Recent Releases
1.6.45.24 Nov 2024 08:25
minor feature:
Hardened calculations in chroma handling to prevent overflows, and
relaxed a constraint in cHRM validation to accomodate the standard
ACES AP1 set of color primaries.
Removed the ASM implementation of ARM Neon optimizations and updated
the build accordingly. Only the remaining C implementation shall be
used from now on, thus ensuring the support of the PAC/BTI security
features on ARM64.
the pickup of the PNG_HARDWARE_OPTIMIZATIONS option in the
CMake build on FreeBSD/amd64. This is an important performance on this platform.
Applied various and improvements to the CMake build.
Added fuzzing targets for the simplified read API.
a build error involving pngtest.c under a custom config.
This was a regression introduced in a code cleanup in libpng-1.6.43.
and improved the config files for AppVeyor CI and Travis CI.
1.6.4424 Nov 2024 04:05
minor feature:
Hardened calculations in chroma handling to prevent overflows, and
relaxed a constraint in cHRM validation to accomodate the standard
ACES AP1 set of color primaries.
Removed the ASM implementation of ARM Neon optimizations and updated
the build accordingly. Only the remaining C implementation shall be
used from now on, thus ensuring the support of the PAC/BTI security
features on ARM64.
the pickup of the PNG_HARDWARE_OPTIMIZATIONS option in the
CMake build on FreeBSD/amd64. This is an important performance on this platform.
Applied various and improvements to the CMake build.
Added fuzzing targets for the simplified read API.
a build error involving pngtest.c under a custom config.
This was a regression introduced in a code cleanup in libpng-1.6.43.
and improved the config files for AppVeyor CI and Travis CI.
1.6.44.28 Feb 2024 06:45
minor feature:
the row width check in png_check_IHDR().
This corrected a that was specific to the 16-bit platforms,
and removed a spurious compiler warning from the 64-bit builds.
Added eXIf chunk support to the push-mode reader in pngpread.c.
Added contrib/pngexif for the benefit of the users who would like
to inspect the content of eXIf chunks.
Added contrib/conftest/basic.dfa, a basic build-time configuration.
a preprocessor condition in pngread.c that broke build-time
configurations like contrib/conftest/pngcp.dfa.
Added CMake build support for LoongArch LSX.
a CMake build error that occurred under a peculiar state of the
dependency tree. This was a regression introduced in libpng-1.6.41.
Marked the installed libpng headers as system headers in CMake.
Updated the build support for RISCOS.
Updated the makefiles to allow cross-platform builds to initialize
conventional make variables like AR and ARFLAGS.
Added various improvements to the CI scripts in areas like version
consistency verification and text linting.
Added version consistency verification to pngtest.c also.
1.6.4324 Feb 2024 21:45
minor feature:
the row width check in png_check_IHDR().
This corrected a that was specific to the 16-bit platforms,
and removed a spurious compiler warning from the 64-bit builds.
Added eXIf chunk support to the push-mode reader in pngpread.c.
Added contrib/pngexif for the benefit of the users who would like
to inspect the content of eXIf chunks.
Added contrib/conftest/basic.dfa, a basic build-time configuration.
a preprocessor condition in pngread.c that broke build-time
configurations like contrib/conftest/pngcp.dfa.
Added CMake build support for LoongArch LSX.
a CMake build error that occurred under a peculiar state of the
dependency tree. This was a regression introduced in libpng-1.6.41.
Marked the installed libpng headers as system headers in CMake.
Updated the build support for RISCOS.
Updated the makefiles to allow cross-platform builds to initialize
conventional make variables like AR and ARFLAGS.
Added various improvements to the CI scripts in areas like version
consistency verification and text linting.
Added version consistency verification to pngtest.c also.
1.6.43.03 Feb 2024 12:25
minor feature:
the implementation of the macro function `png_check_sig`.
This was an API regression, introduced in libpng-1.6.41.
Changes from version 1.6.40 to version 1.6.41.
Added SIMD-optimized code for the Loongarch LSX hardware.
the run-time discovery of MIPS MSA hardware.
an off-by-one error in the function `png_do_check_palette_indexes`,
which failed to recognize errors that might have existed in the first
column of a broken palette-encoded image. This was a benign regression
accidentally introduced in libpng-1.6.33. No pixel was harmed.
improved and modernized the contrib/pngminus programs, i.e. png2pnm.c and pnm2png.c.
Removed old and peculiar portability hacks that were meant to silence
warnings d by gcc version 7.1 alone.
and modernized the CMake file, and raised the minimum required
CMake version from 3.1 to 3.6.
Allowed the configure script to disable the building of auxiliary tools
and tests, thus catching up with the CMake file.
a build on Mac.
Moved the Autoconf macro files to scripts/autoconf.
