Closed Bug 2003957 Opened 6 months ago Closed 6 months ago

Update libpng to new version v1.6.52 from 2025-12-03 21:48:14

Categories

(Core :: Graphics: ImageLib, enhancement)

Product:
Core
Component:
Graphics: ImageLib
Type:
enhancement

Tracking

()

Status:
RESOLVED DUPLICATE of bug 2004498
Tracking Flags:
Tracking Status
firefox147 --- affected

People

(Reporter: update-bot, Assigned: tnikkel)

References

Details

(Whiteboard: [3pl-filed][task_id: W8InCW2HTqOiRw_zo6h1iA])

Attachments

(1 obsolete file)

This update covers 47 commits. Here are the overall diff statistics, and then the commit information.

media/libpng/ANNOUNCE | 52 +---
media/libpng/AUTHORS | 2 +
media/libpng/CHANGES | 11 +
media/libpng/README | 2 +-
media/libpng/arm/arm_init.c | 2 +-
media/libpng/arm/filter_neon.S | 6 -
media/libpng/libpng-manual.txt | 2 +-
media/libpng/moz.yaml | 2 +-
media/libpng/png.c | 4 +-
media/libpng/png.h | 106 +---------
media/libpng/pngconf.h | 2 +-
media/libpng/pngget.c | 162 ----------------
media/libpng/pnginfo.h | 13 -
media/libpng/pngpread.c | 169 ----------------
media/libpng/pngpriv.h | 57 -----
media/libpng/pngread.c | 133 +++---------
media/libpng/pngrtran.c | 1 +
media/libpng/pngrutil.c | 291 -----------------------------
media/libpng/pngset.c | 145 --------------
media/libpng/pngstruct.h | 21 --
media/libpng/pngwrite.c | 47 ----
media/libpng/pngwutil.c | 142 --------------
media/libpng/riscv/filter_rvv_intrinsics.c | 65 ++----
23 files changed, 106 insertions(+), 1331 deletions(-)

fbed16182b92eeb3a06d96e49f0836d450318098 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/fbed16182b92eeb3a06d96e49f0836d450318098
Authored: 2025-12-03 21:48:14 +0200
Committed: 2025-12-03 21:48:14 +0200

Release libpng version 1.6.52

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • libpng-manual.txt
  • libpng.3
  • libpngpf.3
  • png.5
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

5c7d02d73b12aa96ff5bc27f3695d3fe3c6b1dd7 by Philippe Antoine <contact@catenacyber.fr>

https://github.com/pnggroup/libpng/commit/5c7d02d73b12aa96ff5bc27f3695d3fe3c6b1dd7
Authored: 2025-11-21 22:12:56 +0100
Committed: 2025-12-03 20:49:47 +0200

oss-fuzz: Add allocation failure fuzzing via nalloc

Integrate nalloc fuzzing to systematically test error handling paths
when memory allocations fail. This technique previously found a memory
leak in pCAL chunk handling and is already in production use via
OSS-Fuzz on libwebp and libssh.

This is enabled via the _nalloc target suffix or the NALLOC_FREQ
environment variable.

Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Added:

  • contrib/oss-fuzz/nalloc.h

Files Modified:

  • contrib/oss-fuzz/libpng_read_fuzzer.cc

5b159aed75e9d02d065026b8eeefcfc8b7c6b8e4 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/5b159aed75e9d02d065026b8eeefcfc8b7c6b8e4
Authored: 2025-12-03 20:31:19 +0200
Committed: 2025-12-03 20:31:19 +0200

riscv: Reformat the contributor list and update the AUTHORS file

Files Modified:

  • AUTHORS
  • riscv/filter_rvv_intrinsics.c

d27beddf9f4d80b8998791cbb91fe684820ff387 by liangjunzhao <junzhao.liang@spacemit.com>

https://github.com/pnggroup/libpng/commit/d27beddf9f4d80b8998791cbb91fe684820ff387
Authored: 2025-12-02 09:46:07 +0800
Committed: 2025-12-03 20:31:19 +0200

riscv: Fix undefined behavior in png_read_filter_row_paeth_rvv

The existing implementation produced incorrect output at -O2/-O3 due
to reliance on RVV mask-agnostic element preservation.

