1.6.3128 Jul 2017 10:25
Guard the definition of _POSIX_SOURCE in pngpriv.h (AIX already defines it;
report by Michael Felt).
Revised pngpriv.h to work around failure to compile arm/filter_neon.S.
typedef" directive is unrecognized by the assembler). The problem
was introduced in libpng-1.6.30beta01.
Added "Requires: zlib" to libpng.pc.in (Pieter Neerincx).
Added special case for FreeBSD in arm/filter_neon.S (Maya Rashish).
Added instructions for disabling hardware optimizations in INSTALL.
Added "--enable-hardware-optimizations" configuration flag to enable
or disable all hardware optimizations with one flag.
Updated CMakeLists.txt to add INTEL_SSE and MIPS_MSA platforms.
Changed "int" to "png_size_t" in intel/filter_sse2.c to prevent
possible integer overflow (report by John Bowler).
Quieted "declaration after statement" warnings in intel/filter_sse2.c.
Added scripts/makefile-linux-opt, which has hardware optimizations enabled.
Removed one of the GCC-7.1.0 'strict-overflow' warnings that result when
integers appear on both sides of a compare. Worked around the others by
forcing the strict-overflow setting in the relevant functions to a level
where they are not reported (John Bowler).
Changed "FALL THROUGH" comments to "FALLTHROUGH" because GCC doesn't like
Worked around some C-style casts from (void*) because g++ 5.4.0 objects
Increased the buffer size for 'sprint' to pass the gcc 7.1.0 'sprint
overflow' check that is on by default with -Wall -Wextra.
Added eXIf chunk support.
Added a minimal eXIf chunk (with Orientation and FocalLengthIn35mmFilm
tags) to pngtest.png.
1.6.3029 Jun 2017 15:25
Added missing " (CPPFLAGS)" to the compile line for c.pic.o in
makefile.linux and makefile.solaris-x86 (Cosmin).
Revised documentation of png_get_error_ptr() in the libpng manual.
Silence clang -Wcomma and const drop warnings (Viktor Szakats).
Update Sourceforge URLs in documentation (https instead of http).
Document need to check for integer overflow when allocating a pixel
buffer for multiple rows in contrib/gregbook, contrib/pngminus,
example.c, and in the manual. This
is similar to the reported against pngquant in CVE-2016-5735.
Removed reference to the obsolete PNG_SAFE_LIMITS macro in the documentation.
Check for integer overflow in contrib/visupng and contrib/tools/genpng.
Do not double evaluate CMAKE_SYSTEM_PROCESSOR in CMakeLists.txt.
Test CMAKE_HOST_WIN32 instead of WIN32 in CMakeLists.txt.
some URL in documentation.
Avoid writing an empty IDAT when the last IDAT exactly fills the
compression buffer (report by Brian Baird). This was
introduced in libpng-1.6.0.
Update copyright year in pnglibconf.h, make ltmain.sh executable.
Add a reference to the libpng.download site in README.
1.6.2917 Mar 2017 20:45
Readded "include(GNUInstallDirs)" to CMakeLists.txt (Gianfranco Costamagna).
Moved SSE2 optimization code into the main libpng source directory.
Configure libpng with "configure --enable-intel-sse" or compile
libpng with "-DPNG_INTEL_SSE" in CPPFLAGS to enable it.
Simplified conditional compilation in pngvalid.c, for AIX (Michael Felt).
Avoid conditional directives that break statements in pngrutil.c (Romero
The contrib/examples/pngtopng.c recovery code was in the wrong "if"
branches; the comments were correct.
Added code for PowerPC VSX optimisation (Vadim Barkov).
Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).
Change test ZLIB_VERNUM = 0x1281 to ZLIB_VERNUM = 0x1290 in pngrutil.c
because Solaris 11 distributes zlib-1.2.8.f that is older than 18.104.22.168.
Suppress clang warnings about implicit sign changes in png.c.
1.6.2806 Jan 2017 03:18
Arm/aarch64 detection in CMakeLists.txt (Gianfranco Costamagna).
Added option to Cmake build allowing a custom location of zlib to be.
