Closed Bug 2026426 Opened 16 days ago Closed 16 days ago

Update libpng to new version v1.6.56 from 2026-03-25 22:47:06 (includes fixes for CVE-2026-33416, CVE-2026-33636)

Categories

(Core :: Graphics: ImageLib, task)

task

Tracking


RESOLVED FIXED
151 Branch
Tracking Status
firefox-esr115 149+ fixed
firefox-esr140 149+ fixed
firefox149 + fixed
firefox150 + fixed
firefox151 --- fixed

People

(Reporter: update-bot, Assigned: tnikkel)

References

Details

(4 keywords, Whiteboard: [3pl-filed][task_id: NMB2W2weQj2-z4u8qJocTQ][adv-main149.0.2+r][adv-esr140.9.1+r][adv-esr115.34.1+r])

Attachments

(4 files, 2 obsolete files)

This update covers 39 commits. Here are the overall diff statistics, and then the commit information.


media/libpng/ANNOUNCE | 49 +++-
media/libpng/AUTHORS | 3 +
media/libpng/CHANGES | 31 ++
media/libpng/README | 2 +-
media/libpng/arm/arm_init.c | 2 +-
media/libpng/arm/filter_neon.S | 6 -
media/libpng/arm/palette_neon_intrinsics.c | 61 ++--
media/libpng/libpng-manual.txt | 10 +-
media/libpng/moz.yaml | 2 +-
media/libpng/png.c | 16 +-
media/libpng/png.h | 108 +--------
media/libpng/pngconf.h | 2 +-
media/libpng/pngget.c | 162 --------------
media/libpng/pnginfo.h | 13 -
media/libpng/pngpread.c | 169 --------------
media/libpng/pngpriv.h | 61 +-----
media/libpng/pngread.c | 150 ++----------
media/libpng/pngrtran.c | 30 ++-
media/libpng/pngrutil.c | 333 +---------------------------
media/libpng/pngset.c | 218 ++++--------------
media/libpng/pngstruct.h | 27 +--
media/libpng/pngtrans.c | 40 ++-
media/libpng/pngwrite.c | 63 +----
media/libpng/pngwutil.c | 191 +----------------
24 files changed, 303 insertions(+), 1446 deletions(-)


d5515b5b8be3901aac04e5bd8bd5c89f287bcd33 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/d5515b5b8be3901aac04e5bd8bd5c89f287bcd33
Authored: 2026-03-25 22:47:06 +0200
Committed: 2026-03-25 22:47:06 +0200

Release libpng version 1.6.56

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • libpng-manual.txt
  • libpng.3
  • libpngpf.3
  • png.5
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

5f9a0b1e5ed1f096107dfd76fd16217f94a29673 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/5f9a0b1e5ed1f096107dfd76fd16217f94a29673
Authored: 2026-03-25 18:51:09 +0200
Committed: 2026-03-25 18:51:09 +0200

Update the main AUTHORS file

Files Modified:

  • AUTHORS

2f79003f2d89d9285fde0fe380cb8b2d7c382206 by Jeffin820 <jeffinphilip14@gmail.com>

https://github.com/pnggroup/libpng/commit/2f79003f2d89d9285fde0fe380cb8b2d7c382206
Authored: 2026-03-13 11:10:48 +0530
Committed: 2026-03-25 18:33:42 +0200

fix: Use the correct parameter name in png_file_add_chunk

The parameter name in png_file_add_chunk(pnt_ptr, ...) was a typo,
with the macro body referencing png_ptr instead. This caused the
argument to be effectively unused.

Fortunately, this typo was a latent bug with no effect. The sole call
site was already passing png_ptr, so the macro expansion is identical
before and after this fix.

Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • pngstruct.h

dc1732e37afdee070e5660d9641e202c082a6d1c by Philippe Antoine <contact@catenacyber.fr>

https://github.com/pnggroup/libpng/commit/dc1732e37afdee070e5660d9641e202c082a6d1c
Authored: 2026-03-09 22:10:50 +0100
Committed: 2026-03-25 17:22:24 +0200

oss-fuzz: Restrict transformations_fuzzer to transformations

And let the other targets focus on the other parts.

Files Modified:

  • contrib/oss-fuzz/libpng_transformations_fuzzer.cc

80c0485c276edbefe9cf795c686adf92e45936f0 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/80c0485c276edbefe9cf795c686adf92e45936f0
Authored: 2026-03-25 10:42:06 +0200
Committed: 2026-03-25 10:42:06 +0200

chore(test): Add comments and tidy up test definitions

Files Modified:

  • CMakeLists.txt
  • tests/pngimage-full
  • tests/pngimage-quick
  • tests/pngstest
  • tests/pngstest-1.8
  • tests/pngstest-1.8-alpha
  • tests/pngstest-linear
  • tests/pngstest-linear-alpha
  • tests/pngstest-none
  • tests/pngstest-none-alpha
  • tests/pngstest-sRGB
  • tests/pngstest-sRGB-alpha
  • tests/pngunknown-IDAT
  • tests/pngunknown-discard
  • tests/pngunknown-if-safe
  • tests/pngunknown-sAPI
  • tests/pngunknown-sTER
  • tests/pngunknown-save
  • tests/pngunknown-vpAg
  • tests/pngvalid-gamma-16-to-8
  • tests/pngvalid-gamma-alpha-mode
  • tests/pngvalid-gamma-background
  • tests/pngvalid-gamma-expand16-alpha-mode
  • tests/pngvalid-gamma-expand16-background
  • tests/pngvalid-gamma-expand16-transform
  • tests/pngvalid-gamma-sbit
  • tests/pngvalid-gamma-threshold
  • tests/pngvalid-gamma-transform
  • tests/pngvalid-progressive-interlace-standard
  • tests/pngvalid-progressive-size
  • tests/pngvalid-progressive-standard
  • tests/pngvalid-standard
  • tests/pngvalid-transform

0126d4293e90a4a7bd5e373b8d025d0bc8dbf5dc by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/0126d4293e90a4a7bd5e373b8d025d0bc8dbf5dc
Authored: 2026-03-23 22:45:09 +0200
Committed: 2026-03-23 22:45:09 +0200

refactor(test): Avoid undefined pointer arithmetic in pngstest.c

Guard the pointer advance with y+1 < height inside the function
compare_two_images to skip this advance on the last iteration.

With a negative stride, the unconditional row += stride in the
for-statement produced a pointer before the allocated object on
the final iteration. Standard C permits one-after-end but not
one-before-beginning; this is undefined behavior regardless of
whether the pointer is dereferenced or not.

Files Modified:

  • contrib/libtests/pngstest.c

9929ba276ea3f7b4f03fdc0c693997ece3609c5b by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/9929ba276ea3f7b4f03fdc0c693997ece3609c5b
Authored: 2026-03-23 21:13:56 +0200
Committed: 2026-03-23 21:13:56 +0200

refactor: Avoid undefined behavior (signed int overflow) in negations

The computation of abs(x) (where the type of x is png_int_32)
should involve a cast to png_uint_32 before negating x, ensuring
that the result is well-defined even for INT32_MIN.

Considering that the PNG Specification (and, implicitly, libpng)
formally prohibits INT32_MIN values, this is merely a zero-cost form
of hardening intended to appease UBSan, and not an actual bug fix.

Files Modified:

  • pngread.c
  • pngwrite.c

a625147f66ece6bcb4be441e3f1071c04ebae7ae by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/a625147f66ece6bcb4be441e3f1071c04ebae7ae
Authored: 2026-03-23 20:41:40 +0200
Committed: 2026-03-23 20:41:40 +0200

chore: Rerun ./autogen.sh --maintainer

Files Modified:

  • Makefile.in
  • aclocal.m4
  • config.guess
  • config.sub
  • configure

98019f6e7054bd4edb1159c3d7771d7462fde369 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/98019f6e7054bd4edb1159c3d7771d7462fde369
Authored: 2026-03-23 20:41:12 +0200
Committed: 2026-03-23 20:41:12 +0200

test: Add negative-stride test coverage to pngstest

Add the option --negative-stride to pngstest. When set, the row stride
is negated after buffer allocation but before calling the library, so
that png_image_finish_read and png_image_write_to_file exercise the
bottom-up (negative stride) code paths.

Add CI targets for the CMake build and for the configure build:

  • pngstest-negative-stride:
    Bottom-up layout with images covering colormapped, truecolor, alpha,
    8-bit, 16-bit, and short-height paths.
  • pngstest-negative-stride-extra:
    Same with --stride-extra 7 for non-aligned padding with bottom-up
    layout.

Note: the interlaced pngsuite images (ibasn*.png) are incompatible
with pngstest's format conversion comparison framework, so the
png_image_read_direct_scaled path (interlaced 16-to-8 conversion) is
not exercised by this test. A dedicated test for that path will require
interlaced images generated with the correct gamma properties for
pngstest's comparison logic, which is TODO.

Files Added:

  • tests/pngstest-negative-stride
  • tests/pngstest-negative-stride-extra

Files Modified:

  • CMakeLists.txt
  • Makefile.am
  • contrib/libtests/pngstest.c
  • tests/pngstest-large-stride

00002286bfdb6731fc2ca4abc76499edb93455eb by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/00002286bfdb6731fc2ca4abc76499edb93455eb
Authored: 2026-03-23 20:06:56 +0200
Committed: 2026-03-23 20:06:56 +0200

fix(test): Add missing test and tidy up the test list in Makefile.am

Add pngstest-large-stride to the test list in Makefile.am.

The test pngstest-large-stride has a shell script driver in the test
script directory, as well as a target in the CMake file, but it hasn't
been added to the test list in Makefile.am. For this reason, this test
hasn't been run by the configure build.

Also reformat the test list to one entry per line.

Files Modified:

  • Makefile.am

1632f041e47c8c1bfc90b37b8f21a62ec7c2ddc0 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/1632f041e47c8c1bfc90b37b8f21a62ec7c2ddc0
Authored: 2026-03-23 17:04:38 +0200
Committed: 2026-03-23 17:04:38 +0200

refactor(arm): Replace bit shifts and sizeof with plain expressions

Replace hand-strength-reduced idioms to make the source code easier to
read and to audit:

  • Replace i << 2 with i * 4;
  • Replace (i << 1) + i with i * 3;
  • Replace sizeof(png_color) with 3;
  • Replace sizeof(png_uint_32) with 4;
  • Use index * CONSTANT consistently in all stride expressions.

The optimizing compiler will emit identical machine code.

In particular, the expression sizeof(png_uint_32) used in this context
was a semantic misnomer: its value should represent bytes per pixel in
the RGBA format, not the size of the underlying integer type.

Files Modified:

  • arm/palette_neon_intrinsics.c

aba9f18eba870d14fb52c5ba5d73451349e339c3 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
Authored: 2026-03-21 23:48:49 +0200
Committed: 2026-03-21 23:48:49 +0200

fix(arm): Resolve out-of-bounds read/write in NEON palette expansion

Both png_do_expand_palette_rgba8_neon and
png_do_expand_palette_rgb8_neon advanced in fixed-size chunks without
guarding the final iteration, allowing out-of-bounds reads and writes
when the row width is not a multiple of the chunk size.

Restrict the NEON loop to full chunks only, remove the now-unnecessary
post-loop adjustment, and undo the *ddp pre-adjustment before the
pointer handoff to the scalar fallback.

Reported-by: Amemoyoi <Amemoyoi@users.noreply.github.com>
Co-authored-by: Amemoyoi <Amemoyoi@users.noreply.github.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • arm/palette_neon_intrinsics.c
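
The unguarded-chunk bug and its fix, as an added model written for this page (not libpng's NEON code): a 4-pixel "vector" step over a palette row, first with the unguarded bound and then restricted to full chunks with a scalar tail, plus a canary harness that makes the overrun observable instead of leaving it as undefined behaviour. expand_unguarded, expand_guarded and run_with_canary are hypothetical names; the palette and index data are constructed.

```c
#include <stdlib.h>
#include <string.h>

#define CHUNK 4        /* pixels per vector step; the NEON code also advances in fixed chunks */
#define CANARY 0xA5

typedef struct { unsigned char red, green, blue; } png_color_m;
typedef void (*expand_fn)(const unsigned char *, unsigned char *,
                          const png_color_m *, size_t);

/* One pixel: palette index in, RGB triple out. */
static void expand_one(const unsigned char *sp, unsigned char *dp,
                       const png_color_m *pal)
{
    dp[0] = pal[*sp].red;
    dp[1] = pal[*sp].green;
    dp[2] = pal[*sp].blue;
}

/* Pre-fix shape: the loop advances in whole chunks and never guards the last
 * step, so for width % CHUNK != 0 it reads past sp[width - 1] and writes
 * past dp[3 * width - 1]. The inner loop stands in for the 4-wide intrinsic. */
void expand_unguarded(const unsigned char *sp, unsigned char *dp,
                      const png_color_m *pal, size_t width)
{
    for (size_t i = 0; i < width; i += CHUNK)
        for (size_t k = 0; k < CHUNK; k++)
            expand_one(sp + i + k, dp + 3 * (i + k), pal);
}

/* Post-fix shape: the chunk loop runs only while a full chunk remains, then
 * the pointers are handed to a scalar fallback for the tail. */
void expand_guarded(const unsigned char *sp, unsigned char *dp,
                    const png_color_m *pal, size_t width)
{
    size_t i = 0;
    for (; i + CHUNK <= width; i += CHUNK)
        for (size_t k = 0; k < CHUNK; k++)
            expand_one(sp + i + k, dp + 3 * (i + k), pal);
    for (; i < width; i++)
        expand_one(sp + i, dp + 3 * i, pal);
}

/* Harness: source and destination are over-allocated by one chunk and the
 * slack is filled with CANARY, so an overrun lands in the slack (observable)
 * instead of past the allocation (undefined). Returns 1 when the output
 * matches a scalar reference and the canary is intact, 0 when it is not,
 * -1 on allocation failure. Palette and indices are constructed. */
int run_with_canary(expand_fn fn, size_t width)
{
    png_color_m pal[256];
    size_t src_len = width + CHUNK, dst_len = 3 * (width + CHUNK);
    unsigned char *sp = malloc(src_len);
    unsigned char *dp = malloc(dst_len);
    unsigned char *ref = malloc(3 * width + 1);
    int ok = 1;

    if (sp == NULL || dp == NULL || ref == NULL) {
        free(sp); free(dp); free(ref);
        return -1;
    }
    for (int c = 0; c < 256; c++) {            /* no channel ever equals CANARY */
        pal[c].red = (unsigned char)(c * 3);
        pal[c].green = (unsigned char)(c * 5);
        pal[c].blue = (unsigned char)(c * 7);
    }
    for (size_t i = 0; i < width; i++)
        sp[i] = (unsigned char)(i * 37);
    memset(sp + width, CANARY, CHUNK);          /* an OOB read lands here */
    memset(dp, CANARY, dst_len);                /* an OOB write lands here */
    for (size_t i = 0; i < width; i++)
        expand_one(sp + i, ref + 3 * i, pal);

    fn(sp, dp, pal, width);

    if (memcmp(dp, ref, 3 * width) != 0)
        ok = 0;
    for (size_t i = 3 * width; i < dst_len; i++)
        if (dp[i] != CANARY)
            ok = 0;
    free(sp); free(dp); free(ref);
    return ok;
}
```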

c1b0318b393c90679e6fa5bc1d329fd5d5012ec1 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
Authored: 2026-03-20 21:25:12 +0200
Committed: 2026-03-20 21:25:12 +0200

fix: Sync info_ptr->palette after in-place transforms

Copy png_ptr->palette into info_ptr->palette upon entering
the function that runs immediately after the in-place transforms.

The palette decoupling in the previous commit gave png_struct
and png_info independently-allocated palette buffers, fixing a
use-after-free vulnerability. However, png_init_read_transformations
modifies png_ptr->palette in place (e.g. for gamma correction or
background compositing), and the old aliasing made those modifications
visible through png_get_PLTE. With independent buffers,
info_ptr->palette retained the original values, causing our tests to
fail on indexed-colour background compositing.

Files Modified:

  • pngrtran.c

7ea9eea884a2328cc7fdcb3c0c00246a50d90667 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
Authored: 2026-03-20 17:37:22 +0200
Committed: 2026-03-20 17:37:22 +0200

fix: Resolve use-after-free on png_ptr->palette

Give png_struct its own independently-allocated copy of the palette
buffer, decoupling it from info_struct's palette. Allocate both
copies with png_calloc to zero-fill, because the ARM NEON palette
riffle reads all 256 entries unconditionally.

In function png_set_PLTE, png_ptr->palette was aliased directly to
info_ptr->palette: a single heap buffer shared across two structs
with independent lifetimes. If the buffer was freed through info_ptr
(via png_free_data(PNG_FREE_PLTE) or a second call to png_set_PLTE),
png_ptr->palette became a dangling pointer. Subsequent row reads,
performed in png_do_expand_palette and in other transform functions,
dereferenced (and in the bit-shift path, wrote to) freed memory.

Also fix png_set_quantize to allocate an owned copy of the caller's
palette rather than aliasing the user pointer, so that the unconditional
free in png_read_destroy does not free unmanaged memory.

Files Modified:

  • pngread.c
  • pngrtran.c
  • pngrutil.c
  • pngset.c
  • pngwrite.c

a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25 by Oblivionsage <cookieandcream560@gmail.com>

https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
Authored: 2026-03-17 08:55:18 +0100
Committed: 2026-03-18 22:57:40 +0200

fix: Initialize tail bytes in trans_alpha buffers

Although the arrays info_ptr->trans_alpha and png_ptr->trans_alpha
are allocated 256 bytes, only num_trans bytes are copied.
The remaining entries were left uninitialized. Set them to 0xff (fully
opaque) before copying, which matches the conventional treatment of
entries beyond num_trans.

This is a follow-up to the previous use-after-free fix.

Reported-by: Cosmin Truta <ctruta@gmail.com>
Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • pngset.c

bf7fefe787af624e01df9517e4576c386853c34b by Oblivionsage <cookieandcream560@gmail.com>

https://github.com/pnggroup/libpng/commit/bf7fefe787af624e01df9517e4576c386853c34b
Authored: 2026-03-17 08:52:55 +0100
Committed: 2026-03-18 22:57:40 +0200

Add Halil Oktay to AUTHORS

Files Modified:

  • AUTHORS

23019269764e35ed8458e517f1897bd3c54820eb by Oblivionsage <cookieandcream560@gmail.com>

https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
Authored: 2026-03-15 10:35:29 +0100
Committed: 2026-03-18 22:57:40 +0200

fix: Resolve use-after-free on png_ptr->trans_alpha

The function png_set_tRNS sets png_ptr->trans_alpha to point at
info_ptr->trans_alpha directly, so both structs share the same heap
buffer. If the application calls png_free_data(PNG_FREE_TRNS), or if
png_set_tRNS is called a second time, the buffer is freed through
info_ptr while png_ptr still holds a dangling reference. Any
subsequent row read that hits the function png_do_expand_palette will
dereference freed memory.

The fix gives png_struct its own allocation instead of aliasing the
info_ptr pointer. This was already flagged with a TODO in
png_handle_tRNS ("horrible side effect ... Fix this.") but it was
never addressed.

Verified with AddressSanitizer. All 34 existing tests pass without
regressions.

Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • pngread.c
  • pngrutil.c
  • pngset.c
  • pngwrite.c
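
The shared-buffer pattern fixed in the two use-after-free commits above (png_ptr->palette and png_ptr->trans_alpha) and the owned-copy fix, as an added model that is not libpng code: set_PLTE_aliased reproduces the aliasing, set_PLTE_owned the independently calloc'd copies, and the owned scenario frees the info side before reading a row, as png_free_data(PNG_FREE_PLTE) followed by a row read would. All type and function names are hypothetical stand-ins; the palette and index data are constructed.

```c
#include <stdlib.h>
#include <string.h>

#define PNG_MAX_PALETTE_LENGTH 256

typedef struct { unsigned char red, green, blue; } png_color_m;
/* Hypothetical stand-ins for png_info and png_struct (palette fields only). */
typedef struct { png_color_m *palette; int num_palette; } info_model;
typedef struct { png_color_m *palette; int num_palette; } struct_model;

/* Pre-fix shape from the commit: png_ptr->palette aliases info_ptr->palette, one
 * heap buffer with two owners of independent lifetime. Kept for contrast only. */
void set_PLTE_aliased(struct_model *png_ptr, info_model *info_ptr,
                      const png_color_m *src, int n)
{
    free(info_ptr->palette);
    info_ptr->palette = calloc(PNG_MAX_PALETTE_LENGTH, sizeof(png_color_m));
    if (info_ptr->palette == NULL)
        return;
    memcpy(info_ptr->palette, src, (size_t)n * sizeof(png_color_m));
    info_ptr->num_palette = n;
    png_ptr->palette = info_ptr->palette;    /* the aliasing */
    png_ptr->num_palette = n;
}

/* Post-fix shape: each struct owns a calloc'd 256-entry copy, so a free through
 * either side cannot dangle the other; calloc zero-fills the entries beyond n. */
int set_PLTE_owned(struct_model *png_ptr, info_model *info_ptr,
                   const png_color_m *src, int n)
{
    png_color_m *for_info, *for_struct;
    if (src == NULL || n < 0 || n > PNG_MAX_PALETTE_LENGTH)
        return 0;
    for_info = calloc(PNG_MAX_PALETTE_LENGTH, sizeof(png_color_m));
    for_struct = calloc(PNG_MAX_PALETTE_LENGTH, sizeof(png_color_m));
    if (for_info == NULL || for_struct == NULL) {
        free(for_info);
        free(for_struct);
        return 0;
    }
    memcpy(for_info, src, (size_t)n * sizeof(png_color_m));
    memcpy(for_struct, src, (size_t)n * sizeof(png_color_m));
    free(info_ptr->palette);
    info_ptr->palette = for_info;
    info_ptr->num_palette = n;
    free(png_ptr->palette);
    png_ptr->palette = for_struct;
    png_ptr->num_palette = n;
    return 1;
}

/* Row expansion reading only the struct-owned palette, as the row transforms
 * do long after png_set_PLTE has returned. */
void expand_palette_row(const struct_model *png_ptr, const unsigned char *idx,
                        unsigned char *rgb, int width)
{
    for (int i = 0; i < width; i++) {
        const png_color_m *c = &png_ptr->palette[idx[i]];
        rgb[3 * i] = c->red; rgb[3 * i + 1] = c->green; rgb[3 * i + 2] = c->blue;
    }
}

/* Constructed palette and index row used by both scenarios. */
static const png_color_m sample_pal[2] = { {1, 2, 3}, {4, 5, 6} };
static const unsigned char sample_row[4] = { 1, 0, 1, 1 };

/* Returns 1 if the aliased variant leaves both structs on one buffer (the bug's
 * precondition). Only pointers are compared; nothing is read after the free. */
int aliased_variant_shares_buffer(void)
{
    info_model info = { NULL, 0 };
    struct_model png = { NULL, 0 };
    int shared;
    set_PLTE_aliased(&png, &info, sample_pal, 2);
    shared = (png.palette == info.palette);
    free(info.palette);                         /* info-side free */
    info.palette = NULL;
    png.palette = NULL;                         /* clear the now-stale alias */
    return shared;
}

/* The commit's scenario with owned copies: set PLTE, free through the info
 * side, then read a row. Returns the sum of the expanded bytes (51 for the
 * sample data), or -1 on allocation failure. */
int owned_variant_survives_info_free(void)
{
    info_model info = { NULL, 0 };
    struct_model png = { NULL, 0 };
    unsigned char out[12];
    int sum = 0;
    if (!set_PLTE_owned(&png, &info, sample_pal, 2) || png.palette == info.palette)
        return -1;
    free(info.palette);                         /* info-side free */
    info.palette = NULL;
    expand_palette_row(&png, sample_row, out, 4);   /* png.palette still valid */
    for (int i = 0; i < 12; i++)
        sum += out[i];
    free(png.palette);
    return sum;
}
```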

0c37b8fbffe779314f3c842e16983ceec5930af1 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/0c37b8fbffe779314f3c842e16983ceec5930af1
Authored: 2026-03-09 17:55:16 +0200
Committed: 2026-03-09 17:55:16 +0200

oss-fuzz: Fix indentation and rephrase comments in the build script

Co-authored-by: Bob Friesenhahn <bobjfriesenhahn@gmail.com>

Files Modified:

  • contrib/oss-fuzz/build.sh

753fc9980a3186906ec363de2ab51d95b9322390 by Philippe Antoine <contact@catenacyber.fr>

https://github.com/pnggroup/libpng/commit/753fc9980a3186906ec363de2ab51d95b9322390
Authored: 2026-03-08 22:33:20 +0100
Committed: 2026-03-09 17:24:17 +0200

oss-fuzz: Build the nalloc variants only for the fuzzers that use nalloc

Files Modified:

  • contrib/oss-fuzz/build.sh

e1fa87e72e39d32518d6a5e1cc343fb81f10db44 by Philippe Antoine <contact@catenacyber.fr>

https://github.com/pnggroup/libpng/commit/e1fa87e72e39d32518d6a5e1cc343fb81f10db44
Authored: 2026-03-08 22:28:25 +0100
Committed: 2026-03-09 17:24:17 +0200

oss-fuzz: Rename _nalloc to @nalloc to match the fuzztests naming

Files Modified:

  • contrib/oss-fuzz/build.sh

c0822817b84638fa0b47049633ececb8b085ba25 by Philippe Antoine <contact@catenacyber.fr>

https://github.com/pnggroup/libpng/commit/c0822817b84638fa0b47049633ececb8b085ba25
Authored: 2026-03-08 22:10:16 +0100
Committed: 2026-03-09 17:24:17 +0200

oss-fuzz: Use bash in the nalloc wrapper script

Files Modified:

  • contrib/oss-fuzz/build.sh

905e1f85bacd68cc46c662f0672c561f30d2abbb by OwenSanzas <zesheng@tamu.edu>

https://github.com/pnggroup/libpng/commit/905e1f85bacd68cc46c662f0672c561f30d2abbb
Authored: 2026-03-05 07:53:29 +0000
Committed: 2026-03-09 11:56:10 +0200

oss-fuzz: Fix API misuse in the readapi fuzzer

Replace the calls to png_set_scale_16, png_set_packing and
png_set_expand, which were incorrectly combined with
png_read_png(..., PNG_TRANSFORM_IDENTITY, ...), with the equivalent
PNG_TRANSFORM_* flags passed directly to png_read_png.

The libpng manual states that applications must use transforms, and not
call any png_set_* transform functions when they use png_read_png.

Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • contrib/oss-fuzz/libpng_readapi_fuzzer.cc

2d899901da2bcafd088df067c891ffab6f2d0087 by OwenSanzas <zesheng@tamu.edu>

https://github.com/pnggroup/libpng/commit/2d899901da2bcafd088df067c891ffab6f2d0087
Authored: 2026-03-05 07:53:01 +0000
Committed: 2026-03-09 11:32:06 +0200

oss-fuzz: Fix memory leaks and API misuse in the transformations fuzzer

  • Fix row buffer leak: the row buffer, allocated after setjmp, was
    not freed when png_read_row triggered longjmp. Declare row as
    volatile before setjmp and free it in the error handler. This fixes
    a LeakSanitizer false positive that prevents the fuzzer from starting.
  • Fix palette buffer leak (same pattern as the row buffer leak):
    declare palette as volatile before setjmp and free it in the
    error handler.
  • Fix API misuse: replace png_set_* calls before png_read_png with
    PNG_TRANSFORM_* flags.

Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • contrib/oss-fuzz/libpng_transformations_fuzzer.cc
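
The setjmp/longjmp leak and the volatile fix from the first two bullets, as an added model (not the fuzzer's or libpng's code): model_png_error and model_read_row stand in for png_error and png_read_row, and an allocation counter makes the leak observable without LeakSanitizer. All names are hypothetical; the row size and the failing row number are constructed.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>

#define ROW_BYTES 16

/* Allocation counter so the leak is observable without LeakSanitizer. */
static int live_allocations = 0;

static void *track_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        live_allocations++;
    return p;
}

static void track_free(void *p)
{
    if (p != NULL) {
        live_allocations--;
        free(p);
    }
}

int live_allocation_count(void)
{
    return live_allocations;
}

/* Stand-in for png_error(): libpng's default error handler ends in a longjmp
 * to the jmp_buf the caller armed with setjmp. */
static jmp_buf *current_jmpbuf;

static void model_png_error(const char *msg)
{
    (void)msg;
    longjmp(*current_jmpbuf, 1);
}

/* Stand-in for png_read_row(): fills the row, or raises the error on row
 * fail_at (pass -1 for no error). */
static void model_read_row(unsigned char *row, int y, int fail_at)
{
    memset(row, (unsigned char)y, ROW_BYTES);
    if (y == fail_at)
        model_png_error("constructed row error");
}

/* Pre-fix shape from the commit: the buffer is allocated after setjmp and
 * the handler returns without freeing it, so every error path leaks one row.
 * Returns 0 on success, -1 when the error handler ran. */
int decode_leaky(int height, int fail_at)
{
    jmp_buf jb;
    unsigned char *row = NULL;

    current_jmpbuf = &jb;
    if (setjmp(jb) != 0)
        return -1;                       /* row is leaked here */
    row = track_malloc(ROW_BYTES);
    if (row == NULL)
        return -1;
    for (int y = 0; y < height; y++)
        model_read_row(row, y, fail_at);
    track_free(row);
    return 0;
}

/* Post-fix shape: row is declared volatile before setjmp, so the value it
 * holds when longjmp fires is guaranteed to be visible in the handler
 * (C11 7.13.2.1 leaves non-volatile locals modified after setjmp
 * indeterminate), and the handler frees it. */
int decode_fixed(int height, int fail_at)
{
    jmp_buf jb;
    unsigned char *volatile row = NULL;

    current_jmpbuf = &jb;
    if (setjmp(jb) != 0) {
        track_free(row);                 /* NULL or the live buffer: both safe */
        return -1;
    }
    row = track_malloc(ROW_BYTES);
    if (row == NULL)
        return -1;
    for (int y = 0; y < height; y++)
        model_read_row(row, y, fail_at);
    track_free(row);
    return 0;
}
```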

838b2e89ad5882597d24ce3c47c8d7461492cc97 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/838b2e89ad5882597d24ce3c47c8d7461492cc97
Authored: 2026-03-06 17:58:06 +0200
Committed: 2026-03-06 18:20:52 +0200

build: Deprecate the POINTER_INDEXING config option

POINTER_INDEXING was a build configuration option that we maintained
in order to work around a gcc 2.7.2.2 code generation bug (circa 1997).
This provided array-indexing fallback loops in png_write_PLTE and
png_write_sPLT.

Unfortunately, the fallback paths were effectively untested dead code
in every default build, and have been a recurring source of latent bugs.
(See commit 48800443eb in pnggroup/libpng#801 and commit f27592a0cd in
libpng 1.5.2rc02).

No compiler in current use requires this accommodation.

This is a cherry-pick of commit 28cb99fe65f09e79703ac2c3008649e14c7b0844
from branch 'libpng18'.

Files Modified:

  • pngwutil.c
  • scripts/pnglibconf.dfa

7d52a808795e011a2dd6290c8b4369150f815f3c by ylwango613 <1217816127@qq.com>

https://github.com/pnggroup/libpng/commit/7d52a808795e011a2dd6290c8b4369150f815f3c
Authored: 2026-02-28 10:04:57 +0800
Committed: 2026-03-02 13:24:11 +0200

Validate shift bit depths in png_set_shift to prevent infinite loop

The function png_set_shift did not validate the png_color_8 fields.
When any channel's bit depth was 0, png_do_shift entered an infinite
loop because the decrement j -= 0 never changed j. Values exceeding
the image bit depth also produced incorrect shift arithmetic.

In contrast, the read-side sBIT chunk parser (i.e., png_handle_sBIT
in pngrutil.c) already rejects out-of-range values.

This commit adds equivalent per-channel validation on the write side,
ensuring that all relevant fields are in range from 1 to bit_depth,
and reporting invalid values via png_app_error.

Fixes pnggroup/libpng#804

This is a cherry-pick of commit 203c843cd732f7062798dfadcaa48dd13d4854af
from branch 'libpng18'.

Co-authored-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • pngtrans.c
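
The loop that hangs and the validation that now guards it, as an added model (not libpng's pngtrans.c): replicate_bits reproduces the per-sample shift loop shape described above, validate_shift the 1..bit_depth check, and shift_sample_checked refuses the inputs that would loop forever or produce wrong arithmetic. Names are hypothetical; has_color and has_alpha stand in for the colour-type tests that decide which png_color_8 fields are relevant.

```c
/* Model of png_color_8 as consumed by png_set_shift: significant bits per channel. */
typedef struct { unsigned char red, green, blue, gray, alpha; } png_color_8_m;

/* The per-sample core of png_do_shift for depths up to 16: the low `sbit`
 * bits of `sample` are replicated to fill `bit_depth` bits. shift_start is
 * the first up-shift and shift_dec the per-iteration decrement. With
 * sbit == 0 the decrement is j -= 0, j never changes, and this loop never
 * terminates, which is why it must sit behind the validation below. */
unsigned int replicate_bits(unsigned int sample, int sbit, int bit_depth)
{
    unsigned int out = 0, mask = (1u << bit_depth) - 1u;
    int shift_start = bit_depth - sbit, shift_dec = sbit;

    for (int j = shift_start; j > -shift_dec; j -= shift_dec) {
        if (j > 0)
            out |= (sample << j) & mask;
        else
            out |= (sample >> -j) & mask;
    }
    return out;
}

/* Post-fix check: every field relevant to the colour type must be in
 * 1..bit_depth (png_set_shift reports a violation via png_app_error).
 * Returns 1 when valid, 0 otherwise. */
int validate_shift(const png_color_8_m *s, int bit_depth, int has_color,
                   int has_alpha)
{
    int fields[4], n = 0;

    if (bit_depth < 1 || bit_depth > 16)
        return 0;
    if (has_color) {
        fields[n++] = s->red;
        fields[n++] = s->green;
        fields[n++] = s->blue;
    } else {
        fields[n++] = s->gray;
    }
    if (has_alpha)
        fields[n++] = s->alpha;
    for (int i = 0; i < n; i++)
        if (fields[i] < 1 || fields[i] > bit_depth)
            return 0;
    return 1;
}

/* Guarded entry point for one channel: returns the expanded sample, or -1
 * instead of hanging (sbit == 0) or producing garbage (sbit > bit_depth). */
int shift_sample_checked(unsigned int sample, int sbit, int bit_depth)
{
    if (bit_depth < 1 || bit_depth > 16 || sbit < 1 || sbit > bit_depth)
        return -1;
    return (int)replicate_bits(sample, sbit, bit_depth);
}
```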

b137d2180b1059dd9dbe3e7f14758e7f0e0505e2 by ylwango613 <1217816127@qq.com>

https://github.com/pnggroup/libpng/commit/b137d2180b1059dd9dbe3e7f14758e7f0e0505e2
Authored: 2026-02-26 17:34:27 +0800
Committed: 2026-02-27 20:27:52 +0200

Add missing NULL pointer checks in four public API functions

png_set_eXIf_1, png_set_hIST, png_set_shift, and png_set_quantize
accept user-provided pointers but do not validate them for NULL
before dereferencing, unlike peer functions (png_set_iCCP,
png_set_PLTE, png_set_sBIT, png_set_tRNS) which do check.

Passing NULL causes an immediate SIGSEGV.

Fixes pnggroup/libpng#802

This is a cherry-pick of commit 747dd02240d95dc8da1b9fecf0f58569ebbcf5a7
from branch 'libpng18'.

Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • pngrtran.c
  • pngset.c
  • pngtrans.c

0e731d189ae6b2c8d2f74f2ea52c34bafc426c02 by ylwango613 <1217816127@qq.com>

https://github.com/pnggroup/libpng/commit/0e731d189ae6b2c8d2f74f2ea52c34bafc426c02
Authored: 2026-02-26 15:49:46 +0800
Committed: 2026-02-27 18:59:20 +0200

Fix two copy-paste typos in colormap read and sPLT write

Fix wrong blue channel in png_image_read_colormap: b = back_g
should be b = back_b (pngread.c:2686). This caused PNG_RGB_INDEX
to compute the wrong 6x6x6 cube index when the background has
green != blue, forcing a lossier compositing path.

Fix dead loop in png_write_sPLT: i > spalette->nentries should
be i < spalette->nentries (pngwutil.c:1274). The loop body never
executed, producing a malformed sPLT chunk with CRC mismatch. Only
affects builds without PNG_POINTER_INDEXING_SUPPORTED.

Fixes pnggroup/libpng#800.

This is a cherry-pick of commit 48800443eb1a6cee79f37da45984e52b3085e62b
from branch 'libpng18'.

Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • pngread.c
  • pngwutil.c

646d55abaab7129aa223ae4a69485910e4727717 by ylwango613 <1217816127@qq.com>

https://github.com/pnggroup/libpng/commit/646d55abaab7129aa223ae4a69485910e4727717
Authored: 2026-02-24 16:41:26 +0800
Committed: 2026-02-27 17:09:08 +0200

Fix wrong channel indices in png_image_read_and_map RGB_ALPHA path

In the PNG_CMAP_RGB_ALPHA case for semi-transparent pixels (alpha
64-195), all six bit checks used inrow[0] (red channel). The green
and blue channels were never read, causing the colormap index to
depend solely on the red value. Fix by using inrow[1] for green and
inrow[2] for blue, matching the fully-opaque branch at line 3041.

Bug introduced in commit 871b1d0 (libpng 1.6.1beta05, 2013-03-02).
Fixes pnggroup/libpng#796.

This is a cherry-pick of commit 961721b109dbc4e50ce7164e4dcde2bb49f4bb80
from branch 'libpng18'.

Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • AUTHORS
  • pngread.c

62f9a9069fc64e858fc32a7abcbb666802feabae by Philippe Antoine <contact@catenacyber.fr>

https://github.com/pnggroup/libpng/commit/62f9a9069fc64e858fc32a7abcbb666802feabae
Authored: 2026-02-11 14:51:23 +0100
Committed: 2026-02-13 20:17:41 +0200

oss-fuzz: Fix build.sh for/if

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • contrib/oss-fuzz/build.sh

8d245089d1585b1dfc24779045a6d1a4efca7ad7 by THE-Spellchecker <The.Spellchecker@outlook.com>

https://github.com/pnggroup/libpng/commit/8d245089d1585b1dfc24779045a6d1a4efca7ad7
Authored: 2026-01-10 20:07:32 -0600
Committed: 2026-02-13 18:48:22 +0200

Fix typographical errors

This is a cherry-pick of commit 0094fdbf3743c238effb88aa92cf2a2ea23ade4a
from branch 'libpng18'.

Co-authored-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • CMakeLists.txt
  • contrib/libtests/pngstest.c
  • contrib/libtests/pngvalid.c
  • contrib/pngminus/README.txt
  • contrib/visupng/VisualPng.c
  • libpng-manual.txt
  • libpng.3
  • png.c
  • png.h
  • pngpriv.h
  • pngread.c
  • pngrtran.c
  • pngrutil.c
  • pngset.c
  • pngstruct.h
  • pngwrite.c
  • pngwutil.c

d54127e3db049282850e90c590d950f1fdbf62c2 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/d54127e3db049282850e90c590d950f1fdbf62c2
Authored: 2025-11-07 11:53:04 +0200
Committed: 2026-02-11 21:17:47 +0200

refactor: Clean up pointer variable declarations

Split compound declarations of pointer variables for improved clarity.

Rename local loop boundary variables, remove their sterile const
qualifiers, and reorder their declarations to improve local cohesion.

This is a cherry-pick of commit 1ebf432e85b53bf111a4585b410592727dd40a5a
from branch 'libpng18'.

Files Modified:

  • contrib/libtests/pngunknown.c
  • pngread.c
  • pngrutil.c
  • pngtest.c
  • pngtrans.c

e0dbfd4b563331b5512424d80c909e201ac98115 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/e0dbfd4b563331b5512424d80c909e201ac98115
Authored: 2025-11-03 17:44:30 +0200
Committed: 2026-02-11 21:08:00 +0200

refactor: Clean up the redundant top-level const qualifiers

Remove the top-level const qualifiers from local variables and from
function parameters passed by value. These qualifiers only constrain
the local object within the function body: they neither affect function
signatures, nor constrain callers, nor protect any shared state.

Throughout the libpng codebase we apply const only where it
meaningfully constrains objects beyond the immediate scope, such as
true constants and pointed-to objects.

This is a cherry-pick of commit e973362b8bb15ad939b7f0eb264774bfc221d3be
from branch 'libpng18'.

Files Modified:

  • contrib/libtests/pngvalid.c
  • contrib/tools/pngfix.c
  • pngwrite.c

61b3a6fc08d3419c1857aa61bf1c1c57739935de by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/61b3a6fc08d3419c1857aa61bf1c1c57739935de
Authored: 2026-02-11 19:40:22 +0200
Committed: 2026-02-11 19:40:22 +0200

Bump version to 1.6.56.git

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

c3e304954a9cfd154bc0dfbfea2b01cd61d6546d by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/c3e304954a9cfd154bc0dfbfea2b01cd61d6546d
Authored: 2026-02-09 22:02:20 +0200
Committed: 2026-02-09 22:02:20 +0200

Release libpng version 1.6.55

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • libpng-manual.txt
  • libpng.3
  • libpngpf.3
  • png.5
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

b72e38c08b1bcd574c3a4a9190e5525e74604ed1 by Philippe Antoine <contact@catenacyber.fr>

https://github.com/pnggroup/libpng/commit/b72e38c08b1bcd574c3a4a9190e5525e74604ed1
Authored: 2026-01-23 16:04:16 +0100
Committed: 2026-02-09 20:48:12 +0200

oss-fuzz: Restrict the nalloc build to libfuzzer

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • contrib/oss-fuzz/build.sh

9404d8e35bdc060faa4d8a40792ba7a2527ff531 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/9404d8e35bdc060faa4d8a40792ba7a2527ff531
Authored: 2026-02-09 17:51:02 +0200
Committed: 2026-02-09 17:51:02 +0200

chore: Pacify markdownlint

Files Modified:

  • ANNOUNCE
  • CHANGES
  • README
  • TODO
  • ci/README.md
  • scripts/cmake/README.md

2f7991c31bca4812580d7f9057537b987108c90c by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/2f7991c31bca4812580d7f9057537b987108c90c
Authored: 2026-02-09 17:43:54 +0200
Committed: 2026-02-09 17:43:54 +0200

Add .markdownlint.yml, a configuration file for markdownlint

Files Added:

  • .markdownlint.yml

01d03b8453eb30ade759cd45c707e5a1c7277d88 by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
Authored: 2026-02-06 19:11:54 +0200
Committed: 2026-02-06 19:11:54 +0200

Fix a heap buffer overflow in png_set_quantize

The color distance hash table stored the current palette indices, but
the color-pruning loop assumed the original indices. When colors were
eliminated and indices changed, the stored indices became stale. This
caused the loop bound max_d to grow past the 769-element hash array.

The fix consists in storing the original indices via palette_to_index
to match the pruning loop's expectations.

Reported-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
Co-authored-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>

Files Modified:

  • AUTHORS
  • pngrtran.c

b884e8c6188ba2002230474451deccf61f09decc by Cosmin Truta <ctruta@gmail.com>

https://github.com/pnggroup/libpng/commit/b884e8c6188ba2002230474451deccf61f09decc
Authored: 2026-02-06 19:03:06 +0200
Committed: 2026-02-06 19:03:06 +0200

Bump version to 1.6.55.git

Files Modified:

  • ANNOUNCE
  • CHANGES
  • CMakeLists.txt
  • README
  • configure
  • configure.ac
  • png.c
  • png.h
  • pngconf.h
  • pngtest.c
  • scripts/libpng-config-head.in
  • scripts/libpng.pc.in
  • scripts/pnglibconf.h.prebuilt

Attached file Bug 2026426 - Update libpng to v1.6.56 (obsolete)

Couple of CVEs in this. Looking to see the impact on us. I'll just uplift back to esr140 since we have 1.6.55 there already. The question is if they are severe enough to go back to esr115, which would be a bigger chunk of work to uplift.

Assignee: nobody → tnikkel
Status: NEW → ASSIGNED
Attachment #9558470 - Flags: approval-mozilla-beta?

firefox-beta Uplift Approval Request

  • User impact if declined/Reason for urgency: various security fixes for libpng
  • Code covered by automated testing?: yes
  • Fix verified in Nightly?: no
  • Needs manual QE testing?: no
  • Steps to reproduce for manual QE testing:
  • Risk associated with taking this patch: low
  • Explanation of risk level: small security fixes to libpng
  • String changes made/needed?: none
  • Is Android affected?: yes
Attachment #9558471 - Flags: approval-mozilla-esr140?

firefox-esr140 Uplift Approval Request

  • User impact if declined/Reason for urgency: various security fixes for libpng
  • Code covered by automated testing?: yes
  • Fix verified in Nightly?: no
  • Needs manual QE testing?: no
  • Steps to reproduce for manual QE testing:
  • Risk associated with taking this patch: low
  • Explanation of risk level: small security fixes to libpng
  • String changes made/needed?: none
  • Is Android affected?: yes
Attachment #9558454 - Attachment is obsolete: true
Attachment #9558453 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 16 days ago
Resolution: --- → FIXED
Target Milestone: --- → 151 Branch

The try push is done, we found jobs with unclassified failures.

Needs Investigation (Possible Intermittents):

  • test-macosx1470-64/debug-gtest-1proc - 1 of 1 failed (failed: SaqO4RXTSmap2n9Tg7wOTg)
  • test-macosx1470-64/opt-gtest-1proc - 1 of 1 failed (failed: M1byKUedQo2hHRGFL2WzPg)

These failures could mean that the library update changed something and caused
tests to fail. You'll need to review them yourself and decide where to go from here.

In either event, I have done all I can and you will need to take it from here. If you
don't want to land my patch, you can replicate it locally for editing with
./mach vendor media/libpng/moz.yaml

When reviewing, please note that this is external code, which needs a full and
careful inspection - not a rubberstamp.

firefox-esr115 Uplift Approval Request

  • User impact if declined/Reason for urgency: CVEs
  • Code covered by automated testing?: yes
  • Fix verified in Nightly?: no
  • Needs manual QE testing?: no
  • Steps to reproduce for manual QE testing:
  • Risk associated with taking this patch: low
  • Explanation of risk level: same libpng code we have on all other branches, good test coverage for png, changes limited to libpng library directory
  • String changes made/needed?: none
  • Is Android affected?: yes
Attachment #9559083 - Attachment description: WIP: Bug 2026426. Update libpng to v1.6.56 rollup patch for esr115. → Bug 2026426. Update libpng to v1.6.56 rollup patch for esr115.

Comment on attachment 9559083 [details]
Bug 2026426. Update libpng to v1.6.56 rollup patch for esr115.

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined:
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
Attachment #9559083 - Flags: approval-mozilla-esr115?
Summary: Update libpng to new version v1.6.56 from 2026-03-25 22:47:06 → Update libpng to new version v1.6.56 from 2026-03-25 22:47:06 (includes fixes for CVE-2026-33416, CVE-2026-33636)
Keywords: sec-high
Type: enhancement → task
Attachment #9558470 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9558471 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
Attachment #9559083 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
QA Whiteboard: [qa-triage-done-c151/b150]
Whiteboard: [3pl-filed][task_id: NMB2W2weQj2-z4u8qJocTQ] → [3pl-filed][task_id: NMB2W2weQj2-z4u8qJocTQ][adv-main149+]
Whiteboard: [3pl-filed][task_id: NMB2W2weQj2-z4u8qJocTQ][adv-main149+] → [3pl-filed][task_id: NMB2W2weQj2-z4u8qJocTQ][adv-main149+][adv-main140.9.1+]
Whiteboard: [3pl-filed][task_id: NMB2W2weQj2-z4u8qJocTQ][adv-main149+][adv-main140.9.1+] → [3pl-filed][task_id: NMB2W2weQj2-z4u8qJocTQ][adv-main149+][adv-esr140.9.1+][adv-esr115.35.1+]
Whiteboard: [3pl-filed][task_id: NMB2W2weQj2-z4u8qJocTQ][adv-main149+][adv-esr140.9.1+][adv-esr115.35.1+] → [3pl-filed][task_id: NMB2W2weQj2-z4u8qJocTQ][adv-main149+][adv-esr140.9.1+][adv-esr115.34.1+]
Whiteboard: [3pl-filed][task_id: NMB2W2weQj2-z4u8qJocTQ][adv-main149+][adv-esr140.9.1+][adv-esr115.34.1+] → [3pl-filed][task_id: NMB2W2weQj2-z4u8qJocTQ][adv-main149+r][adv-esr140.9.1+r][adv-esr115.34.1+r]
Whiteboard: [3pl-filed][task_id: NMB2W2weQj2-z4u8qJocTQ][adv-main149+r][adv-esr140.9.1+r][adv-esr115.34.1+r] → [3pl-filed][task_id: NMB2W2weQj2-z4u8qJocTQ][adv-main149.0.2+r][adv-esr140.9.1+r][adv-esr115.34.1+r]