The old code computed absolute values using masked operations:

vbool8_t p_neg_mask = __riscv_vmslt_vx_i16m2_b8(p, 0, vl);
vint16m2_t pa = __riscv_vrsub_vx_i16m2_m(p_neg_mask, p, 0, vl);

Per RVV 1.0 specification (section 5.4), the elements where the mask
bit is 0 have agnostic tail policy: implementations may either preserve
the original value or may set all bits to 1. This is explicitly
implementation-defined and not guaranteed.

When p >= 0, the mask bit is 0, so the "preserved" value of pa may
be clobbered to 0xFFFF depending on microarchitecture and optimization
level. This causes silent data corruption in decoded PNG images.

Fix by eliminating all masked operations in favour of unconditional
vector operations:

  1. Compute the absolute value via min(x, -x) in unsigned arithmetic:

    vuint16m2_t tmp = __riscv_vrsub_vx_u16m2(p, 0, vl);
vuint16m2_t pa = __riscv_vminu_vv_u16m2(p, tmp, vl);

    This works because operands are u8 values widened to u16.
    For any difference d = b - c where b and c are in [0...255]:

    • If b >= c:
      d is in [0...255], and -d (mod 2^16) is in [65281...65535].
    • If b < c:
      d is in [65281...65535], and -d (mod 2^16) is in [1...255].
      In both cases, min(d, -d) yields |b - c|.

  2. Select the Paeth predictor via iterative min-tracking with vmerge:

    vbool8_t m1 = __riscv_vmsltu_vv_u16m2_b8(pb, pa, vl);
pa = __riscv_vmerge_vvm_u16m2(pa, pb, m1, vl);
a = __riscv_vmerge_vvm_u8m1(a, b, m1, vl);

    The vmerge instruction explicitly defines all lanes (no agnostic
    elements), and the strict less-than comparison preserves correct
    tie-breaking per the PNG specification (prefer a over b over
    c when equal).

The new implementation is also simpler (with fewer instructions) and
provides ~14% speedup over scalar on SpacemiT K1.

Reported-by: Filip Wasil <f.wasil@samsung.com>
Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • riscv/filter_rvv_intrinsics.c

87ed1cd2b802ba8df133e6cbc91a5b4fdaf87cf6 by liangjunzhao <junzhao.liang@spacemit.com>

https://github.com/pnggroup/libpng/commit/87ed1cd2b802ba8df133e6cbc91a5b4fdaf87cf6
Authored: 2025-12-01 15:29:26 +0800
Committed: 2025-12-03 20:31:19 +0200

riscv: Improve averaging performance in png_read_filter_row_avg_rvv

Replace the two-instruction sequence (vwaddu and vnsrl) with a single
vaaddu instruction for computing the average.

The vaaddu instruction with vxrm=2 (round-toward-zero) produces
identical results to the widening add followed by narrowing shift,
but in a single operation.

Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • riscv/filter_rvv_intrinsics.c

a05a48b756de63e3234ea6b3b938b8f5f862484a by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a
Authored: 2025-12-01 22:31:54 +0200
Committed: 2025-12-01 22:31:54 +0200

Finalize the fix for out-of-bounds read in png_image_read_composite

Following up on commit 788a624d7387a758ffd5c7ab010f1870dea753a1.

The previous commit added a defensive bounds check to address the
security issue (out-of-bounds read), but noted that the correctness
issue remained: when the clamp triggered, the affected pixels were
clamped to white instead of the correct composited color.

This commit addresses the correctness issue by fixing the flag
synchronization error identified in the previous commit's TODO:

  1. In png_init_read_transformations:
    Clear PNG_FLAG_OPTIMIZE_ALPHA when clearing PNG_COMPOSE for palette
    images. This correctly signals that the data is sRGB, not linear
    premultiplied.

  2. In png_image_read_composite:
    Check PNG_FLAG_OPTIMIZE_ALPHA and use the appropriate composition
    formula. When set, use the existing linear composition. When cleared
    (palette composition already done), use sRGB composition to match
    what was done to the palette.

Retain the previous clamp to the valid range as belt-and-suspenders
protection against any other unforeseen cases.

Files Modified:

  • pngread.c
  • pngrtran.c

788a624d7387a758ffd5c7ab010f1870dea753a1 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1
Authored: 2025-11-29 00:39:16 +0200
Committed: 2025-11-29 00:39:16 +0200

Fix an out-of-bounds read in png_image_read_composite

Add a defensive bounds check before calling PNG_sRGB_FROM_LINEAR to
prevent reading up to 506 entries (1012 bytes) past png_sRGB_base[].

