Closed Bug 2015661 Opened 1 month ago Closed 1 month ago

Update libpng to new version v1.6.55 from 2026-02-09 22:02:20

Categories

(Core :: Graphics: ImageLib, enhancement)

Tracking

RESOLVED FIXED
149 Branch
Tracking Status
firefox-esr140 --- fixed
firefox149 --- fixed

People

(Reporter: update-bot, Assigned: tnikkel)

Details

(Whiteboard: [3pl-filed][task_id: eM8OkuzaRl6Y5Oq2CBOx3w])

Attachments

(3 files)

This update covers 6 commits. Here are the overall diff statistics, and then the commit information.


media/libpng/ANNOUNCE | 24 +-
media/libpng/AUTHORS | 1 +
media/libpng/CHANGES | 12 +-
media/libpng/README | 14 +-
media/libpng/arm/arm_init.c | 2 +-
media/libpng/arm/filter_neon.S | 6 -
media/libpng/libpng-manual.txt | 4 +-
media/libpng/moz.yaml | 2 +-
media/libpng/png.c | 4 +-
media/libpng/png.h | 106 +-------------
media/libpng/pngconf.h | 2 +-
media/libpng/pngget.c | 162 ----------------------
media/libpng/pnginfo.h | 13 -
media/libpng/pngpread.c | 169 -----------------------
media/libpng/pngpriv.h | 57 --------
media/libpng/pngread.c | 80 -----------
media/libpng/pngrtran.c | 6 +-
media/libpng/pngrutil.c | 291 -----------------------------------------
media/libpng/pngset.c | 145 --------------------
media/libpng/pngstruct.h | 21 --
media/libpng/pngwrite.c | 47 ------
media/libpng/pngwutil.c | 142 --------------------
22 files changed, 45 insertions(+), 1265 deletions(-)


c3e304954a9cfd154bc0dfbfea2b01cd61d6546d by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/c3e304954a9cfd154bc0dfbfea2b01cd61d6546d
Authored: 2026-02-09 22:02:20 +0200
Committed: 2026-02-09 22:02:20 +0200

Release libpng version 1.6.55

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • libpng-manual.txt
  • libpng.3
  • libpngpf.3
  • png.5
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

b72e38c08b1bcd574c3a4a9190e5525e74604ed1 by Philippe Antoine <contact@catenacyber.fr>

https://github.com/pnggroup/libpng/commit/b72e38c08b1bcd574c3a4a9190e5525e74604ed1
Authored: 2026-01-23 16:04:16 +0100
Committed: 2026-02-09 20:48:12 +0200

oss-fuzz: Restrict the nalloc build to libfuzzer

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • contrib/oss-fuzz/build.sh

9404d8e35bdc060faa4d8a40792ba7a2527ff531 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/9404d8e35bdc060faa4d8a40792ba7a2527ff531
Authored: 2026-02-09 17:51:02 +0200
Committed: 2026-02-09 17:51:02 +0200

chore: Pacify markdownlint

Files Modified:

  • ANNOUNCE
  • CHANGES
  • README
  • TODO
  • ci/README.md
  • scripts/cmake/README.md

2f7991c31bca4812580d7f9057537b987108c90c by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/2f7991c31bca4812580d7f9057537b987108c90c
Authored: 2026-02-09 17:43:54 +0200
Committed: 2026-02-09 17:43:54 +0200

Add .markdownlint.yml, a configuration file for markdownlint

Files Added:

  • .markdownlint.yml

01d03b8453eb30ade759cd45c707e5a1c7277d88 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
Authored: 2026-02-06 19:11:54 +0200
Committed: 2026-02-06 19:11:54 +0200

Fix a heap buffer overflow in png_set_quantize

The color distance hash table stored the current palette indices, but
the color-pruning loop assumed the original indices. When colors were
eliminated and indices changed, the stored indices became stale. This
caused the loop bound max_d to grow past the 769-element hash array.

The fix consists in storing the original indices via palette_to_index
to match the pruning loop's expectations.

Reported-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
Co-authored-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • AUTHORS
  • pngrtran.c

b884e8c6188ba2002230474451deccf61f09decc by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/b884e8c6188ba2002230474451deccf61f09decc
Authored: 2026-02-06 19:03:06 +0200
Committed: 2026-02-06 19:03:06 +0200

Bump version to 1.6.55.git

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

All the jobs in the try run succeeded. Like literally all of them, there weren't
even any intermittents. That is pretty surprising to me, so maybe you should double
check to make sure I didn't misinterpret things and that the correct tests ran...

Anyway, I've done all I can, so I'm passing to you to review and land the patch.
When reviewing, please note that this is external code, which needs a full and
careful inspection - not a rubberstamp.

Assignee: nobody → tnikkel

The CVE in this version is in png_set_quantize (and code inside that function is the only thing changed besides some other random cleanup patches; I looked over the entire diff). We don't call png_set_quantize and there are no callers of png_set_quantize inside libpng, so I think we are not affected by the CVE, and so I am not intending to request uplift for this. If anyone would like me to uplift, I can do so; just let me know.
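
The "no callers" triage argument in the comment above can be checked mechanically. The following is an added example, not part of this bug, of Firefox or of libpng: a heuristic scan for call sites of a named C function that ignores mentions in comments and string literals. The names `find_call_sites`, `demo` and `SAMPLE`, and the `app/` paths, are hypothetical, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Comments and string/char literals: mentions inside them are not call sites.
NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)

def find_call_sites(root, func, exts=(".c", ".h", ".cc", ".cpp")):
    """Return (relative path, line number, line) for each `func(` found in code.

    Heuristic: a match at column 0 is taken to be the function's own
    definition (the name starts the line there) and preprocessor lines are
    skipped. Everything else is reported for a human to review.
    """
    call = re.compile(r"\b" + re.escape(func) + r"\s*\(")
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in exts:
            continue
        text = path.read_text(errors="replace")
        # Blank out noise but keep newlines so line numbers stay correct.
        code = NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), text)
        for number, line in enumerate(code.splitlines(), 1):
            m = call.search(line)
            if m and m.start() > 0 and not line.lstrip().startswith("#"):
                hits.append((path.relative_to(root).as_posix(), number, line.strip()))
    return hits

# Constructed sample tree (hypothetical contents, not real Firefox or libpng sources).
SAMPLE = {
    "media/libpng/png.h": "PNG_EXPORT(0, void, png_set_quantize, (png_structrp png_ptr));\n",
    "media/libpng/pngrtran.c": "/* png_set_quantize() builds a hash */\nvoid PNGAPI\n"
                               "png_set_quantize(png_structrp png_ptr)\n{\n}\n",
    "app/decoder.cpp": 'void f(png_structp p) {\n  log("png_set_quantize(p)");\n'
                       "  png_set_expand(p);  // not png_set_quantize(p)\n}\n",
    "app/legacy.c": "void g(png_structp p)\n{\n  if (p)\n    png_set_quantize(p);\n}\n",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return find_call_sites(tmp, "png_set_quantize")

if __name__ == "__main__":
    for hit in demo():
        print("%s:%d: %s" % hit)
```

An empty result covers direct calls by the written name only; function pointers and macro aliases need a separate look.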

Status: NEW → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 149 Branch
QA Whiteboard: [qa-triage-done-c150/b149]
Attachment #9550578 - Flags: approval-mozilla-esr140?

firefox-esr140 Uplift Approval Request

  • User impact if declined: Various security fixes for third-party libraries included in the Firefox build. It's not clear how impacted we actually are in practice, but backporting the updates is easy enough that it's not really worth getting too caught up in trying to figure that out.
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing:
  • Risk associated with taking this patch: low
  • Explanation of risk level: All of these libraries are used at low enough levels that any regressions caused would be very obvious in our CI and in the wild. Also, they've all baked on Nightly for a cycle already and are currently on Beta without any known issues.
  • String changes made/needed: None
  • Is Android affected?: yes
Attachment #9550578 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+