Specified in a scenario where libpng is being built as a subproject
Alongside zlib by another project (Sam Serrels).
Changed png_ptr- options from a png_byte to png_uint_32, to accomodate
up to 16 options.
1.6.2730 Dec 2016 06:45
Control ADLER32 checking with new PNG_IGNORE_ADLER32 option.
Removed the use of a macro containing the pre-processor 'defined'.
Operator. It is unclear whether this is valid; a macro that
generates" 'defined' is not permitted, but the use of the word.
generates" within the C90 standard seems to imply more than simple.
Substitution of an expression itself containing a well-formed defined
Added ARM support to CMakeLists.txt (Andreas Franek).
a potential null pointer dereference in png_set_text_2() (report.
And patch by Patrick Keshishian).
1.6.2620 Oct 2016 22:45
Handling zero length IDAT in png(report by Agostino Sarubbo,
by John Bowler).
Do not a png_error() on read in png_set_pCAL() because png_handle_pCAL.
Has allocated memory that libpng needs to free.
Conditionally compile png_set_benign_errors() in pngread.c and pngtest.c
a png_benign_error instead of a png_error on ADLER32 mismatch.
While decoding compressed data chunks.
Changed PNG_ZLIB_VERNUM to ZLIB_VERNUM in pngpriv.h, pngstruct.h, and.
If CRC handling of critical chunks has been set to PNG_CRC_QUIET_USE.
Ignore the ADLER32 checksum in the IDAT chunk as well as the chunk CRCs.
Png_benign_error() on ADLER32 checksum mismatch instead of png_error().
Add tests/badcrc.png and tests/badadler.png to tests/pngtest.
Merged pngtest.c with libpng-1.7.0beta84/pngtest.c
Updated the documentation about CRC and ADLER32 handling.
Quieted 117 warnings from clang-3.8 in pngtrans.c, pngread.c.
Pngwrite.c, pngunknown.c, and pngvalid.c.
Quieted the 144 remaining -Wconversion compiler warnings by.
Revising the png_isaligned() macro and trivial changes in png.c,
Pngerror.c, pngget.c, pngmem.c, pngset.c, pngrtran.c, pngrutil.c,
Pngwtran.c, pngwrite.c, and pngwutil.c.
Quieted (bogus?) clang warnings about "absolute value has no effect".
When PNG_USE_ABS is defined.
Offsets in contrib/intel/intel_sse.patch
Changed integer constant 4294967294 to unsigned 4294967294U in pngconf.h
to avoid a signed/unsigned compare in the preprocessor.
Use zlib-22.214.171.124 inflateValidate() instead of inflateReset2() to.
Optionally avoid ADLER32 evaluation.
Cosmetic change, "ptr != 0" to "ptr != NULL" in png.c and pngrutil.c
Despammed email addresses.
1.6.2502 Sep 2016 17:25
Reject oversized iCCP profile immediately.
Cleaned up PNG_DEcompile of pngtest.c.
Conditionally compile png_inflate().
Don't install pngcp; it conflicts with pngcp in the pngtools package.
Minor editing of INSTALL, (whitespace, added copyright line)
Added MIPS support (Mandar Sahastrabuddhe ).
Rebased contrib/intel/intel_sse.patch after the MIPS implementation.
1.6.2404 Aug 2016 03:25
Avoid potential overflow of the PNG_IMAGE_SIZE macro. This macro
is not used within libpng, but is used in some of the examples.
Correct filter heuristic overflow handling. This was broken when the.
Write filter code was moved out-of-line; if there is a single filter and
The heuristic sum overflows the calculation of the filtered line is not
Completed. In versions prior to 1.6 the code was duplicated in-line
And the check not performed, so the filter operation completed; however,
in the multi-filter case where the sum is performed the 'none' filter would
be selected if all the sums overflowed, even if it wasn't in the filter.
List. The to the first problem is simply to provide PNG_SIZE_MAX as
The current lmins sum value; this means the sum can never exceed it and
Overflows silently. A reasonable compiler that does choose to inline
The code will simply eliminate the sum check.
The to the second problem is to use high precision arithmetic (this is.