For palette images with gamma, png_init_read_transformations
clears PNG_COMPOSE after compositing on the palette, but it leaves
PNG_FLAG_OPTIMIZE_ALPHA set. The simplified API then calls
png_image_read_composite with sRGB data (not linear premultiplied),
causing the index to reach 1017. (The maximum valid index is 511.)

NOTE:
This is a defensive fix that addresses the security issue (out-of-bounds
read) but NOT the correctness issue (wrong output). When the clamp
triggers, the affected pixels are clamped to white instead of the
correct composited color. Valid PNG images may render incorrectly with
the simplified API.

TODO:
We already know the root cause is a flag synchronization error.
For palette images with gamma, png_init_read_transformations
clears PNG_COMPOSE but leaves PNG_FLAG_OPTIMIZE_ALPHA set, causing
png_image_read_composite to misinterpret sRGB data as linear
premultiplied. However, we have yet to implement an architectural fix
that requires coordinating the simplified API with the transformation
pipeline.

Reported-by: flyfish101 <flyfish101@users.noreply.github.com>

Files Modified:

  • pngread.c

cf53e54ccf631d8de68a30ebb3b8eeed1d6f1a08 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/cf53e54ccf631d8de68a30ebb3b8eeed1d6f1a08
Authored: 2025-11-28 17:05:40 +0200
Committed: 2025-11-28 17:05:40 +0200

Bump version to 1.6.52.git

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

49363adcfaf098748d7a4c8c624ad8c45a8c3a86 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/49363adcfaf098748d7a4c8c624ad8c45a8c3a86
Authored: 2025-11-21 23:01:00 +0200
Committed: 2025-11-21 23:01:00 +0200

Release libpng version 1.6.51

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • libpng-manual.txt
  • libpng.3
  • libpngpf.3
  • png.5
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

869ed49945e48ca31e5add8e727fa07dd7b10dc8 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/869ed49945e48ca31e5add8e727fa07dd7b10dc8
Authored: 2025-11-21 21:52:02 +0200
Committed: 2025-11-21 21:52:02 +0200

Update the main AUTHORS file

Files Modified:

  • AUTHORS

fe855702dec58a205580dc127e2c92d765e61262 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/fe855702dec58a205580dc127e2c92d765e61262
Authored: 2025-11-21 21:40:56 +0200
Committed: 2025-11-21 21:40:56 +0200

chore: Rerun ./autogen.sh --maintainer

Files Modified:

  • configure

b7fc38c91008c50b825bedfc693b1f594ca0e6f2 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/b7fc38c91008c50b825bedfc693b1f594ca0e6f2
Authored: 2025-11-21 20:43:36 +0200
Committed: 2025-11-21 20:43:36 +0200

ci: Update the branch and tag exclusions on AppVeyor CI

As we plan to release libpng-1.8.0, with the 'libpng18' branch being
the new default, we are also discontinuing the 'master' branch as an
alias branch. Update the exclusions in the AppVeyor CI configuration
file, replacing 'libpng00' to 'libpng18' with 'master'.

Also update the regular expression that excludes release tags to
account for all 'vNN.NN.NN' tag names.

Files Modified:

  • .appveyor.yml

c53a3237e3de2d0efb86cdc9de52fac18b143fa0 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/c53a3237e3de2d0efb86cdc9de52fac18b143fa0
Authored: 2025-11-21 19:12:40 +0200
Committed: 2025-11-21 19:12:40 +0200

chore: Disable automatic charset detection in .editorconfig-checker

Work around a regression in editorconfig-checker version 3.5.0.
In this new version, editorconfig-checker fails to validate ASCII as
a valid subset of UTF-8.

This commit unblocks the GitHub linting action.

Files Modified:

  • .editorconfig-checker.json

728ac129b152654660fb22ce49d34ad2fc507bb2 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/728ac129b152654660fb22ce49d34ad2fc507bb2
Authored: 2025-11-21 19:03:57 +0200
Committed: 2025-11-21 19:03:57 +0200

chore: Update .gitignore to exclude more local files

Files Modified:

  • .gitignore

3a3d485a7564de4f1f348628864a774a4af16af8 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/3a3d485a7564de4f1f348628864a774a4af16af8
Authored: 2025-11-21 17:57:36 +0200
Committed: 2025-11-21 17:57:36 +0200

riscv: Fix -Wundef compiler warnings and relax RVV version checks

Fix a regression from commit 816b008d8fcb9f741bcacdb29e72955914936856.

