxed limit checks on gamma values in pngrtran.c. As suggested in the comments gamma values outside the range currently permitted by png_set_alpha_mode are useful for HDR data encoding. These values are already permitted by png_set_gamma so it is reasonable caution to extend the png_set_alpha_mode range as HDR imaging systems are starting to emerge. Added a common-law trademark notice and export control information to the LICENSE file, png.h, and the man page. Restored " 0xff" in png_save_uint_16() and png_save_uint_32() that were accidentally removed from libpng-1.6.17. Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h. Robert C. Seacord). Removed dubious "#if INT_MAX" test from png.h that was added to libpng-1.6.19 (John Bowler). Add INCLUDES in scripts/genout.cmake.in (report by Nixon Kwok). Updated LICENSE to say files in the contrib directory are not necessarily under the libpng license, and that some makefiles have other copyright owners. Added INTEL-SSE2 support (Mike Klein and Matt Sarett, Google, Inc.). Made contrib/libtests/time
1.6.2116 Jan 2016 03:45 minor feature: Syntax " (command)" in tests/pngstest that some shells other than Bash could not parse (report by Nelson Beebe). Use `command` instead. Moved png_check_keyword() from pngwutil.c to pngset.c Removed LE/BE dependencies in pngvalid, to '' the current problem in the BigEndian tests by not testing it, making the BE code the same as the LE version. to pngvalid for various reduced build configurations (eliminate unused. Statics) and a for the case in rgb_to_gray when the digitize option Reduces graylo to 0, producing a large error. Widened the 'limit' check on the internally calculated error limits in. The 'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error Checks) and changed the check to only operate in non-release builds base build type not RC or RELEASE.). Undefined behavior in pngvalid.c, undefined because png_byte)
1.6.2004 Dec 2015 03:15 minor feature: Avoid potential pointer overflow/underflow in png_handle_sPLT() and Png_handle_pCAL() (report by John Regehr). Incorrect implementation of png_set_PLTE() that uses png_ptr Not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 Vulnerability. Backported tests from libpng-1.7.0beta69. an error in handling of bad zlib CMINFO field in png, found by American Fuzzy Lop, reported by Brian Carpenter. inflate() doesn't. Immediately fault a bad CMINFO field; instead a 'too far back' error Happens later (at least some times). pngfailed to limit CMINFO to The allowed values but then assumed that window_bits was in range, Triggering an assert. The is mostly harmless; the PNG file cannot be. In libpng 1.6 zlib initialization was changed to use the window size in the zlib stream, not a value. This causes some invalid images. Where CINFO is too large, to display 'correctly' if the rest of the Data is valid. This provides a workaround for zlib versions where the Error arises (ones that support the API change to use the window size in the stream).
1.6.1913 Nov 2015 03:16 minor feature: Updated obsolete information about the simplified API macros in the Manual pages (report by Arc Riley). Avoid potentially dereferencing NULL info_ptr in png_info_init_3(). Rearranged png.h to put the major sections in the same order as in libpng17. Eliminated unused PNG_COST_SHIFT, PNG_WEIGHT_SHIFT, PNG_COST_FACTOR, and PNG_WEIGHT_FACTOR macros. Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler. report by Viktor Szakats). Several warnings remain and are. Unavoidable, where we test for overflow. Potential leak of png_pixels in contrib/pngminus/pnm2png.c Uninitialized variable in contrib/gregbook/rpng2-x.c Moved config.h.in from the "libpng_autotools_files" list to the. libpng_autotools_extra" list in autogen.sh because it was causing a. False positive for missing files (report by Robert C. Seacord). Removed unreachable "break" statements in png.c, pngread.c, and pngrtran.c to suppress clang warnings (report by Viktor Szakats). Some bad links in the man page. Changed "n bit" to "n-bit" in comments. Added signed/unsigned 16-bit safety net. This removes the dubious 0x8000 flag definitions on 16-bit systems. They aren't supported. Yet the defs *probably work, however it seems much safer to do this And be advised if anyone, contrary to advice, is building libpng 1.6 on a 16-bit system. It also adds back various switch default clauses. For GCC; GCC errors out if they are not present (with an appropriately High level of warnings). Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert Seacord). The recently reported 1's complement security by replacing The value that is illegal in the PNG spec, in both signed and unsigned Values, with 0. Illegal unsigned values (anything greater than or equal to 0x80000000) can still pass through, but since these are not illegal in ANSI-C (unlike 0x80000000 in the signed case) the checking that. Occurs later can catch them (John Bowler). Png_save_int_32 when int is not 2's complement (John Bowler). Updated li