Implemented in 1.7), however a simple safe here is to chose the lowest
Numbered filter in the list from png_set_filter (this only works if the
First problem is also ) (John Bowler).
Use a more efficient absolute value calculation on SSE2 (Matthieu Darbois).
The case where PNG_IMAGE_BUFFER_SIZE can overflow in the application
as a result of the application using an increased 'row_stride'; previously.
Png_image_finish_read only checked for overflow on the base calculation of
Components. (I.e. it checked for overflow of a 32-bit number on the total
Number of pixel components in the output format, not the possibly padded row
Length and not the number of bytes, which for linear formats is twice the
Number of components.)
MSVC does not like '-(unsigned)', so replaced it with 0U-(unsigned)
MSVC does not like (uInt) = -(unsigned) (i.e. as an initializer), unless.
The conversion is explicitly invoked by a cast.
Put the SKIP definition in the correct place. It needs to come after the.
Png.h include (see all the other.c files in contr
1.6.2310 Jun 2016 09:25
Stop a potential memory leak in png_set_tRNS() (report by Ted Ying).
The progressive reader to handle empty first IDAT chunk properly. This was introduced in libpng-1.6.0 and
Only affected the libpng16 branch.
Added tests in pngvalid.c to check zero-length IDAT chunks in various.
Positions. the sequential reader to handle these more robustly
Corrected progressive read input buffer in pngvalid.c. The previous version.
The code invariably passed just one byte at a time to libpng. The intent
Was to pass a random number of bytes in the range 0..511.
Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch.
Added missing ")" in pngerror.c (Matt Sarrett).
Undefined behavior in png_push_save_buffer(). Do not call
Memcpy() with a null source, even if count is zero (Leon Scroggins III).
Bad link to RFC2083 in png.5 (Nikola Forro).
1.6.2227 May 2016 22:25
Changed PNG_USE_MKSTEMP to __COVERITY__ to select alternate
tmpfile()" implementation in contrib/libtests/pngstest.c
NO_STDIO build of pngunknown.c to skip calling png_init_io()
if there is no stdio.h support.
Added a png_image_write_to_memory() API and a number of assist macros
to allow an application that uses the simplified API write to bypass
stdio and write directly to memory.
Added some warnings (png.h) and some check code to detect *possible*
overflow in the ROW_STRIDE and simplified image SIZE macros. This
disallows image width/height/format that *might overflow. This is
a quiet API change that limits in-memory image size (uncompressed) to
less than 4GByte and image row size (stride) to less than 2GByte.
Revised workaround for false-positive Coverity in pngvalid.c.
Only use exit(77) in configure builds.
Updated CMakeLists.txt, added supporting scripts/gen*.cmake.in
and test.cmake.in (Roger Leigh).
Relaxed limit checks on gamma values in pngrtran.c. As suggested in
the comments gamma values outside the range currently permitted
by png_set_alpha_mode are useful for HDR data encoding. These values
are already permitted by png_set_gamma so it is reasonable caution to
extend the png_set_alpha_mode range as HDR imaging systems are starting
Added a common-law trademark notice and export control information
to the LICENSE file, png.h, and the man page.
Restored " 0xff" in png_save_uint_16() and png_save_uint_32() that
were accidentally removed from libpng-1.6.17.
Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h.
Robert C. Seacord).
Removed dubious "#if INT_MAX" test from png.h that was added to
libpng-1.6.19 (John Bowler).
Add INCLUDES in scripts/genout.cmake.in (report by Nixon Kwok).
Updated LICENSE to say files in the contrib directory are not
necessarily under the libpng license, and that some makefiles have
other copyright owners.
Added INTEL-SSE2 support (Mike Klein and Matt Sarett, Google, Inc.).
1.6.2116 Jan 2016 03:45
Syntax " (command)" in tests/pngstest that some shells other than
Bash could not parse (report by Nelson Beebe). Use `command` instead.
Moved png_check_keyword() from pngwutil.c to pngset.c
Removed LE/BE dependencies in pngvalid, to '' the current problem
in the BigEndian tests by not testing it, making the BE code the same
as the LE version.
to pngvalid for various reduced build configurations (eliminate unused.