When the build was not optimized for RVV (PNG_RISCV_RVV_OPT == 0),
the macro PNG_RISCV_RVV_IMPLEMENTATION was left undefined, even though
it is checked with #if instead of #ifdef in the source code.
Additionally, the RVV version checks included an upper bound check
(__riscv_v < 1900000) that disabled the RVV-optimized path for any
future RVV 1.9+ version.

We added the missing fallback definition and we removed the v1.9+ upper
bound. The RVV optimizations are now enabled for any RISC-V compiler
that supports RVV 1.0 or later, following the expectation that minor
version updates shall maintain compatibility.

Files Modified:

  • pngpriv.h

218612ddd6b17944e21eda56caf8b4bf7779d1ea by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
Authored: 2025-11-19 21:45:13 +0200
Committed: 2025-11-19 21:45:13 +0200

Rearchitect the fix to the buffer overflow in png_image_finish_read

Undo the fix from commit 16b5e3823918840aae65c0a6da57c78a5a496a4d.
That fix turned out to be unnecessarily limiting. It rejected all
16-to-8 bit transformations, although the vulnerability only affects
interlaced PNGs where png_combine_row writes using IHDR bit-depth
before the transformation completes.

The proper solution is to add an intermediate local_row buffer,
specifically for the slow but necessary step of 16-to-8 bit conversion
of interlaced images. (The processing of non-interlaced images remains
intact, using the fast path.) We added the flag do_local_scale and
the function png_image_read_direct_scaled, following the pattern that
involves do_local_compose.

In conclusion:

  • The 16-to-8 bit transformations of interlaced images are now safe,
    as they use an intermediate buffer.
  • The 16-to-8 bit transformations of non-interlaced images remain safe,
    as the fast path remains unchanged.
  • All our regression tests are now passing.

Files Modified:

  • pngread.c

16b5e3823918840aae65c0a6da57c78a5a496a4d by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d
Authored: 2025-11-17 20:38:47 +0200
Committed: 2025-11-17 20:38:47 +0200

Fix a buffer overflow in png_image_finish_read

Reject bit-depth mismatches between IHDR and the requested output
format. When a 16-bit PNG is processed with an 8-bit output format
request, png_combine_row writes using the IHDR depth before
transformation, causing writes beyond the buffer allocated via
PNG_IMAGE_SIZE(image).

The validation establishes a safe API contract where
PNG_IMAGE_SIZE(image) is guaranteed to be sufficient across the
transformation pipeline.

Example overflow (32×32 pixels, 16-bit RGB to 8-bit RGBA):

  • Input format: 16 bits/channel × 3 channels = 6144 bytes
  • Output buffer: 8 bits/channel × 4 channels = 4096 bytes
  • Overflow: 6144 bytes - 4096 bytes = 2048 bytes

Larger images produce proportionally larger overflows. For example,
for 256×256 pixels, the overflow is 131072 bytes.

Reported-by: yosiimich <yosiimich@users.noreply.github.com>

Files Modified:

  • pngread.c

08da33b4c88cfcd36e5a706558a8d7e0e4773643 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643
Authored: 2025-11-12 13:46:23 +0200
Committed: 2025-11-12 13:46:23 +0200

Fix a buffer overflow in png_init_read_transformations

The palette compositing code in png_init_read_transformations was
incorrectly applying background compositing when PNG_FLAG_OPTIMIZE_ALPHA
was set. This violated the premultiplied alpha invariant
component <= alpha expected by png_image_read_composite, causing
values that exceeded the valid range for the PNG_sRGB_FROM_LINEAR lookup
tables.

When PNG_ALPHA_OPTIMIZED is active, palette entries should contain pure
premultiplied RGB values without background compositing. The background
compositing must happen later in png_image_read_composite where the
actual background color from the PNG file is available.

The fix consists in introducing conditional behavior based on
PNG_FLAG_OPTIMIZE_ALPHA: when set, the code performs only
premultiplication using the formula component * alpha + 127) / 255
with proper gamma correction. When not set, the original background
compositing calculation based on the png_composite macro is preserved.

This prevents buffer overflows in png_image_read_composite where
out-of-range premultiplied values would cause out-of-bounds array access
in png_sRGB_base[] and png_sRGB_delta[].

Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
Analyzed-by: John Bowler <jbowler@acm.org>

Files Modified:

  • pngrtran.c

83b23a888b4395c3ae0af3f6d484fce3e4a81155 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/83b23a888b4395c3ae0af3f6d484fce3e4a81155
Authored: 2025-11-10 11:11:42 +0200
Committed: 2025-11-10 11:11:42 +0200

refactor: Delete unreachable code from png_do_read_transformations

After calling png_do_quantize from png_do_read_transformations,
rowbytes (i.e. the length in bytes of a non-empty row) is always
non-zero. The subsequent call to png_error was therefore unreachable.

Files Modified:

  • pngrtran.c

6a528eb5fd0dd7f6de1c39d30de0e41473431c37 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37
Authored: 2025-11-08 23:58:26 +0200
Committed: 2025-11-10 11:11:42 +0200

Fix a buffer overflow in png_do_quantize

Allocate the quantize_index array to PNG_MAX_PALETTE_LENGTH (256 bytes)
instead of num_palette bytes. This approach matches the allocation
pattern for palette[], trans_alpha[] and riffled_palette[] which
were similarly oversized in libpng 1.2.1 to prevent buffer overflows
from malformed PNG files with out-of-range palette indices.

Out-of-range palette indices index >= num_palette will now read
identity-mapped values from the quantize_index array (where index N
maps to palette entry N). This prevents undefined behavior while
avoiding runtime bounds checking overhead in the performance-critical
pixel processing loop.

Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
Analyzed-by: degrigis <degrigis@users.noreply.github.com>

Files Modified:

  • pngrtran.c

ea094764f3436e3c6524622724c2d342a3eff235 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/ea094764f3436e3c6524622724c2d342a3eff235
Authored: 2025-11-08 17:16:59 +0200
Committed: 2025-11-10 11:11:42 +0200

Fix a memory leak in function png_set_quantize; refactor

Release the previously-allocated array quantize_index before
reallocating it. This avoids leaking memory when the function
png_set_quantize is called multiple times on the same png_struct.

This function assumed single-call usage, but fuzzing revealed that
repeated calls would overwrite the pointers without freeing the
original allocations, leaking 256 bytes per call for quantize_index
and additional memory for quantize_sort when histogram-based
quantization is used.

Also remove the array quantize_sort from the list of png_struct
members and make it a local variable. This array is initialized,
used and released exclusively inside the function png_set_quantize.

Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
Analyzed-by: degrigis <degrigis@users.noreply.github.com>
Reviewed-by: John Bowler <jbowler@acm.org>

Files Modified:

  • pngrtran.c
  • pngstruct.h

2bd84c019c300b78e811743fbcddb67c9d9bf821 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821
Authored: 2025-11-07 22:40:05 +0200
Committed: 2025-11-09 18:39:33 +0200

Fix a heap buffer overflow in png_write_image_8bit

The condition guarding the pre-transform path incorrectly allowed 8-bit
input data to enter png_write_image_8bit which expects 16-bit input.
This caused out-of-bounds reads when processing 8-bit grayscale+alpha
images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746),
with the convert_to_8bit flag set (an invalid combination that should
bypass the pre-transform path).

The second part of the condition, i.e.

colormap == 0 && convert_to_8bit != 0

failed to verify that input was 16-bit, i.e.

linear != 0

contradicting the comment "This only applies when the input is 16-bit".

The fix consists in restructuring the condition to ensure both the
alpha path and the convert_to_8bit path require linear (16-bit)
input. The corrected condition, i.e.

linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)

matches the expectation of the png_write_image_8bit function and
prevents treating 8-bit buffers as 16-bit data.

Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
Reported-by: weijinjinnihao <weijinjinnihao@users.noreply.github.com>
Analyzed-by: degrigis <degrigis@users.noreply.github.com>
Reviewed-by: John Bowler <jbowler@acm.org>

Files Modified:

  • pngwrite.c

bd41aa64d34609a9f39944fd241c24f38bb7c3d6 by Tobias Stoeckmann <tobias@stoeckmann.org>

https://github.com/pnggroup/libpng/commit/bd41aa64d34609a9f39944fd241c24f38bb7c3d6
Authored: 2025-09-29 22:06:04 +0200
Committed: 2025-09-29 22:10:27 +0200

api! Remove the experimental (and incomplete) ERROR_NUMBERS code

The purpose of this feature is to optionally prepend standardized
numbers to error and warning messages. The ERROR_NUMBERS feature was
first drafted in libpng-1.2.0 and further developed in libpng-1.4.0;
and yet, it was always disabled by default, and never completed.

