Closed Bug 2001758 Opened 1 month ago Closed 1 month ago

Update libpng to new version v1.6.51 from 2025-11-21 23:01:00

Categories

(Core :: Graphics: ImageLib, enhancement)

RESOLVED FIXED
147 Branch
Tracking Status
firefox147 --- fixed

People

(Reporter: update-bot, Assigned: tnikkel)

Details

(Whiteboard: [3pl-filed][task_id: CdZXqf7-Q3y9UewuprhDfA])

Attachments

(2 files)

This update covers 39 commits. Here are the overall diff statistics, and then the commit information.


media/libpng/ANNOUNCE | 47 ++++--
media/libpng/AUTHORS | 1 +
media/libpng/CHANGES | 26 +++
media/libpng/README | 2 +-
media/libpng/arm/arm_init.c | 2 +-
media/libpng/arm/filter_neon.S | 6 -
media/libpng/libpng-manual.txt | 15 +-
media/libpng/moz.yaml | 2 +-
media/libpng/png.c | 20 +-
media/libpng/png.h | 106 +-------------
media/libpng/pngconf.h | 2 +-
media/libpng/pngdebug.h | 3 -
media/libpng/pngerror.c | 138 +------------------
media/libpng/pngget.c | 162 ----------------------
media/libpng/pnginfo.h | 13 -
media/libpng/pngpread.c | 169 -----------------------
media/libpng/pngpriv.h | 67 +--------
media/libpng/pngread.c | 155 ++++++++++----------
media/libpng/pngrtran.c | 116 ++++++++++-----
media/libpng/pngrutil.c | 291 ----------------------------------------
media/libpng/pngset.c | 145 -------------------
media/libpng/pngstruct.h | 22 ---
media/libpng/pngwrite.c | 50 +------
media/libpng/pngwutil.c | 142 -------------------
media/libpng/riscv/riscv_init.c | 27 +---
25 files changed, 246 insertions(+), 1483 deletions(-)


49363adcfaf098748d7a4c8c624ad8c45a8c3a86 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86
Authored: 2025-11-21 23:01:00 +0200
Committed: 2025-11-21 23:01:00 +0200

Release libpng version 1.6.51

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • libpng-manual.txt
  • libpng.3
  • libpngpf.3
  • png.5
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

869ed49945e48ca31e5add8e727fa07dd7b10dc8 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/869ed49945e48ca31e5add8e727fa07dd7b10dc8
Authored: 2025-11-21 21:52:02 +0200
Committed: 2025-11-21 21:52:02 +0200

Update the main AUTHORS file

Files Modified:

  • AUTHORS

fe855702dec58a205580dc127e2c92d765e61262 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/fe855702dec58a205580dc127e2c92d765e61262
Authored: 2025-11-21 21:40:56 +0200
Committed: 2025-11-21 21:40:56 +0200

chore: Rerun ./autogen.sh --maintainer

Files Modified:

  • configure

b7fc38c91008c50b825bedfc693b1f594ca0e6f2 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/b7fc38c91008c50b825bedfc693b1f594ca0e6f2
Authored: 2025-11-21 20:43:36 +0200
Committed: 2025-11-21 20:43:36 +0200

ci: Update the branch and tag exclusions on AppVeyor CI

As we plan to release libpng-1.8.0, with the 'libpng18' branch being
the new default, we are also discontinuing the 'master' branch as an
alias branch. Update the exclusions in the AppVeyor CI configuration
file, replacing 'libpng00' to 'libpng18' with 'master'.

Also update the regular expression that excludes release tags to
account for all 'vNN.NN.NN' tag names.

Files Modified:

  • .appveyor.yml

c53a3237e3de2d0efb86cdc9de52fac18b143fa0 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/c53a3237e3de2d0efb86cdc9de52fac18b143fa0
Authored: 2025-11-21 19:12:40 +0200
Committed: 2025-11-21 19:12:40 +0200

chore: Disable automatic charset detection in .editorconfig-checker

Work around a regression in editorconfig-checker version 3.5.0.
In this new version, editorconfig-checker fails to validate ASCII as
a valid subset of UTF-8.

This commit unblocks the GitHub linting action.

Files Modified:

  • .editorconfig-checker.json

728ac129b152654660fb22ce49d34ad2fc507bb2 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/728ac129b152654660fb22ce49d34ad2fc507bb2
Authored: 2025-11-21 19:03:57 +0200
Committed: 2025-11-21 19:03:57 +0200

chore: Update .gitignore to exclude more local files

Files Modified:

  • .gitignore

3a3d485a7564de4f1f348628864a774a4af16af8 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/3a3d485a7564de4f1f348628864a774a4af16af8
Authored: 2025-11-21 17:57:36 +0200
Committed: 2025-11-21 17:57:36 +0200

riscv: Fix -Wundef compiler warnings and relax RVV version checks

Fix a regression from commit 816b008d8fcb9f741bcacdb29e72955914936856.

When the build was not optimized for RVV (PNG_RISCV_RVV_OPT == 0),
the macro PNG_RISCV_RVV_IMPLEMENTATION was left undefined, even though
it is checked with #if instead of #ifdef in the source code.
Additionally, the RVV version checks included an upper bound check
(__riscv_v < 1900000) that disabled the RVV-optimized path for any
future RVV 1.9+ version.

We added the missing fallback definition and we removed the v1.9+ upper
bound. The RVV optimizations are now enabled for any RISC-V compiler
that supports RVV 1.0 or later, following the expectation that minor
version updates shall maintain compatibility.

Files Modified:

  • pngpriv.h

218612ddd6b17944e21eda56caf8b4bf7779d1ea by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
Authored: 2025-11-19 21:45:13 +0200
Committed: 2025-11-19 21:45:13 +0200

Rearchitect the fix to the buffer overflow in png_image_finish_read

Undo the fix from commit 16b5e3823918840aae65c0a6da57c78a5a496a4d.
That fix turned out to be unnecessarily limiting. It rejected all
16-to-8 bit transformations, although the vulnerability only affects
interlaced PNGs where png_combine_row writes using IHDR bit-depth
before the transformation completes.

The proper solution is to add an intermediate local_row buffer,
specifically for the slow but necessary step of 16-to-8 bit conversion
of interlaced images. (The processing of non-interlaced images remains
intact, using the fast path.) We added the flag do_local_scale and
the function png_image_read_direct_scaled, following the pattern that
involves do_local_compose.

In conclusion:

  • The 16-to-8 bit transformations of interlaced images are now safe,
    as they use an intermediate buffer.
  • The 16-to-8 bit transformations of non-interlaced images remain safe,
    as the fast path remains unchanged.
  • All our regression tests are now passing.

Files Modified:

  • pngread.c

16b5e3823918840aae65c0a6da57c78a5a496a4d by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d
Authored: 2025-11-17 20:38:47 +0200
Committed: 2025-11-17 20:38:47 +0200

Fix a buffer overflow in png_image_finish_read

Reject bit-depth mismatches between IHDR and the requested output
format. When a 16-bit PNG is processed with an 8-bit output format
request, png_combine_row writes using the IHDR depth before
transformation, causing writes beyond the buffer allocated via
PNG_IMAGE_SIZE(image).

The validation establishes a safe API contract where
PNG_IMAGE_SIZE(image) is guaranteed to be sufficient across the
transformation pipeline.

Example overflow (32×32 pixels, 16-bit RGB to 8-bit RGBA):

  • Input format: 16 bits/channel × 3 channels = 6144 bytes
  • Output buffer: 8 bits/channel × 4 channels = 4096 bytes
  • Overflow: 6144 bytes - 4096 bytes = 2048 bytes

Larger images produce proportionally larger overflows. For example,
for 256×256 pixels, the overflow is 131072 bytes.

Reported-by: yosiimich <yosiimich@users.noreply.github.com>

Files Modified:

  • pngread.c

08da33b4c88cfcd36e5a706558a8d7e0e4773643 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643
Authored: 2025-11-12 13:46:23 +0200
Committed: 2025-11-12 13:46:23 +0200

Fix a buffer overflow in png_init_read_transformations

The palette compositing code in png_init_read_transformations was
incorrectly applying background compositing when PNG_FLAG_OPTIMIZE_ALPHA
was set. This violated the premultiplied alpha invariant
component <= alpha expected by png_image_read_composite, causing
values that exceeded the valid range for the PNG_sRGB_FROM_LINEAR lookup
tables.

When PNG_ALPHA_OPTIMIZED is active, palette entries should contain pure
premultiplied RGB values without background compositing. The background
compositing must happen later in png_image_read_composite where the
actual background color from the PNG file is available.

The fix consists in introducing conditional behavior based on
PNG_FLAG_OPTIMIZE_ALPHA: when set, the code performs only
premultiplication using the formula (component * alpha + 127) / 255
with proper gamma correction. When not set, the original background
compositing calculation based on the png_composite macro is preserved.

This prevents buffer overflows in png_image_read_composite where
out-of-range premultiplied values would cause out-of-bounds array access
in png_sRGB_base[] and png_sRGB_delta[].

Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
Analyzed-by: John Bowler <jbowler@acm.org>

Files Modified:

  • pngrtran.c

83b23a888b4395c3ae0af3f6d484fce3e4a81155 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/83b23a888b4395c3ae0af3f6d484fce3e4a81155
Authored: 2025-11-10 11:11:42 +0200
Committed: 2025-11-10 11:11:42 +0200

refactor: Delete unreachable code from png_do_read_transformations

After calling png_do_quantize from png_do_read_transformations,
rowbytes (i.e. the length in bytes of a non-empty row) is always
non-zero. The subsequent call to png_error was therefore unreachable.

Files Modified:

  • pngrtran.c

6a528eb5fd0dd7f6de1c39d30de0e41473431c37 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37
Authored: 2025-11-08 23:58:26 +0200
Committed: 2025-11-10 11:11:42 +0200

Fix a buffer overflow in png_do_quantize

Allocate the quantize_index array to PNG_MAX_PALETTE_LENGTH (256 bytes)
instead of num_palette bytes. This approach matches the allocation
pattern for palette[], trans_alpha[] and riffled_palette[] which
were similarly oversized in libpng 1.2.1 to prevent buffer overflows
from malformed PNG files with out-of-range palette indices.

Out-of-range palette indices index >= num_palette will now read
identity-mapped values from the quantize_index array (where index N
maps to palette entry N). This prevents undefined behavior while
avoiding runtime bounds checking overhead in the performance-critical
pixel processing loop.

Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
Analyzed-by: degrigis <degrigis@users.noreply.github.com>

Files Modified:

  • pngrtran.c

ea094764f3436e3c6524622724c2d342a3eff235 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/ea094764f3436e3c6524622724c2d342a3eff235
Authored: 2025-11-08 17:16:59 +0200
Committed: 2025-11-10 11:11:42 +0200

Fix a memory leak in function png_set_quantize; refactor

Release the previously-allocated array quantize_index before
reallocating it. This avoids leaking memory when the function
png_set_quantize is called multiple times on the same png_struct.

This function assumed single-call usage, but fuzzing revealed that
repeated calls would overwrite the pointers without freeing the
original allocations, leaking 256 bytes per call for quantize_index
and additional memory for quantize_sort when histogram-based
quantization is used.

Also remove the array quantize_sort from the list of png_struct
members and make it a local variable. This array is initialized,
used and released exclusively inside the function png_set_quantize.

Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
Analyzed-by: degrigis <degrigis@users.noreply.github.com>
Reviewed-by: John Bowler <jbowler@acm.org>

Files Modified:

  • pngrtran.c
  • pngstruct.h

2bd84c019c300b78e811743fbcddb67c9d9bf821 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821
Authored: 2025-11-07 22:40:05 +0200
Committed: 2025-11-09 18:39:33 +0200

Fix a heap buffer overflow in png_write_image_8bit

The condition guarding the pre-transform path incorrectly allowed 8-bit
input data to enter png_write_image_8bit which expects 16-bit input.
This caused out-of-bounds reads when processing 8-bit grayscale+alpha
images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746),
with the convert_to_8bit flag set (an invalid combination that should
bypass the pre-transform path).

The second part of the condition, i.e.

colormap == 0 && convert_to_8bit != 0

failed to verify that input was 16-bit, i.e.

linear != 0

contradicting the comment "This only applies when the input is 16-bit".

The fix consists in restructuring the condition to ensure both the
alpha path and the convert_to_8bit path require linear (16-bit)
input. The corrected condition, i.e.

linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)

matches the expectation of the png_write_image_8bit function and
prevents treating 8-bit buffers as 16-bit data.

Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
Reported-by: weijinjinnihao <weijinjinnihao@users.noreply.github.com>
Analyzed-by: degrigis <degrigis@users.noreply.github.com>
Reviewed-by: John Bowler <jbowler@acm.org>

Files Modified:

  • pngwrite.c

bd41aa64d34609a9f39944fd241c24f38bb7c3d6 by Tobias Stoeckmann <tobias@stoeckmann.org>

https://github.com/pnggroup/libpng/commit/bd41aa64d34609a9f39944fd241c24f38bb7c3d6
Authored: 2025-09-29 22:06:04 +0200
Committed: 2025-09-29 22:10:27 +0200

api! Remove the experimental (and incomplete) ERROR_NUMBERS code

The purpose of this feature is to optionally prepend standardized
numbers to error and warning messages. The ERROR_NUMBERS feature was
first drafted in libpng-1.2.0 and further developed in libpng-1.4.0;
and yet, it was always disabled by default, and never completed.

In the light of a recent report concerning the security hazards arising
from enabling this code in custom libpng builds, we think it's best to
simply remove all the code written to support this feature.

Based on removal in libpng18, but keeping functions and options as
no-ops for backwards compatibility.

Co-authored-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • png.c
  • pngdebug.h
  • pngerror.c
  • pngpriv.h

c6913e22dfb791e02d333cd174e73c4d6c22b805 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/c6913e22dfb791e02d333cd174e73c4d6c22b805
Authored: 2025-09-29 14:38:59 +0300
Committed: 2025-09-29 14:38:59 +0300

chore: Update .gitignore to exclude local coding agent files

This is a cherry-pick of commit 8cfbbab55715674d7ea7f123707806f8b44228ab
from branch 'libpng18'.

Files Modified:

  • .gitignore

99230a0368ccd1f31e974b9dd8cd8bcebaa30d00 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/99230a0368ccd1f31e974b9dd8cd8bcebaa30d00
Authored: 2025-09-03 21:18:33 +0300
Committed: 2025-09-03 21:18:33 +0300

refactor: Delete conditional compilation for libpng 1.6.0 or earlier

This is a cherry-pick of commit 5ff29c03bbe19992dcfe173a8db8528b4317ae4b
from branch 'libpng18'

Files Modified:

  • contrib/libtests/pngimage.c
  • contrib/libtests/pngstest.c
  • contrib/libtests/pngunknown.c
  • contrib/libtests/pngvalid.c
  • libpng-manual.txt
  • libpng.3

27de46c5a418d0cd8b2bded5a4430ff48deb2920 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/27de46c5a418d0cd8b2bded5a4430ff48deb2920
Authored: 2025-09-01 16:50:02 +0300
Committed: 2025-09-01 16:50:02 +0300

ci: Run autogen.sh without --maintainer in ci_verify_configure.sh

The autogen.sh script is not user-serviceable in the 'libpng16' branch,
which implies the following:

  • It requires the --maintainer option.
  • It should not be run by the CI tooling.

Starting from the branch 'libpng18' onwards, the autogen.sh script
becomes not only user-serviceable, but also mandatory, which implies:

  • It should be run by the CI tooling.
  • It does not require the --maintainer option.

Removing the option --maintainer from ci_verify_configure.sh should
not only simplify the verification script, but also catch errors that
might occur in the above-mentioned scenarios.

This is a cherry-pick of commit 2cd45a9728fa054ccf17e4cac5a9dd77f46251a0
from branch 'libpng18'.

Files Modified:

  • ci/ci_verify_configure.sh

e4e25f2e986456481c728e2327c9912b30bdcbfb by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/e4e25f2e986456481c728e2327c9912b30bdcbfb
Authored: 2025-09-01 16:44:51 +0300
Committed: 2025-09-01 16:44:51 +0300

ci: Add GitHub Actions for verifying libpng on Linux, macOS and Windows

This is a cherry-pick of commit 03f83b88c16605d670dff6070956a47b116e0787
from branch 'libpng18'.

Files Added:

  • .github/workflows/verify-linux.yml
  • .github/workflows/verify-macos.yml
  • .github/workflows/verify-windows.yml

134ab615b617f548e822d8857f1cfc0525aefeba by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/134ab615b617f548e822d8857f1cfc0525aefeba
Authored: 2025-07-17 23:00:16 +0300
Committed: 2025-07-17 23:06:50 +0300

chore: Update .gitignore

This is a cherry-pick of commit c14037646e4f61a7a6cc65c96cf9c3188af25022
from branch 'develop'.

Files Modified:

  • .gitignore

8fb19f2e2fe0ffa80c6f462eb1d8685f3d428604 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/8fb19f2e2fe0ffa80c6f462eb1d8685f3d428604
Authored: 2025-07-14 22:05:50 +0300
Committed: 2025-07-15 19:54:49 +0300

doc: Update and reorganize the png.5 man page

This is a cherry-pick of commit 929ad805c5aa15321e8236897a8b0225607d3182
from branch 'develop'.

Co-authored-by: Chris Lilley <chris@w3.org>

Files Modified:

  • png.5

816b008d8fcb9f741bcacdb29e72955914936856 by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/816b008d8fcb9f741bcacdb29e72955914936856
Authored: 2025-07-08 09:48:51 +0200
Committed: 2025-07-15 18:34:33 +0300

riscv: Leverage __riscv_v in pngpriv.h

Reviewed-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • pngpriv.h
  • riscv/riscv_init.c

7916eb7ba08e97ac97c71784e15f78e3ffcd838c by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/7916eb7ba08e97ac97c71784e15f78e3ffcd838c
Authored: 2025-07-07 11:08:35 +0200
Committed: 2025-07-15 18:34:33 +0300

riscv: Support only RVV 1.0

Reviewed-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Deleted:

  • contrib/riscv-rvv/README
  • contrib/riscv-rvv/linux.c

Files Modified:

  • CMakeLists.txt
  • configure.ac
  • riscv/riscv_init.c

7cecdcae0715bbf7a4b643071e0d39f05d5e7f52 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/7cecdcae0715bbf7a4b643071e0d39f05d5e7f52
Authored: 2025-07-03 22:42:11 +0300
Committed: 2025-07-03 22:42:11 +0300

Harden a vestigial check against overflow inside png_zalloc

Reported-by: Sergio Atienza Pastor, MTP Métodos y Tecnología

Files Modified:

  • png.c

cf59edd364b28de01fa6089a46e6ff8efe677074 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/cf59edd364b28de01fa6089a46e6ff8efe677074
Authored: 2025-07-02 20:24:24 +0300
Committed: 2025-07-02 20:24:24 +0300

Bump version to 1.6.51.git

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

2b978915d82377df13fcbb1fb56660195ded868a by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/2b978915d82377df13fcbb1fb56660195ded868a
Authored: 2025-07-01 23:50:00 +0300
Committed: 2025-07-01 23:50:00 +0300

Release libpng version 1.6.50

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • libpng-manual.txt
  • libpng.3
  • libpngpf.3
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

254a64ec307a8151186aea58995dcb43c8e1ce95 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/254a64ec307a8151186aea58995dcb43c8e1ce95
Authored: 2025-07-01 22:57:36 +0300
Committed: 2025-07-01 22:57:36 +0300

doc: Update the man pages to the final PNG-3 specification

Also make editorial changes regarding the previous PNG specifications.

Files Modified:

  • libpng-manual.txt
  • libpng.3
  • libpngpf.3
  • png.5

9eb25bd8993a6f70704fedd78985250b20bb7594 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/9eb25bd8993a6f70704fedd78985250b20bb7594
Authored: 2025-06-30 23:46:32 +0300
Committed: 2025-06-30 23:46:32 +0300

chore: Rerun ./autogen.sh --maintainer

Files Modified:

  • Makefile.in
  • aclocal.m4
  • compile
  • config.h.in
  • configure
  • depcomp
  • install-sh
  • missing
  • test-driver

8087a21d0aaf0f206d68506034ac6e0be49c3d77 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/8087a21d0aaf0f206d68506034ac6e0be49c3d77
Authored: 2025-06-30 22:27:17 +0300
Committed: 2025-06-30 22:27:17 +0300

build: Fix the CMake file for cross-platform builds that require libm

Detect the availability of libm on the target platform.
Previously, libm was detected on the host platform only.

Also introduce the variable PNG_LINK_LIBRARIES.
Stop using M_LIBRARY, which was not namespace-clean.

Files Modified:

  • CMakeLists.txt

2e5f296bfa04c5a4f885ebad790339641691e4bd by John Bowler <jbowler@acm.org>

https://github.com/pnggroup/libpng/commit/2e5f296bfa04c5a4f885ebad790339641691e4bd
Authored: 2025-06-24 14:18:37 -0700
Committed: 2025-06-30 16:27:22 +0300

fix: Prevent unknown chunks from causing out-of-place IEND errors

PNG_AFTER_IDAT was not set by the IDAT read code if unknown chunk
handling was turned on. This was hidden in the current tests by checks
within the text handling chunks. (For example, pngtest.png has a zTXt
chunk after IDAT.)

This change modifies both the sequential and the progressive reader to
reliably set PNG_AFTER_IDAT when the first non-IDAT chunk is seen and
before that chunk is processed.

The change is minimalist; PNG_HAVE_CHUNK_AFTER_IDAT can probably be
removed and replaced with PNG_AFTER_IDAT. Making the latter change is
something to be considered in libpng2.

Co-authored-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • pngpread.c
  • pngread.c
  • pngrutil.c

4266c75f4001355b687bd4ddc24055d970781401 by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/4266c75f4001355b687bd4ddc24055d970781401
Authored: 2025-06-28 12:00:03 +0200
Committed: 2025-06-28 16:19:11 +0300

riscv: Remove unused argument

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • contrib/riscv-rvv/linux.c
  • riscv/riscv_init.c

f451a4de09eac5533f6da3cbc194e0416984713b by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/f451a4de09eac5533f6da3cbc194e0416984713b
Authored: 2025-06-27 13:00:56 +0200
Committed: 2025-06-28 16:19:11 +0300

riscv: Simplify the runtime check to always be present

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • CMakeLists.txt
  • configure.ac
  • riscv/riscv_init.c

6aa47debba01f6a8e04e2082e05e31df39ef62af by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/6aa47debba01f6a8e04e2082e05e31df39ef62af
Authored: 2025-06-26 13:32:49 +0200
Committed: 2025-06-28 16:19:11 +0300

riscv: Do not overwrite -march when testing against SIMD availability

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • CMakeLists.txt
  • configure.ac

3391bb98e39762d3f99414209d4399a68feaadb5 by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/3391bb98e39762d3f99414209d4399a68feaadb5
Authored: 2025-06-26 11:54:29 +0200
Committed: 2025-06-28 16:19:11 +0300

riscv: Use C intrinsics

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • riscv/filter_rvv_intrinsics.c

21895b05ab22cf23b7b621252756e8419c5c5b87 by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/21895b05ab22cf23b7b621252756e8419c5c5b87
Authored: 2025-06-17 14:08:17 +0200
Committed: 2025-06-18 14:43:36 +0300

riscv: Clearly separate the build flow for autotools and cmake

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • CMakeLists.txt
  • pngpriv.h

be81ebe1a45c2da3c5788485cd55408fe2e328df by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/be81ebe1a45c2da3c5788485cd55408fe2e328df
Authored: 2025-06-17 11:41:32 +0300
Committed: 2025-06-17 11:41:32 +0300

chore: Rerun ./autogen.sh --maintainer

Files Modified:

  • configure

edf46621f3de3e643a908c1e28c40e645eaa57a2 by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/edf46621f3de3e643a908c1e28c40e645eaa57a2
Authored: 2025-06-17 08:36:53 +0200
Committed: 2025-06-17 11:40:57 +0300

riscv: Improve the RVV availability check

In some cases, the vector extension is not supported, although the
compiler allows the "v" flag in -march and includes <riscv_vector>
without raising an error.

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • CMakeLists.txt
  • configure.ac

5dc5937b30374091042e7d15dde1bfe95b5d72d1 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/5dc5937b30374091042e7d15dde1bfe95b5d72d1
Authored: 2025-06-14 18:29:05 +0300
Committed: 2025-06-14 18:35:46 +0300

chore: Update .gitignore

This is a cherry-pick of commit df3b9173277aae60b08a216dc23484f6ec171ef5
from branch 'libpng18'.

Files Modified:

  • .gitignore

7084241c7527c6a345a7a425af46ca06edeb4996 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/7084241c7527c6a345a7a425af46ca06edeb4996
Authored: 2025-06-14 17:13:02 +0300
Committed: 2025-06-14 17:13:02 +0300

Bump version to 1.6.50.git

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt
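The two quantize fixes described in the commit list above (the 256-entry quantize_index allocation with identity mapping, and freeing the previous table on repeated png_set_quantize calls), modelled as an added example that is not libpng code and not part of the original bug comments. The names struct reader, set_quantize, quantize_row, destroy_reader and live_table_count are hypothetical, and the sample rows are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PALETTE_LENGTH 256 /* models PNG_MAX_PALETTE_LENGTH from the commit text */

/* Hypothetical reader state; only the member discussed above is modelled. */
struct reader {
    unsigned char *quantize_index; /* remap table, or NULL when not set */
};

static int live_tables; /* tables currently allocated, tracked for the demo */

int live_table_count(void) { return live_tables; }

/* Install a remap table for the first num_palette indices.
 * Returns 0 on success, -1 on bad arguments or allocation failure. */
int set_quantize(struct reader *r, const unsigned char *mapping, int num_palette)
{
    unsigned char *table;
    int i;

    if (r == NULL || mapping == NULL ||
        num_palette < 0 || num_palette > MAX_PALETTE_LENGTH)
        return -1;

    /* Size the table for every value an 8-bit pixel can hold,
     * not for num_palette, so no pixel value can index past the end. */
    table = malloc(MAX_PALETTE_LENGTH);
    if (table == NULL)
        return -1;
    live_tables++;

    /* Identity map first: indices >= num_palette stay well defined. */
    for (i = 0; i < MAX_PALETTE_LENGTH; i++)
        table[i] = (unsigned char)i;
    for (i = 0; i < num_palette; i++)
        table[i] = mapping[i];

    /* Release the table left by an earlier call before replacing it. */
    if (r->quantize_index != NULL) {
        free(r->quantize_index);
        live_tables--;
    }
    r->quantize_index = table;
    return 0;
}

/* Remap a row of 8-bit palette indices in place. The loop carries no
 * per-pixel bounds check: the table covers all 256 possible values. */
void quantize_row(const struct reader *r, unsigned char *row, size_t n)
{
    size_t i;

    if (r == NULL || r->quantize_index == NULL)
        return;
    for (i = 0; i < n; i++)
        row[i] = r->quantize_index[row[i]];
}

void destroy_reader(struct reader *r)
{
    if (r != NULL && r->quantize_index != NULL) {
        free(r->quantize_index);
        r->quantize_index = NULL;
        live_tables--;
    }
}

int main(void)
{
    /* Constructed sample: a 4-entry palette mapping and a row holding
     * two in-range indices and two out-of-range ones (4 and 255). */
    static const unsigned char mapping[4] = { 3, 2, 1, 0 };
    unsigned char row[4] = { 0, 3, 4, 255 };
    struct reader r = { NULL };

    set_quantize(&r, mapping, 4);
    set_quantize(&r, mapping, 4); /* second call must not leak the first table */
    quantize_row(&r, row, sizeof row);
    printf("row: %d %d %d %d, live tables: %d\n",
           row[0], row[1], row[2], row[3], live_table_count());
    destroy_reader(&r);
    return 0;
}
```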
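The premultiplied-alpha invariant from the png_init_read_transformations commit above (component <= alpha), checked exhaustively over the 8-bit domain as an added example that is not libpng code and not part of the original bug comments. It assumes a textbook 8-bit compositing formula in place of the png_composite macro, leaves out gamma correction, and uses a hypothetical consumer that un-premultiplies into a 256-entry table as a stand-in for the sRGB lookup.

```c
#include <stdio.h>

/* Premultiply one 8-bit component by alpha, using the formula quoted
 * in the commit message: (component * alpha + 127) / 255. */
unsigned premultiply(unsigned component, unsigned alpha)
{
    return (component * alpha + 127) / 255;
}

/* Textbook 8-bit compositing over a background colour (an assumption
 * made for this example; it is not the png_composite macro). */
unsigned composite_over(unsigned fg, unsigned alpha, unsigned bg)
{
    return (fg * alpha + bg * (255 - alpha) + 127) / 255;
}

/* Two ways to fill a palette entry from (component, alpha, background). */
typedef unsigned (*entry_fn)(unsigned component, unsigned alpha, unsigned bg);

unsigned entry_premultiplied(unsigned c, unsigned a, unsigned bg)
{
    (void)bg; /* the background is applied later, not here */
    return premultiply(c, a);
}

unsigned entry_composited(unsigned c, unsigned a, unsigned bg)
{
    return composite_over(c, a, bg);
}

/* Count the (component, alpha) pairs whose palette entry breaks the
 * invariant entry <= alpha that a premultiplied consumer relies on. */
unsigned count_invariant_violations(entry_fn fill, unsigned bg)
{
    unsigned c, a, bad = 0;

    for (a = 0; a <= 255; a++)
        for (c = 0; c <= 255; c++)
            if (fill(c, a, bg) > a)
                bad++;
    return bad;
}

/* Hypothetical consumer: it un-premultiplies with entry * 255 / alpha
 * and uses the result as an index into a 256-entry table. Return the
 * largest index it would compute over the whole 8-bit domain. */
unsigned max_unpremultiplied_index(entry_fn fill, unsigned bg)
{
    unsigned c, a, idx, max = 0;

    for (a = 1; a <= 255; a++) /* alpha 0 is skipped: nothing to divide by */
        for (c = 0; c <= 255; c++) {
            idx = fill(c, a, bg) * 255 / a;
            if (idx > max)
                max = idx;
        }
    return max;
}

int main(void)
{
    /* Constructed input: a white background (255). */
    printf("premultiply only:  %u violations, max index %u\n",
           count_invariant_violations(entry_premultiplied, 255),
           max_unpremultiplied_index(entry_premultiplied, 255));
    printf("composited early:  %u violations, max index %u\n",
           count_invariant_violations(entry_composited, 255),
           max_unpremultiplied_index(entry_composited, 255));
    return 0;
}
```

With premultiplication alone the index never leaves 0..255; with compositing applied at palette-build time it does, which is the out-of-range condition the commit message describes.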

The try push is done, we found jobs with unclassified failures.

Needs Investigation (Possible Intermittents):

  • test-windows10-64-2009-qr/debug-gtest-1proc - 2 of 3 failed on the same (retriggered) task (failed: L652sdf8SuuhFE1SN5LpDg, MYWvYPR5RciQPc_fz0ZVJw)

These failures could mean that the library update changed something and caused
tests to fail. You'll need to review them yourself and decide where to go from here.

In either event, I have done all I can and you will need to take it from here. If you
don't want to land my patch, you can replicate it locally for editing with
./mach vendor media/libpng/moz.yaml

When reviewing, please note that this is external code, which needs a full and
careful inspection - not a rubberstamp.

Assignee: nobody → tnikkel
Flags: needinfo?(tnikkel)

Having looked at the individual CVEs, the affected functions and the coverage information from Firefox, I am pretty sure that this does not affect Firefox.

Obviously, we should still keep libpng up to date.

Thanks for looking that over.

Yes, generally I take image library updates pretty quickly, especially for the minor updates and ones that have a proven track record of not breaking things in updates.

Flags: needinfo?(tnikkel)
Status: NEW → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 147 Branch

Can you check if this easily applies to ESR?

Flags: needinfo?(tnikkel)

(In reply to Frederik Braun [:freddy] from comment #9)

> Can you check if this easily applies to ESR?

Which ESR?

Flags: needinfo?(tnikkel) → needinfo?(fbraun)

Also, see https://github.com/pnggroup/libpng/issues/764 where it looks like one of the security issues fixed in this release wasn't fully fixed, so there might be another release soon.

I just went through all the changesets that touched the libpng dir and all of the libpng version updates we've had back to ESR 115. It all looks pretty straightforward with only minimal other changes besides the libpng version upgrades. So it wouldn't be hard or risky to create a roll-up patch to either of the two ESRs active right now.

Flags: needinfo?(fbraun)

And confirmed from the libpng maintainer that 1.6.52 is likely coming as a result of that: https://github.com/pnggroup/libpng/issues/765#issuecomment-3589199472

1.6.52 is in bug 2003957 now.

See Also: → 2003957
QA Whiteboard: [qa-triage-done-c148/b147]