Statics) and a for the case in rgb_to_gray when the digitize option
Reduces graylo to 0, producing a large error.
Widened the 'limit' check on the internally calculated error limits in.
The 'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error
Checks) and changed the check to only operate in non-release builds
base build type not RC or RELEASE.).
Undefined behavior in pngvalid.c, undefined because
1.6.2004 Dec 2015 03:15
Avoid potential pointer overflow/underflow in png_handle_sPLT() and
Png_handle_pCAL() (report by John Regehr).
Incorrect implementation of png_set_PLTE() that uses png_ptr
Not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
Backported tests from libpng-1.7.0beta69.
an error in handling of bad zlib CMINFO field in png, found by
American Fuzzy Lop, reported by Brian Carpenter. inflate() doesn't.
Immediately fault a bad CMINFO field; instead a 'too far back' error
Happens later (at least some times). pngfailed to limit CMINFO to
The allowed values but then assumed that window_bits was in range,
Triggering an assert. The is mostly harmless; the PNG file cannot
In libpng 1.6 zlib initialization was changed to use the window size
in the zlib stream, not a value. This causes some invalid images.
Where CINFO is too large, to display 'correctly' if the rest of the
Data is valid. This provides a workaround for zlib versions where the
Error arises (ones that support the API change to use the window size
in the stream).
1.6.1913 Nov 2015 03:16
Updated obsolete information about the simplified API macros in the
Manual pages (report by Arc Riley).
Avoid potentially dereferencing NULL info_ptr in png_info_init_3().
Rearranged png.h to put the major sections in the same order as
Eliminated unused PNG_COST_SHIFT, PNG_WEIGHT_SHIFT, PNG_COST_FACTOR, and
Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler.
report by Viktor Szakats). Several warnings remain and are.
Unavoidable, where we test for overflow.
Potential leak of png_pixels in contrib/pngminus/pnm2png.c
Uninitialized variable in contrib/gregbook/rpng2-x.c
Moved config.h.in from the "libpng_autotools_files" list to the.
libpng_autotools_extra" list in autogen.sh because it was causing a.
False positive for missing files (report by Robert C. Seacord).
Removed unreachable "break" statements in png.c, pngread.c, and pngrtran.c
to suppress clang warnings (report by Viktor Szakats).
Some bad links in the man page.
Changed "n bit" to "n-bit" in comments.
Added signed/unsigned 16-bit safety net. This removes the dubious
0x8000 flag definitions on 16-bit systems. They aren't supported.
Yet the defs *probably work, however it seems much safer to do this
And be advised if anyone, contrary to advice, is building libpng 1.6
on a 16-bit system. It also adds back various switch default clauses.
For GCC; GCC errors out if they are not present (with an appropriately
High level of warnings).
Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
The recently reported 1's complement security by replacing
The value that is illegal in the PNG spec, in both signed and unsigned
Values, with 0. Illegal unsigned values (anything greater than or equal
to 0x80000000) can still pass through, but since these are not illegal
in ANSI-C (unlike 0x80000000 in the signed case) the checking that.
Occurs later can catch them (John Bowler).
Png_save_int_32 when int is not 2's complement (John Bowler).
1.6.1824 Jul 2015 06:05
Removed PNG_SET_CHUNK_ CACHE MALLOC _LIMIT_SUPPORTED macros. They
have been combined with PNG_SET_USER_LIMITS_SUPPORTED (resolves
bug report by Andrew Church).
Fixed rgb_to_gray checks and added tRNS checks to pngvalid.c. This
fixes some arithmetic errors that caused some tests to fail on
some 32-bit platforms (Bug reports by Peter Breitenlohner i686
and Petr Gajdos i586 ).
Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler.
Bug report by Viktor Szaka'ts).
Replaced "unexpected" with an integer (0xabadca11) in pngset.c
where a long was expected, to avoid a compiler warning when PNG_DEBUG 1.
Added contrib/examples/simpleover.c, to demonstrate how to handle
alpha compositing of multiple images, using the "simplified API"
and an example PNG generation tool, contrib/examples/genpng.c.