Moved the CMake files (except for the main CMakeLists.txt) to
scripts/cmake and moved the list of their contributing authors to
scripts/cmake/AUTHORS.md.
Updated the CI configurations and scripts.
Relicensed the CI scripts to the MIT License.
Improved the test coverage.
1.6.4230 Jan 2024 22:05
minor feature:
the implementation of the macro function `png_check_sig`.
This was an API regression, introduced in libpng-1.6.41.
Changes from version 1.6.40 to version 1.6.41.
Added SIMD-optimized code for the Loongarch LSX hardware.
the run-time discovery of MIPS MSA hardware.
an off-by-one error in the function `png_do_check_palette_indexes`,
which failed to recognize errors that might have existed in the first
column of a broken palette-encoded image. This was a benign regression
accidentally introduced in libpng-1.6.33. No pixel was harmed.
improved and modernized the contrib/pngminus programs, i.e. png2pnm.c and pnm2png.c.
Removed old and peculiar portability hacks that were meant to silence
warnings d by gcc version 7.1 alone.
and modernized the CMake file, and raised the minimum required
CMake version from 3.1 to 3.6.
Allowed the configure script to disable the building of auxiliary tools
and tests, thus catching up with the CMake file.
a build on Mac.
Moved the Autoconf macro files to scripts/autoconf.
Moved the CMake files (except for the main CMakeLists.txt) to
scripts/cmake and moved the list of their contributing authors to
scripts/cmake/AUTHORS.md.
Updated the CI configurations and scripts.
Relicensed the CI scripts to the MIT License.
Improved the test coverage.
1.6.4125 Jan 2024 17:05
minor feature:
* Added SIMD-optimized code for the Loongarch LSX hardware.
(Contributed by GuXiWei, JinBo and ZhangLixia)
* Fixed the run-time discovery of MIPS MSA hardware.
(Contributed by Sui Jingfeng)
* Fixed an off-by-one error in the function `png_do_check_palette_indexes`,
which failed to recognize errors that might have existed in the first
column of a broken palette-encoded image. This was a benign regression
accidentally introduced in libpng-1.6.33. No pixel was harmed.
(Contributed by Adam Richter; reviewed by John Bowler)
* Fixed, improved and modernized the contrib/pngminus programs, i.e.,
png2pnm.c and pnm2png.c
* Removed old and peculiar portability hacks that were meant to silence
warnings issued by gcc version 7.1 alone.
(Contributed by John Bowler)
* Fixed and modernized the CMake file, and raised the minimum required
CMake version from 3.1 to 3.6.
(Contributed by Clinton Ingram, Timothy Lyanguzov, Tyler Kropp, et al.)
* Allowed the configure script to disable the building of auxiliary tools
and tests, thus catching up with the CMake file.
(Contributed by Carlo Bramini)
* Fixed a build issue on Mac.
(Contributed by Zixu Wang)
* Moved the Autoconf macro files to scripts/autoconf.
* Moved the CMake files (except for the main CMakeLists.txt) to
scripts/cmake and moved the list of their contributing authors to
scripts/cmake/AUTHORS.md
* Updated the CI configurations and scripts.
* Relicensed the CI scripts to the MIT License.
* Improved the test coverage.
(Contributed by John Bowler)
1.6.3522 Oct 2018 09:45
minor feature:
Restored 21 of the contrib/pngsuite/i*.png, which do not cause test
failures. Placed the remainder in contrib/pngsuite/interlaced/i*.png.
Added calls to png_set_*() transforms commonly used by browsers to
the fuzzer.
Removed some unnecessary brackets in pngrtran.c
miscellaneous typos.
Change "ASM C" to "C ASM" in CMakeLists.txt
incorrect handling of bKGD chunk in sub-8-bit files (Cosmin)
Added hardware optimization directories to zip and 7z distributions.
incorrect bitmask for options.
many spelling typos.
Make png_get_iCCP consistent with man page (allow compression-type argument
to be NULL, report by Lenard Szolnoki).
Replaced the remaining uses of png_size_t with size_t (Cosmin)
the calculation of row_factor in png_check_chunk_length
Added missing parentheses to a macro definition.
1.6.3329 Sep 2017 12:05
minor feature:
Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing
parenthesis in contrib/pngminus/pnm2png.c (report by Christian Hesse).
off-by-one error in png_do_check_palette_indexes() (report
by Mick P. Source Forge ).
Initialize png_handler.row_ptr in contrib/oss-fuzz/libpng_read_fuzzer.cc
to shortlived oss-fuzz.
Compute a larger limit on IDAT because some applications write a deflate
buffer for each row (report by Andrew Church).
Use current date (DATE) instead of release-date (RDATE) in last
changed date of contrib/oss-fuzz files.