1.6.1824 Jul 2015 06:05 minor feature: Removed PNG_SET_CHUNK_ CACHE MALLOC _LIMIT_SUPPORTED macros. They have been combined with PNG_SET_USER_LIMITS_SUPPORTED (resolves bug report by Andrew Church). Fixed rgb_to_gray checks and added tRNS checks to pngvalid.c. This fixes some arithmetic errors that caused some tests to fail on some 32-bit platforms (Bug reports by Peter Breitenlohner i686 and Petr Gajdos i586 ). Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler. Bug report by Viktor Szaka'ts). Replaced "unexpected" with an integer (0xabadca11) in pngset.c where a long was expected, to avoid a compiler warning when PNG_DEBUG 1. Added contrib/examples/simpleover.c, to demonstrate how to handle alpha compositing of multiple images, using the "simplified API" and an example PNG generation tool, contrib/examples/genpng.c. John Bowler). PNG_RELEASE_BUILD replaces tests where the code depended on the build base type and can be defined on the command line, allowing testing in beta builds (John Bowler). Avoid Coverity (REVERSE NULL) in pngtest.c Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug report from Christopher Ferris). Backport filter selection code from libpng-1.7.0beta51, to combine sub_row, up_row, avg_row, and paeth_row into try_row and tst_row. Changed png_voidcast(), etc. to voidcast(), etc. in contrib/tools/pngfix.c to avoid confusion with the libpng private macros. Fixed old cut paste bug in the weighted filter selection code in pngwutil.c, introduced in libpng-0.95, March 1997. Removed WRITE_WEIGHTED_FILTERED code, to save a few kbytes of the compiled library size. It never worked properly and as far as we can tell, no one uses it. The png_set_filter_heuristics() and png_set_filter_heuristics_fixed() APIs are retained but deprecated and do nothing. Quieted some Coverity issues in pngfix.c, png-fix-itxt.c, pngvalid.c, pngstest.c, and pngimage.c. Most seem harmless, but png-fix-itxt would only work with iTXt chunks with length 255 or less. Removed non-workin
1.6.1727 Mar 2015 06:25 minor feature: Removed duplicate PNG_SAFE_LIMITS_SUPPORTED handling from pngconf.h Corrected the width limit calculation in png_check_IHDR(). Removed user limits from pngfix. Also pass NULL pointers to png_read_row to skip the unnecessary row de-interlace stuff. Added testing of png_set_packing() to pngvalid.c Regenerated configure scripts in the *.tar distributions with libtool-2.4.4 Implement previously untested cases of libpng transforms in pngvalid.c Fixed byte order in 2-byte filler, in png_do_read_filler(). Made the check for out-of-range values in png_set_tRNS() detect values that are exactly 2 bit_depth, and work on 16-bit platforms. Merged some parts of libpng-1.6.17beta01 and libpng-1.7.0beta47. Added #ifndef __COVERITY__ where needed in png.c, pngrutil.c and pngset.c to avoid warnings about dead code. Do not build png_product2() when it is unused. Display user limits in the output from pngtest. Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column and 1-million-row default limits in pnglibconf.dfa, that can be reset by the user at build time or run time. This provides a more robust defense against DOS and as-yet undiscovered overflows. Added PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED macro, on by default. Allow user to call png_get_IHDR() with NULL arguments. Rebuilt configure scripts with automake-1.15 and libtool-2.4.6 Moved png_set_filter() prototype into a PNG_WRITE_SUPPORTED block of png.h. Avoid runtime checks when converting integer to png_byte with Visual Studio. Removed some comments that the configure script did not handle properly from scripts/pnglibconf.dfa and pnglibconf.h.prebuilt. Free the unknown_chunks structure even when it contains no data. Updated CMakeLists.txt to add OSX framework, change YES/NO to ON/OFF for consistency, and remove some useless tests. Remove pnglibconf.h, pnglibconf.c, pnglibconf.pre, pnglibconf.dfn, and pnglibconf.out instead of pnglibconf.* in "make clean". Fixed simplified 8-bit-linear to sRGB alpha. The calcula
1.7.0beta5015 Feb 2015 23:45 minor feature: Combined sub_row, up_row, avg_row, and paeth_row buffers into a single try_row buffer and in cases where two or more of those are being tested, a second tst_row buffer. This improves CPU speed over that achieved by libpng-1.7.0beta49.