PNG_RELEASE_BUILD replaces tests where the code depended on the build base
type and can be defined on the command line, allowing testing in beta
builds (John Bowler).
Avoid Coverity (REVERSE NULL) in pngtest.c
Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug
report from Christopher Ferris).
Backport filter selection code from libpng-1.7.0beta51, to combine
sub_row, up_row, avg_row, and paeth_row into try_row and tst_row.
Changed png_voidcast(), etc. to voidcast(), etc. in contrib/tools/pngfix.c
to avoid confusion with the libpng private macros.
Fixed old cut paste bug in the weighted filter selection code in
pngwutil.c, introduced in libpng-0.95, March 1997.
Removed WRITE_WEIGHTED_FILTERED code, to save a few kbytes of the
compiled library size. It never worked properly and as far as we can
tell, no one uses it. The png_set_filter_heuristics() and
png_set_filter_heuristics_fixed() APIs are retained but deprecated
and do nothing.
Quieted some Coverity issues in pngfix.c, png-fix-itxt.c, pngvalid.c,
pngstest.c, and pngimage.c. Most seem harmless, but png-fix-itxt
would only work with iTXt chunks with length 255 or less.
1.6.1727 Mar 2015 06:25
Removed duplicate PNG_SAFE_LIMITS_SUPPORTED handling from pngconf.h
Corrected the width limit calculation in png_check_IHDR().
Removed user limits from pngfix. Also pass NULL pointers to
png_read_row to skip the unnecessary row de-interlace stuff.
Added testing of png_set_packing() to pngvalid.c
Regenerated configure scripts in the *.tar distributions with libtool-2.4.4
Implement previously untested cases of libpng transforms in pngvalid.c
Fixed byte order in 2-byte filler, in png_do_read_filler().
Made the check for out-of-range values in png_set_tRNS() detect
values that are exactly 2 bit_depth, and work on 16-bit platforms.
Merged some parts of libpng-1.6.17beta01 and libpng-1.7.0beta47.
Added #ifndef __COVERITY__ where needed in png.c, pngrutil.c and
pngset.c to avoid warnings about dead code.
Do not build png_product2() when it is unused.
Display user limits in the output from pngtest.
Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
and 1-million-row default limits in pnglibconf.dfa, that can be reset
by the user at build time or run time. This provides a more robust
defense against DOS and as-yet undiscovered overflows.
Added PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED macro, on by default.
Allow user to call png_get_IHDR() with NULL arguments.
Rebuilt configure scripts with automake-1.15 and libtool-2.4.6
Moved png_set_filter() prototype into a PNG_WRITE_SUPPORTED block
Avoid runtime checks when converting integer to png_byte with
Removed some comments that the configure script did not handle
properly from scripts/pnglibconf.dfa and pnglibconf.h.prebuilt.
Free the unknown_chunks structure even when it contains no data.
Updated CMakeLists.txt to add OSX framework, change YES/NO to ON/OFF
for consistency, and remove some useless tests.
Remove pnglibconf.h, pnglibconf.c, pnglibconf.pre, pnglibconf.dfn,
and pnglibconf.out instead of pnglibconf.* in "make clean".
Fixed simplified 8-bit-linear to sRGB alpha. The calcula
1.7.0beta5015 Feb 2015 23:45
Combined sub_row, up_row, avg_row, and paeth_row buffers into a
single try_row buffer and in cases where two or more of those are
being tested, a second tst_row buffer. This improves CPU speed
over that achieved by libpng-1.7.0beta49.
1.6.1616 Jan 2015 07:45
Added ".align 2" to arm/filter_neon.S to support old GAS assemblers that
don't do alignment correctly.
Revised Makefile.am and scripts/*.dfn to work with MinGW/MSYS;
renamed scripts/*.dfn to scripts/*.c (Bob Friesenhahn and John Bowler).
Quiet a "comparison always true" warning in pngstest.c (John Bowler).
Restored a test on width that was removed from png.c at libpng-1.6.9
Bug report by Alex Eubanks).
Fixed an overflow in png_combine_row with very wide interlaced images.