Enabled ARM support in CMakeLists.txt (Bernd Kuhls).
incorrect typecast of some arguments to png_malloc() and
png_calloc() that were png_uint_32 instead of png_alloc_size_t.
report by "irwir" in Github libpng ).
Use pnglibconf.h.prebuilt when building for ANDROID with cmake (Github.
by rcdailey).
Initialize memory allocated by png_inflate to zero, using memset, to
stop an oss-fuzz "use of uninitialized value" detection in png_set_text_2()
due to truncated iTXt or zTXt chunk.
Initialize memory allocated by png_read_buffer to zero, using memset, to
stop an oss-fuzz "use of uninitialized value" detection in
png_icc_check_tag_table() due to truncated iCCP chunk.
Removed a redundant test.
Added an interlaced version of each file in contrib/pngsuite.
Relocate new memset() call in pngrutil.c.
Removed more redundant tests.
Add support for loading images with associated alpha in the Simplified
API (Samuel Williams).
Revert contrib/oss-fuzz/libpng_read_fuzzer.cc to libpng-1.6.32 state.
Initialize png_handler.row_ptr in contrib/oss-fuzz/libpng_read_fuzzer.cc
Add end_info structure and png_read_end() to the libpng fuzzer.
1.6.3225 Aug 2017 14:05
minor feature:
Avoid possible NULL dereference in png_handle_eXIf when benign_errors
are allowed. Avoid leaking the input buffer "eXIf_buf".
Eliminated png_ptr- num_exif member from pngstruct.h and added num_exif
to arguments for png_get_eXIf() and png_set_eXIf().
Added calls to png_handle_eXIf(() in pngread.c and png_write_eXIf() in
pngwrite.c, and made various other to png_write_eXIf().
Changed name of png_get_eXIF and png_set_eXIf() to png_get_eXIf_1() and
png_set_eXIf_1(), respectively, to avoid breaking API compatibility
with libpng-1.6.31.
Updated contrib/libtests/pngunknown.c with eXIf chunk.
Initialized btoa in pngstest.c
Stop memory leak when returning from png_handle_eXIf() with an error.
report from the OSS-fuzz project).
Replaced local eXIf_buf with info_ptr-eXIf_buf in png_handle_eXIf().
Update libpng.3 and libpng-manual.txt about eXIf functions.
Restored png_get_eXIf() and png_set_eXIf() to maintain API compatability.
Removed png_get_eXIf_1() and png_set_eXIf_1().
Check length of all chunks except IDAT against user limit to an
OSS-fuzz.
Check length of IDAT against maximum possible IDAT size, accounting
for height, rowbytes, interlacing and zlib/deflate overhead.
Restored png_get_eXIf_1() and png_set_eXIf_1(), because strlen(eXIf_buf)
does not work (the eXIf chunk data can contain zeroes).
Require cmake-2.8.8 in CMakeLists.txt. Revised symlink creation,
no longer using deprecated cmake LOCATION feature (Clifford Yapp).
five-byte error in the calculation of IDAT maximum possible size.
Moved chunk-length check into a png_check_chunk_length() private
function.
Moved bad pngs from tests to contrib/libtests/crashers
Moved testing of bad pngs into a separate tests/pngtest-badpngs script
Added the --xfail (expected FAIL) option to pngtest.c. It writes XFAIL
in the output but PASS for the libpng test.
Require cmake-3.0.2 in CMakeLists.txt (Clifford Yapp).
const" declaration info_ptr argument to png_get_eXIf_1() and the
num_exif argument to png_get_eXIf_1() (Github ).
Added
1.6.3128 Jul 2017 10:25
minor feature:
Guard the definition of _POSIX_SOURCE in pngpriv.h (AIX already defines it;
report by Michael Felt).
Revised pngpriv.h to work around failure to compile arm/filter_neon.S.
typedef" directive is unrecognized by the assembler). The problem
was introduced in libpng-1.6.30beta01.
Added "Requires: zlib" to libpng.pc.in (Pieter Neerincx).
Added special case for FreeBSD in arm/filter_neon.S (Maya Rashish).
Added instructions for disabling hardware optimizations in INSTALL.
Added "--enable-hardware-optimizations" configuration flag to enable
or disable all hardware optimizations with one flag.
Updated CMakeLists.txt to add INTEL_SSE and MIPS_MSA platforms.
Changed "int" to "png_size_t" in intel/filter_sse2.c to prevent
possible integer overflow (report by John Bowler).
Quieted "declaration after statement" warnings in intel/filter_sse2.c.
Added scripts/makefile-linux-opt, which has hardware optimizations enabled.
Removed one of the GCC-7.1.0 'strict-overflow' warnings that result when
integers appear on both sides of a compare. Worked around the others by
forcing the strict-overflow setting in the relevant functions to a level
where they are not reported (John Bowler).
Changed "FALL THROUGH" comments to "FALLTHROUGH" because GCC doesn't like
the space.