In the light of a recent report concerning the security hazards arising
from enabling this code in custom libpng builds, we think it's best to
simply remove all the code written to support this feature.

Based on removal in libpng18, but keeping functions and options as
no-ops for backwards compatibility.

Co-authored-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • png.c
  • pngdebug.h
  • pngerror.c
  • pngpriv.h

c6913e22dfb791e02d333cd174e73c4d6c22b805 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/c6913e22dfb791e02d333cd174e73c4d6c22b805
Authored: 2025-09-29 14:38:59 +0300
Committed: 2025-09-29 14:38:59 +0300

chore: Update .gitignore to exclude local coding agent files

This is a cherry-pick of commit 8cfbbab55715674d7ea7f123707806f8b44228ab
from branch 'libpng18'.

Files Modified:

  • .gitignore

99230a0368ccd1f31e974b9dd8cd8bcebaa30d00 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/99230a0368ccd1f31e974b9dd8cd8bcebaa30d00
Authored: 2025-09-03 21:18:33 +0300
Committed: 2025-09-03 21:18:33 +0300

refactor: Delete conditional compilation for libpng 1.6.0 or earlier

This is a cherry-pick of commit 5ff29c03bbe19992dcfe173a8db8528b4317ae4b
from branch 'libpng18'

Files Modified:

  • contrib/libtests/pngimage.c
  • contrib/libtests/pngstest.c
  • contrib/libtests/pngunknown.c
  • contrib/libtests/pngvalid.c
  • libpng-manual.txt
  • libpng.3

27de46c5a418d0cd8b2bded5a4430ff48deb2920 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/27de46c5a418d0cd8b2bded5a4430ff48deb2920
Authored: 2025-09-01 16:50:02 +0300
Committed: 2025-09-01 16:50:02 +0300

ci: Run autogen.sh without --maintainer in ci_verify_configure.sh

The autogen.sh script is not user-serviceable in the 'libpng16' branch,
which implies the following:

  • It requires the --maintainer option.
  • It should not be run by the CI tooling.

Starting from the branch 'libpng18' onwards, the autogen.sh script
becomes not only user-serviceable, but also mandatory, which implies:

  • It should be run by the CI tooling.
  • It does not require the --maintainer option.

Removing the option --maintainer from ci_verify_configure.sh should
not only simplify the verification script, but also catch errors that
might occur in the above-mentioned scenarios.

This is a cherry-pick of commit 2cd45a9728fa054ccf17e4cac5a9dd77f46251a0
from branch 'libpng18'.

Files Modified:

  • ci/ci_verify_configure.sh

e4e25f2e986456481c728e2327c9912b30bdcbfb by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/e4e25f2e986456481c728e2327c9912b30bdcbfb
Authored: 2025-09-01 16:44:51 +0300
Committed: 2025-09-01 16:44:51 +0300

ci: Add GitHub Actions for verifying libpng on Linux, macOS and Windows

This is a cherry-pick of commit 03f83b88c16605d670dff6070956a47b116e0787
from branch 'libpng18'.

Files Added:

  • .github/workflows/verify-linux.yml
  • .github/workflows/verify-macos.yml
  • .github/workflows/verify-windows.yml

134ab615b617f548e822d8857f1cfc0525aefeba by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/134ab615b617f548e822d8857f1cfc0525aefeba
Authored: 2025-07-17 23:00:16 +0300
Committed: 2025-07-17 23:06:50 +0300

chore: Update .gitignore

This is a cherry-pick of commit c14037646e4f61a7a6cc65c96cf9c3188af25022
from branch 'develop'.

Files Modified:

  • .gitignore

8fb19f2e2fe0ffa80c6f462eb1d8685f3d428604 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/8fb19f2e2fe0ffa80c6f462eb1d8685f3d428604
Authored: 2025-07-14 22:05:50 +0300
Committed: 2025-07-15 19:54:49 +0300

doc: Update and reorganize the png.5 man page

This is a cherry-pick of commit 929ad805c5aa15321e8236897a8b0225607d3182
from branch 'develop'.