1.6.1616 Jan 2015 07:45 minor feature: Added ".align 2" to arm/filter_neon.S to support old GAS assemblers that don't do alignment correctly. Revised Makefile.am and scripts/*.dfn to work with MinGW/MSYS; renamed scripts/*.dfn to scripts/*.c (Bob Friesenhahn and John Bowler). Quiet a "comparison always true" warning in pngstest.c (John Bowler). Restored a test on width that was removed from png.c at libpng-1.6.9 Bug report by Alex Eubanks). Fixed an overflow in png_combine_row with very wide interlaced images.
1.6.1521 Nov 2014 03:15 minor feature: Changed "if (!x)" to "if (x == 0)" and "if (x)" to "if (x != 0)" Simplified png_free_data(). Added missing "ptr = NULL" after some instances of png_free(). Made a one-line revision to configure.ac to support ARM on aarch64 bug report by Marcin Juszkiewicz, fix by John Bowler). Avoid out-of-bounds memory access in png_user_version_check(). Simplified and future-proofed png_user_version_check(). Fixed GCC unsigned int- float warnings. Various versions of GCC seem to generate warnings when an unsigned value is implicitly converted to double. This is probably a GCC bug but this change avoids the issue by explicitly converting to (int) where safe. Free all allocated memory in pngimage. The file buffer cache was left allocated at the end of the program, harmless but it causes memory leak reports from clang. Fixed array size calculations to avoid warnings. At various points in the code the number of elements in an array is calculated using sizeof. This generates a compile time constant of type (size_t) which is then typically assigned to an (unsigned int) or (int). Some versions of GCC on 64-bit systems warn about the apparent narrowing, even though the same compiler does apparently generate the correct, in-range, numeric constant. This adds appropriate, safe, casts to make the warnings go away. Removed #ifdef PNG_16BIT_SUPPORTED/#endif around png_product2(); it is needed by png_reciprocal2(). Added #ifdef PNG_16BIT_SUPPORTED/#endif around png_log16bit() and png_do_swap(). Changed all "#endif /* PNG_FEATURE_SUPPORTED */" to "#endif /* FEATURE */" The macros passed in the command line to Borland make were ignored if similarly-named macros were already defined in makefiles. This behavior is different from POSIX make and other make programs. Surround the macro definitions with ifndef guards (Cosmin). Added "-D_CRT_SECURE_NO_WARNINGS" to CFLAGS in scripts/makefile.vcwin32. Removed the obsolete ARCH variable from scripts/makefile.darwin.
1.6.1422 Oct 2014 22:00 minor bugfix: Guard usage of png_ptr- options with #ifdef PNG_SET_OPTION_SUPPORTED. Do not build contrib/tools/pngfix.c when PNG_SETJMP_NOT_SUPPORTED, to allow "make" to complete without setjmp support (bug report by Claudio Fontana) Add "#include " to contrib/tools/pngfix.c (John Bowler) Use nanosleep() instead of usleep() in contrib/gregbook/rpng2-x.c because usleep() is deprecated. Define usleep() in contrib/gregbook/rpng2-x.c if not already defined in unistd.h and nanosleep() is not available; fixes error introduced in libpng-1.6.13. Define FE_DIVBYZERO, FE_INVALID, and FE_OVERFLOW in pngvalid.c if not already defined (bug report by "zootus at users.sourceforge.net"). Fixed incorrect handling of the iTXt compression flag in pngrutil.c (bug report by Shunsaku Hirata). Bug was introduced in libpng-1.6.0. Added "option READ_iCCP enables READ_COMPRESSED_TEXT" to pnglibconf.dfa Removed unused "text_len" parameter from private function png_write_zTXt(). Conditionally compile some code in png_deflate_claim(), when PNG_WARNINGS_SUPPORTED and PNG_ERROR_TEXT_SUPPORTED are disabled. Replaced repeated code in pngpread.c with PNG_PUSH_SAVE_BUFFER_IF_FULL. Added "chunk iTXt enables TEXT" and "chunk zTXt enables TEXT" to pnglibconf.dfa. Removed "option READ_COMPRESSED_TEXT enables READ_TEXT" from pnglibconf.dfa, to make it possible to configure a libpng that supports iCCP but not TEXT. Removed "option WRITE_COMPRESSED_TEXT enables WRITE_TEXT" from pnglibconf.dfa Only mark text chunks as written after successfully writing them. Fixed some typos in comments. Changed png_convert_to_rfc_1123() to png_convert_to_rfc_1123_buffer() in the manual, to reflect the change made in libpng-1.6.0. Updated README file to explain that direct access to the png_struct and info_struct members has not been permitted since libpng-1.5.0.