Worked around some C-style casts from (void*) because g++ 5.4.0 objects
to them.
Increased the buffer size for 'sprint' to pass the gcc 7.1.0 'sprint
overflow' check that is on by default with -Wall -Wextra.
Added eXIf chunk support.
Added a minimal eXIf chunk (with Orientation and FocalLengthIn35mmFilm
tags) to pngtest.png.
1.6.3029 Jun 2017 15:25
minor feature:
Added missing " (CPPFLAGS)" to the compile line for c.pic.o in
makefile.linux and makefile.solaris-x86 (Cosmin).
Revised documentation of png_get_error_ptr() in the libpng manual.
Silence clang -Wcomma and const drop warnings (Viktor Szakats).
Update Sourceforge URLs in documentation (https instead of http).
Document need to check for integer overflow when allocating a pixel
buffer for multiple rows in contrib/gregbook, contrib/pngminus,
example.c, and in the manual. This
is similar to the reported against pngquant in CVE-2016-5735.
Removed reference to the obsolete PNG_SAFE_LIMITS macro in the documentation.
Check for integer overflow in contrib/visupng and contrib/tools/genpng.
Do not double evaluate CMAKE_SYSTEM_PROCESSOR in CMakeLists.txt.
Test CMAKE_HOST_WIN32 instead of WIN32 in CMakeLists.txt.
some URL in documentation.
Avoid writing an empty IDAT when the last IDAT exactly fills the
compression buffer (report by Brian Baird). This was
introduced in libpng-1.6.0.
Update copyright year in pnglibconf.h, make ltmain.sh executable.
Add a reference to the libpng.download site in README.
1.6.2917 Mar 2017 20:45
minor feature:
Readded "include(GNUInstallDirs)" to CMakeLists.txt (Gianfranco Costamagna).
Moved SSE2 optimization code into the main libpng source directory.
Configure libpng with "configure --enable-intel-sse" or compile
libpng with "-DPNG_INTEL_SSE" in CPPFLAGS to enable it.
Simplified conditional compilation in pngvalid.c, for AIX (Michael Felt).
Avoid conditional directives that break statements in pngrutil.c (Romero
Malaquias)
The contrib/examples/pngtopng.c recovery code was in the wrong "if"
branches; the comments were correct.
Added code for PowerPC VSX optimisation (Vadim Barkov).
Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).
Change test ZLIB_VERNUM = 0x1281 to ZLIB_VERNUM = 0x1290 in pngrutil.c
because Solaris 11 distributes zlib-1.2.8.f that is older than 1.2.8.1.
Suppress clang warnings about implicit sign changes in png.c.
1.6.2806 Jan 2017 03:18
minor feature:
Arm/aarch64 detection in CMakeLists.txt (Gianfranco Costamagna).
Added option to Cmake build allowing a custom location of zlib to be.
Specified in a scenario where libpng is being built as a subproject
Alongside zlib by another project (Sam Serrels).
Changed png_ptr- options from a png_byte to png_uint_32, to accomodate
up to 16 options.
1.6.2730 Dec 2016 06:45
minor feature:
Control ADLER32 checking with new PNG_IGNORE_ADLER32 option.
Removed the use of a macro containing the pre-processor 'defined'.
Operator. It is unclear whether this is valid; a macro that
generates" 'defined' is not permitted, but the use of the word.
generates" within the C90 standard seems to imply more than simple.
Substitution of an expression itself containing a well-formed defined
Operation.
Added ARM support to CMakeLists.txt (Andreas Franek).
a potential null pointer dereference in png_set_text_2() (report.
And patch by Patrick Keshishian).
1.6.2620 Oct 2016 22:45
minor feature:
Handling zero length IDAT in png(report by Agostino Sarubbo,
by John Bowler).
Do not a png_error() on read in png_set_pCAL() because png_handle_pCAL.
Has allocated memory that libpng needs to free.
Conditionally compile png_set_benign_errors() in pngread.c and pngtest.c
a png_benign_error instead of a png_error on ADLER32 mismatch.
While decoding compressed data chunks.
Changed PNG_ZLIB_VERNUM to ZLIB_VERNUM in pngpriv.h, pngstruct.h, and.
Pngrutil.c.
If CRC handling of critical chunks has been set to PNG_CRC_QUIET_USE.
Ignore the ADLER32 checksum in the IDAT chunk as well as the chunk CRCs.
Png_benign_error() on ADLER32 checksum mismatch instead of png_error().
Add tests/badcrc.png and tests/badadler.png to tests/pngtest.
Merged pngtest.c with libpng-1.7.0beta84/pngtest.c
Updated the documentation about CRC and ADLER32 handling.
Quieted 117 warnings from clang-3.8 in pngtrans.c, pngread.c.