Co-authored-by: Chris Lilley <chris@w3.org>

Files Modified:

  • png.5

816b008d8fcb9f741bcacdb29e72955914936856 by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/816b008d8fcb9f741bcacdb29e72955914936856
Authored: 2025-07-08 09:48:51 +0200
Committed: 2025-07-15 18:34:33 +0300

riscv: Leverage __riscv_v in pngpriv.h

Reviewed-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • pngpriv.h
  • riscv/riscv_init.c

7916eb7ba08e97ac97c71784e15f78e3ffcd838c by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/7916eb7ba08e97ac97c71784e15f78e3ffcd838c
Authored: 2025-07-07 11:08:35 +0200
Committed: 2025-07-15 18:34:33 +0300

riscv: Support only RVV 1.0

Reviewed-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Deleted:

  • contrib/riscv-rvv/README
  • contrib/riscv-rvv/linux.c

Files Modified:

  • CMakeLists.txt
  • configure.ac
  • riscv/riscv_init.c

7cecdcae0715bbf7a4b643071e0d39f05d5e7f52 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/7cecdcae0715bbf7a4b643071e0d39f05d5e7f52
Authored: 2025-07-03 22:42:11 +0300
Committed: 2025-07-03 22:42:11 +0300

Harden a vestigial check against overflow inside png_zalloc

Reported-by: Sergio Atienza Pastor, MTP Métodos y Tecnología

Files Modified:

  • png.c

cf59edd364b28de01fa6089a46e6ff8efe677074 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/cf59edd364b28de01fa6089a46e6ff8efe677074
Authored: 2025-07-02 20:24:24 +0300
Committed: 2025-07-02 20:24:24 +0300

Bump version to 1.6.51.git

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

2b978915d82377df13fcbb1fb56660195ded868a by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/2b978915d82377df13fcbb1fb56660195ded868a
Authored: 2025-07-01 23:50:00 +0300
Committed: 2025-07-01 23:50:00 +0300

Release libpng version 1.6.50

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • libpng-manual.txt
  • libpng.3
  • libpngpf.3
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

254a64ec307a8151186aea58995dcb43c8e1ce95 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/254a64ec307a8151186aea58995dcb43c8e1ce95
Authored: 2025-07-01 22:57:36 +0300
Committed: 2025-07-01 22:57:36 +0300

doc: Update the man pages to the final PNG-3 specification

Also make editorial changes regarding the previous PNG specifications.

Files Modified:

  • libpng-manual.txt
  • libpng.3
  • libpngpf.3
  • png.5

9eb25bd8993a6f70704fedd78985250b20bb7594 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/9eb25bd8993a6f70704fedd78985250b20bb7594
Authored: 2025-06-30 23:46:32 +0300
Committed: 2025-06-30 23:46:32 +0300

chore: Rerun ./autogen.sh --maintainer

Files Modified:

  • Makefile.in
  • aclocal.m4
  • compile
  • config.h.in
  • configure
  • depcomp
  • install-sh
  • missing
  • test-driver

8087a21d0aaf0f206d68506034ac6e0be49c3d77 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/8087a21d0aaf0f206d68506034ac6e0be49c3d77
Authored: 2025-06-30 22:27:17 +0300
Committed: 2025-06-30 22:27:17 +0300

build: Fix the CMake file for cross-platform builds that require libm

Detect the availability of libm on the target platform.
Previously, libm was detected on the host platform only.

Also introduce the variable PNG_LINK_LIBRARIES.
Stop using M_LIBRARY, which was not namespace-clean.

Files Modified:

  • CMakeLists.txt

2e5f296bfa04c5a4f885ebad790339641691e4bd by John Bowler <jbowler@acm.org>

https://github.com/pnggroup/libpng/commit/2e5f296bfa04c5a4f885ebad790339641691e4bd
Authored: 2025-06-24 14:18:37 -0700
Committed: 2025-06-30 16:27:22 +0300

fix: Prevent unknown chunks from causing out-of-place IEND errors

PNG_AFTER_IDAT was not set by the IDAT read code if unknown chunk
handling was turned on. This was hidden in the current tests by checks
within the text handling chunks. (For example, pngtest.png has a zTXt
chunk after IDAT.)

This change modifies both the sequential and the progressive reader to
reliably set PNG_AFTER_IDAT when the first non-IDAT chunk is seen and
before that chunk is processed.

The change is minimalist; PNG_HAVE_CHUNK_AFTER_IDAT can probably be
removed and replaced with PNG_AFTER_IDAT. Making the latter change is
something to be considered in libpng2.