1.6.1521 Nov 2014 03:15
Changed "if (!x)" to "if (x == 0)" and "if (x)" to "if (x != 0)"
Added missing "ptr = NULL" after some instances of png_free().
Made a one-line revision to configure.ac to support ARM on aarch64
bug report by Marcin Juszkiewicz, fix by John Bowler).
Avoid out-of-bounds memory access in png_user_version_check().
Simplified and future-proofed png_user_version_check().
Fixed GCC unsigned int- float warnings. Various versions of GCC
seem to generate warnings when an unsigned value is implicitly
converted to double. This is probably a GCC bug but this change
avoids the issue by explicitly converting to (int) where safe.
Free all allocated memory in pngimage. The file buffer cache was left
allocated at the end of the program, harmless but it causes memory
leak reports from clang.
Fixed array size calculations to avoid warnings. At various points
in the code the number of elements in an array is calculated using
sizeof. This generates a compile time constant of type (size_t) which
is then typically assigned to an (unsigned int) or (int). Some versions
of GCC on 64-bit systems warn about the apparent narrowing, even though
the same compiler does apparently generate the correct, in-range,
numeric constant. This adds appropriate, safe, casts to make the
warnings go away.
Removed #ifdef PNG_16BIT_SUPPORTED/#endif around png_product2(); it is
needed by png_reciprocal2().
Added #ifdef PNG_16BIT_SUPPORTED/#endif around png_log16bit() and
Changed all "#endif /* PNG_FEATURE_SUPPORTED */" to "#endif /* FEATURE */"
The macros passed in the command line to Borland make were ignored if
similarly-named macros were already defined in makefiles. This behavior
is different from POSIX make and other make programs. Surround the
macro definitions with ifndef guards (Cosmin).
Added "-D_CRT_SECURE_NO_WARNINGS" to CFLAGS in scripts/makefile.vcwin32.
Removed the obsolete ARCH variable from scripts/makefile.darwin.
1.6.1422 Oct 2014 22:00
Guard usage of png_ptr- options with #ifdef PNG_SET_OPTION_SUPPORTED.
Do not build contrib/tools/pngfix.c when PNG_SETJMP_NOT_SUPPORTED,
to allow "make" to complete without setjmp support (bug report by
Add "#include " to contrib/tools/pngfix.c (John Bowler)
Use nanosleep() instead of usleep() in contrib/gregbook/rpng2-x.c
because usleep() is deprecated.
Define usleep() in contrib/gregbook/rpng2-x.c if not already defined
in unistd.h and nanosleep() is not available; fixes error introduced
Define FE_DIVBYZERO, FE_INVALID, and FE_OVERFLOW in pngvalid.c if not
already defined (bug report by "zootus at users.sourceforge.net").
Fixed incorrect handling of the iTXt compression flag in pngrutil.c
(bug report by Shunsaku Hirata). Bug was introduced in libpng-1.6.0.
Added "option READ_iCCP enables READ_COMPRESSED_TEXT" to pnglibconf.dfa
Removed unused "text_len" parameter from private function png_write_zTXt().
Conditionally compile some code in png_deflate_claim(), when
PNG_WARNINGS_SUPPORTED and PNG_ERROR_TEXT_SUPPORTED are disabled.
Replaced repeated code in pngpread.c with PNG_PUSH_SAVE_BUFFER_IF_FULL.
Added "chunk iTXt enables TEXT" and "chunk zTXt enables TEXT"
Removed "option READ_COMPRESSED_TEXT enables READ_TEXT" from pnglibconf.dfa,
to make it possible to configure a libpng that supports iCCP but not TEXT.
Removed "option WRITE_COMPRESSED_TEXT enables WRITE_TEXT" from pnglibconf.dfa
Only mark text chunks as written after successfully writing them.
Fixed some typos in comments.
Changed png_convert_to_rfc_1123() to png_convert_to_rfc_1123_buffer()
in the manual, to reflect the change made in libpng-1.6.0.
Updated README file to explain that direct access to the png_struct
and info_struct members has not been permitted since libpng-1.5.0.