Pngwrite.c, pngunknown.c, and pngvalid.c.
Quieted the 144 remaining -Wconversion compiler warnings by.
Revising the png_isaligned() macro and trivial changes in png.c,
Pngerror.c, pngget.c, pngmem.c, pngset.c, pngrtran.c, pngrutil.c,
Pngwtran.c, pngwrite.c, and pngwutil.c.
Quieted (bogus?) clang warnings about "absolute value has no effect".
When PNG_USE_ABS is defined.
Offsets in contrib/intel/intel_sse.patch
Changed integer constant 4294967294 to unsigned 4294967294U in pngconf.h
to avoid a signed/unsigned compare in the preprocessor.
Use zlib-1.2.8.1 inflateValidate() instead of inflateReset2() to.
Optionally avoid ADLER32 evaluation.
Cosmetic change, "ptr != 0" to "ptr != NULL" in png.c and pngrutil.c
Despammed email addresses.
1.6.2502 Sep 2016 17:25
minor feature:
Reject oversized iCCP profile immediately.
Cleaned up PNG_DEcompile of pngtest.c.
Conditionally compile png_inflate().
Don't install pngcp; it conflicts with pngcp in the pngtools package.
Minor editing of INSTALL, (whitespace, added copyright line)
Added MIPS support (Mandar Sahastrabuddhe ).
Rebased contrib/intel/intel_sse.patch after the MIPS implementation.
1.6.2404 Aug 2016 03:25
minor feature:
Avoid potential overflow of the PNG_IMAGE_SIZE macro. This macro
is not used within libpng, but is used in some of the examples.
Correct filter heuristic overflow handling. This was broken when the.
Write filter code was moved out-of-line; if there is a single filter and
The heuristic sum overflows the calculation of the filtered line is not
Completed. In versions prior to 1.6 the code was duplicated in-line
And the check not performed, so the filter operation completed; however,
in the multi-filter case where the sum is performed the 'none' filter would
be selected if all the sums overflowed, even if it wasn't in the filter.
List. The to the first problem is simply to provide PNG_SIZE_MAX as
The current lmins sum value; this means the sum can never exceed it and
Overflows silently. A reasonable compiler that does choose to inline
The code will simply eliminate the sum check.
The to the second problem is to use high precision arithmetic (this is.
Implemented in 1.7), however a simple safe here is to chose the lowest
Numbered filter in the list from png_set_filter (this only works if the
First problem is also ) (John Bowler).
Use a more efficient absolute value calculation on SSE2 (Matthieu Darbois).
The case where PNG_IMAGE_BUFFER_SIZE can overflow in the application
as a result of the application using an increased 'row_stride'; previously.
Png_image_finish_read only checked for overflow on the base calculation of
Components. (I.e. it checked for overflow of a 32-bit number on the total
Number of pixel components in the output format, not the possibly padded row
Length and not the number of bytes, which for linear formats is twice the
Number of components.)
MSVC does not like '-(unsigned)', so replaced it with 0U-(unsigned)
MSVC does not like (uInt) = -(unsigned) (i.e. as an initializer), unless.
The conversion is explicitly invoked by a cast.
Put the SKIP definition in the correct place. It needs to come after the.
Png.h include (see all the other.c files in contr
1.6.2310 Jun 2016 09:25
minor feature:
Stop a potential memory leak in png_set_tRNS() (report by Ted Ying).
The progressive reader to handle empty first IDAT chunk properly. This was introduced in libpng-1.6.0 and
Only affected the libpng16 branch.
Added tests in pngvalid.c to check zero-length IDAT chunks in various.
Positions. the sequential reader to handle these more robustly
John Bowler).
Corrected progressive read input buffer in pngvalid.c. The previous version.
The code invariably passed just one byte at a time to libpng. The intent
Was to pass a random number of bytes in the range 0..511.
Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch.
Added missing ")" in pngerror.c (Matt Sarrett).
Undefined behavior in png_push_save_buffer(). Do not call
Memcpy() with a null source, even if count is zero (Leon Scroggins III).
Bad link to RFC2083 in png.5 (Nikola Forro).
1.6.2227 May 2016 22:25
minor feature:
Changed PNG_USE_MKSTEMP to __COVERITY__ to select alternate
tmpfile()" implementation in contrib/libtests/pngstest.c
NO_STDIO build of pngunknown.c to skip calling png_init_io()
if there is no stdio.h support.
Added a png_image_write_to_memory() API and a number of assist macros
to allow an application that uses the simplified API write to bypass
stdio and write directly to memory.
Added some warnings (png.h) and some check code to detect *possible*
overflow in the ROW_STRIDE and simplified image SIZE macros. This
disallows image width/height/format that *might overflow. This is
a quiet API change that limits in-memory image size (uncompressed) to
less than 4GByte and image row size (stride) to less than 2GByte.
Revised workaround for false-positive Coverity in pngvalid.c.
Only use exit(77) in configure builds.
Updated CMakeLists.txt, added supporting scripts/gen*.cmake.in
and test.cmake.in (Roger Leigh).
Relaxed limit checks on gamma values in pngrtran.c. As suggested in
the comments gamma values outside the range currently permitted
by png_set_alpha_mode are useful for HDR data encoding. These values
are already permitted by png_set_gamma so it is reasonable caution to
extend the png_set_alpha_mode range as HDR imaging systems are starting
to emerge.
Added a common-law trademark notice and export control information
to the LICENSE file, png.h, and the man page.
Restored " 0xff" in png_save_uint_16() and png_save_uint_32() that
were accidentally removed from libpng-1.6.17.
Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h.
Robert C. Seacord).
Removed dubious "#if INT_MAX" test from png.h that was added to
libpng-1.6.19 (John Bowler).
Add INCLUDES in scripts/genout.cmake.in (report by Nixon Kwok).
Updated LICENSE to say files in the contrib directory are not
necessarily under the libpng license, and that some makefiles have
other copyright owners.
Added INTEL-SSE2 support (Mike Klein and Matt Sarett, Google, Inc.).
Made contrib/libtests/time
1.6.2116 Jan 2016 03:45
minor feature:
Syntax " (command)" in tests/pngstest that some shells other than
Bash could not parse (report by Nelson Beebe). Use `command` instead.
Moved png_check_keyword() from pngwutil.c to pngset.c
Removed LE/BE dependencies in pngvalid, to '' the current problem
in the BigEndian tests by not testing it, making the BE code the same
as the LE version.
to pngvalid for various reduced build configurations (eliminate unused.
Statics) and a for the case in rgb_to_gray when the digitize option
Reduces graylo to 0, producing a large error.
Widened the 'limit' check on the internally calculated error limits in.
The 'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error
Checks) and changed the check to only operate in non-release builds
base build type not RC or RELEASE.).
Undefined behavior in pngvalid.c, undefined because
png_byte)
1.6.2004 Dec 2015 03:15
minor feature:
Avoid potential pointer overflow/underflow in png_handle_sPLT() and
Png_handle_pCAL() (report by John Regehr).
Incorrect implementation of png_set_PLTE() that uses png_ptr
Not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
Vulnerability.
Backported tests from libpng-1.7.0beta69.
an error in handling of bad zlib CMINFO field in png, found by
American Fuzzy Lop, reported by Brian Carpenter. inflate() doesn't.
Immediately fault a bad CMINFO field; instead a 'too far back' error
Happens later (at least some times). pngfailed to limit CMINFO to
The allowed values but then assumed that window_bits was in range,
Triggering an assert. The is mostly harmless; the PNG file cannot
be.
In libpng 1.6 zlib initialization was changed to use the window size
in the zlib stream, not a value. This causes some invalid images.
Where CINFO is too large, to display 'correctly' if the rest of the
Data is valid. This provides a workaround for zlib versions where the
Error arises (ones that support the API change to use the window size
in the stream).
1.6.1913 Nov 2015 03:16
minor feature:
Updated obsolete information about the simplified API macros in the
Manual pages (report by Arc Riley).
Avoid potentially dereferencing NULL info_ptr in png_info_init_3().
Rearranged png.h to put the major sections in the same order as
in libpng17.
Eliminated unused PNG_COST_SHIFT, PNG_WEIGHT_SHIFT, PNG_COST_FACTOR, and
PNG_WEIGHT_FACTOR macros.
Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler.
report by Viktor Szakats). Several warnings remain and are.
Unavoidable, where we test for overflow.
Potential leak of png_pixels in contrib/pngminus/pnm2png.c
Uninitialized variable in contrib/gregbook/rpng2-x.c
Moved config.h.in from the "libpng_autotools_files" list to the.
libpng_autotools_extra" list in autogen.sh because it was causing a.
False positive for missing files (report by Robert C. Seacord).
Removed unreachable "break" statements in png.c, pngread.c, and pngrtran.c
to suppress clang warnings (report by Viktor Szakats).
Some bad links in the man page.
Changed "n bit" to "n-bit" in comments.
Added signed/unsigned 16-bit safety net. This removes the dubious
0x8000 flag definitions on 16-bit systems. They aren't supported.
Yet the defs *probably work, however it seems much safer to do this
And be advised if anyone, contrary to advice, is building libpng 1.6
on a 16-bit system. It also adds back various switch default clauses.
For GCC; GCC errors out if they are not present (with an appropriately
High level of warnings).
Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
Seacord).
The recently reported 1's complement security by replacing
The value that is illegal in the PNG spec, in both signed and unsigned
Values, with 0. Illegal unsigned values (anything greater than or equal
to 0x80000000) can still pass through, but since these are not illegal
in ANSI-C (unlike 0x80000000 in the signed case) the checking that.
Occurs later can catch them (John Bowler).
Png_save_int_32 when int is not 2's complement (John Bowler).
Updated li
1.6.1824 Jul 2015 06:05
minor feature:
Removed PNG_SET_CHUNK_ CACHE MALLOC _LIMIT_SUPPORTED macros. They
have been combined with PNG_SET_USER_LIMITS_SUPPORTED (resolves
bug report by Andrew Church).
Fixed rgb_to_gray checks and added tRNS checks to pngvalid.c. This
fixes some arithmetic errors that caused some tests to fail on
some 32-bit platforms (Bug reports by Peter Breitenlohner i686
and Petr Gajdos i586 ).
Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler.
Bug report by Viktor Szaka'ts).
Replaced "unexpected" with an integer (0xabadca11) in pngset.c
where a long was expected, to avoid a compiler warning when PNG_DEBUG 1.
Added contrib/examples/simpleover.c, to demonstrate how to handle
alpha compositing of multiple images, using the "simplified API"
and an example PNG generation tool, contrib/examples/genpng.c.
John Bowler).
PNG_RELEASE_BUILD replaces tests where the code depended on the build base
type and can be defined on the command line, allowing testing in beta
builds (John Bowler).
Avoid Coverity (REVERSE NULL) in pngtest.c
Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug
report from Christopher Ferris).
Backport filter selection code from libpng-1.7.0beta51, to combine
sub_row, up_row, avg_row, and paeth_row into try_row and tst_row.
Changed png_voidcast(), etc. to voidcast(), etc. in contrib/tools/pngfix.c
to avoid confusion with the libpng private macros.
Fixed old cut paste bug in the weighted filter selection code in
pngwutil.c, introduced in libpng-0.95, March 1997.
Removed WRITE_WEIGHTED_FILTERED code, to save a few kbytes of the
compiled library size. It never worked properly and as far as we can
tell, no one uses it. The png_set_filter_heuristics() and
png_set_filter_heuristics_fixed() APIs are retained but deprecated
and do nothing.
Quieted some Coverity issues in pngfix.c, png-fix-itxt.c, pngvalid.c,
pngstest.c, and pngimage.c. Most seem harmless, but png-fix-itxt
would only work with iTXt chunks with length 255 or less.
Removed non-workin
1.6.1727 Mar 2015 06:25
minor feature:
Removed duplicate PNG_SAFE_LIMITS_SUPPORTED handling from pngconf.h
Corrected the width limit calculation in png_check_IHDR().
Removed user limits from pngfix. Also pass NULL pointers to
png_read_row to skip the unnecessary row de-interlace stuff.
Added testing of png_set_packing() to pngvalid.c
Regenerated configure scripts in the *.tar distributions with libtool-2.4.4
Implement previously untested cases of libpng transforms in pngvalid.c
Fixed byte order in 2-byte filler, in png_do_read_filler().
Made the check for out-of-range values in png_set_tRNS() detect
values that are exactly 2 bit_depth, and work on 16-bit platforms.
Merged some parts of libpng-1.6.17beta01 and libpng-1.7.0beta47.
Added #ifndef __COVERITY__ where needed in png.c, pngrutil.c and
pngset.c to avoid warnings about dead code.
Do not build png_product2() when it is unused.
Display user limits in the output from pngtest.
Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
and 1-million-row default limits in pnglibconf.dfa, that can be reset
by the user at build time or run time. This provides a more robust
defense against DOS and as-yet undiscovered overflows.
Added PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED macro, on by default.
Allow user to call png_get_IHDR() with NULL arguments.
Rebuilt configure scripts with automake-1.15 and libtool-2.4.6
Moved png_set_filter() prototype into a PNG_WRITE_SUPPORTED block
of png.h.
Avoid runtime checks when converting integer to png_byte with
Visual Studio.
Removed some comments that the configure script did not handle
properly from scripts/pnglibconf.dfa and pnglibconf.h.prebuilt.
Free the unknown_chunks structure even when it contains no data.
Updated CMakeLists.txt to add OSX framework, change YES/NO to ON/OFF
for consistency, and remove some useless tests.
Remove pnglibconf.h, pnglibconf.c, pnglibconf.pre, pnglibconf.dfn,
and pnglibconf.out instead of pnglibconf.* in "make clean".
Fixed simplified 8-bit-linear to sRGB alpha. The calcula
1.7.0beta5015 Feb 2015 23:45
minor feature:
Combined sub_row, up_row, avg_row, and paeth_row buffers into a
single try_row buffer and in cases where two or more of those are
being tested, a second tst_row buffer. This improves CPU speed
over that achieved by libpng-1.7.0beta49.
1.6.1616 Jan 2015 07:45
minor feature:
Added ".align 2" to arm/filter_neon.S to support old GAS assemblers that
don't do alignment correctly.
Revised Makefile.am and scripts/*.dfn to work with MinGW/MSYS;
renamed scripts/*.dfn to scripts/*.c (Bob Friesenhahn and John Bowler).
Quiet a "comparison always true" warning in pngstest.c (John Bowler).
Restored a test on width that was removed from png.c at libpng-1.6.9
Bug report by Alex Eubanks).
Fixed an overflow in png_combine_row with very wide interlaced images.
1.6.1521 Nov 2014 03:15
minor feature:
Changed "if (!x)" to "if (x == 0)" and "if (x)" to "if (x != 0)"
Simplified png_free_data().
Added missing "ptr = NULL" after some instances of png_free().
Made a one-line revision to configure.ac to support ARM on aarch64
bug report by Marcin Juszkiewicz, fix by John Bowler).
Avoid out-of-bounds memory access in png_user_version_check().
Simplified and future-proofed png_user_version_check().
Fixed GCC unsigned int- float warnings. Various versions of GCC
seem to generate warnings when an unsigned value is implicitly
converted to double. This is probably a GCC bug but this change
avoids the issue by explicitly converting to (int) where safe.
Free all allocated memory in pngimage. The file buffer cache was left
allocated at the end of the program, harmless but it causes memory
leak reports from clang.
Fixed array size calculations to avoid warnings. At various points
in the code the number of elements in an array is calculated using
sizeof. This generates a compile time constant of type (size_t) which
is then typically assigned to an (unsigned int) or (int). Some versions
of GCC on 64-bit systems warn about the apparent narrowing, even though
the same compiler does apparently generate the correct, in-range,
numeric constant. This adds appropriate, safe, casts to make the
warnings go away.
Removed #ifdef PNG_16BIT_SUPPORTED/#endif around png_product2(); it is
needed by png_reciprocal2().
Added #ifdef PNG_16BIT_SUPPORTED/#endif around png_log16bit() and
png_do_swap().
Changed all "#endif /* PNG_FEATURE_SUPPORTED */" to "#endif /* FEATURE */"
The macros passed in the command line to Borland make were ignored if
similarly-named macros were already defined in makefiles. This behavior
is different from POSIX make and other make programs. Surround the
macro definitions with ifndef guards (Cosmin).
Added "-D_CRT_SECURE_NO_WARNINGS" to CFLAGS in scripts/makefile.vcwin32.
Removed the obsolete ARCH variable from scripts/makefile.darwin.
1.6.1422 Oct 2014 22:00
minor bugfix:
Guard usage of png_ptr- options with #ifdef PNG_SET_OPTION_SUPPORTED.
Do not build contrib/tools/pngfix.c when PNG_SETJMP_NOT_SUPPORTED,
to allow "make" to complete without setjmp support (bug report by
Claudio Fontana)
Add "#include " to contrib/tools/pngfix.c (John Bowler)
Use nanosleep() instead of usleep() in contrib/gregbook/rpng2-x.c
because usleep() is deprecated.
Define usleep() in contrib/gregbook/rpng2-x.c if not already defined
in unistd.h and nanosleep() is not available; fixes error introduced
in libpng-1.6.13.
Define FE_DIVBYZERO, FE_INVALID, and FE_OVERFLOW in pngvalid.c if not
already defined (bug report by "zootus at users.sourceforge.net").
Fixed incorrect handling of the iTXt compression flag in pngrutil.c
(bug report by Shunsaku Hirata). Bug was introduced in libpng-1.6.0.
Added "option READ_iCCP enables READ_COMPRESSED_TEXT" to pnglibconf.dfa
Removed unused "text_len" parameter from private function png_write_zTXt().
Conditionally compile some code in png_deflate_claim(), when
PNG_WARNINGS_SUPPORTED and PNG_ERROR_TEXT_SUPPORTED are disabled.
Replaced repeated code in pngpread.c with PNG_PUSH_SAVE_BUFFER_IF_FULL.
Added "chunk iTXt enables TEXT" and "chunk zTXt enables TEXT"
to pnglibconf.dfa.
Removed "option READ_COMPRESSED_TEXT enables READ_TEXT" from pnglibconf.dfa,
to make it possible to configure a libpng that supports iCCP but not TEXT.
Removed "option WRITE_COMPRESSED_TEXT enables WRITE_TEXT" from pnglibconf.dfa
Only mark text chunks as written after successfully writing them.
Fixed some typos in comments.
Changed png_convert_to_rfc_1123() to png_convert_to_rfc_1123_buffer()
in the manual, to reflect the change made in libpng-1.6.0.
Updated README file to explain that direct access to the png_struct
and info_struct members has not been permitted since libpng-1.5.0.