Co-authored-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • pngpread.c
  • pngread.c
  • pngrutil.c

4266c75f4001355b687bd4ddc24055d970781401 by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/4266c75f4001355b687bd4ddc24055d970781401
Authored: 2025-06-28 12:00:03 +0200
Committed: 2025-06-28 16:19:11 +0300

riscv: Remove unused argument

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • contrib/riscv-rvv/linux.c
  • riscv/riscv_init.c

f451a4de09eac5533f6da3cbc194e0416984713b by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/f451a4de09eac5533f6da3cbc194e0416984713b
Authored: 2025-06-27 13:00:56 +0200
Committed: 2025-06-28 16:19:11 +0300

riscv: Simplify the runtime check to always be present

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • CMakeLists.txt
  • configure.ac
  • riscv/riscv_init.c

6aa47debba01f6a8e04e2082e05e31df39ef62af by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/6aa47debba01f6a8e04e2082e05e31df39ef62af
Authored: 2025-06-26 13:32:49 +0200
Committed: 2025-06-28 16:19:11 +0300

riscv: Do not overwrite -march when testing against SIMD availability

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • CMakeLists.txt
  • configure.ac

3391bb98e39762d3f99414209d4399a68feaadb5 by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/3391bb98e39762d3f99414209d4399a68feaadb5
Authored: 2025-06-26 11:54:29 +0200
Committed: 2025-06-28 16:19:11 +0300

riscv: Use C intrinsics

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • riscv/filter_rvv_intrinsics.c

21895b05ab22cf23b7b621252756e8419c5c5b87 by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/21895b05ab22cf23b7b621252756e8419c5c5b87
Authored: 2025-06-17 14:08:17 +0200
Committed: 2025-06-18 14:43:36 +0300

riscv: Clearly separate the build flow for autotools and cmake

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • CMakeLists.txt
  • pngpriv.h

be81ebe1a45c2da3c5788485cd55408fe2e328df by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/be81ebe1a45c2da3c5788485cd55408fe2e328df
Authored: 2025-06-17 11:41:32 +0300
Committed: 2025-06-17 11:41:32 +0300

chore: Rerun ./autogen.sh --maintainer

Files Modified:

  • configure

edf46621f3de3e643a908c1e28c40e645eaa57a2 by Filip Wasil <f.wasil@samsung.com>

https://github.com/pnggroup/libpng/commit/edf46621f3de3e643a908c1e28c40e645eaa57a2
Authored: 2025-06-17 08:36:53 +0200
Committed: 2025-06-17 11:40:57 +0300

riscv: Improve the RVV availability check

In some cases, the vector extension is not supported, although the
compiler allows the "v" flag in -march and includes <riscv_vector>
without raising an error.

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • CMakeLists.txt
  • configure.ac

5dc5937b30374091042e7d15dde1bfe95b5d72d1 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/5dc5937b30374091042e7d15dde1bfe95b5d72d1
Authored: 2025-06-14 18:29:05 +0300
Committed: 2025-06-14 18:35:46 +0300

chore: Update .gitignore

This is a cherry-pick of commit df3b9173277aae60b08a216dc23484f6ec171ef5
from branch 'libpng18'.

Files Modified:

  • .gitignore

7084241c7527c6a345a7a425af46ca06edeb4996 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/7084241c7527c6a345a7a425af46ca06edeb4996
Authored: 2025-06-14 17:13:02 +0300
Committed: 2025-06-14 17:13:02 +0300

Bump version to 1.6.50.git

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

I've submitted a try run for this commit: https://treeherder.mozilla.org/jobs?repo=try&revision=e45e750225c4dcc05deedc8325b9cd4e8a670567

Updatebot encountered an error while trying to submit to phabricator.
Updatebot will be unable to do anything more for this library version.

Flags: needinfo?(tnikkel)

The list of commits in the first comment is way more commits then are actually new in this release.

The one sec fix in this release is to a function we don't use and it's not even compiled because we don't define PNG_SIMPLIFIED_READ_SUPPORTED.

Severity: -- → S3
Flags: needinfo?(tnikkel)
See Also: → 2001758
Assignee: nobody → tnikkel
Status: NEW → ASSIGNED

This bug is being closed because a newer revision of the library is available.
This bug will be marked as a duplicate of it (because although this bug is older, it is superseded by the newer one).

Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Duplicate of bug: 2004498
Resolution: --- → DUPLICATE
Attachment #9530785 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: