Update bundled libpng to version 1.6.28

Merged in the upstream version.
The remaining diff to clean 1.6.28 is archived in the qtpatches.diff file.

This fixes CVE-2016-10087 but Qt was never vulnerable to that issue!

[ChangeLog][Third-Party Code] libpng was updated to version 1.6.28.

Change-Id: I46712103fb160f31702eb7496fdd5c492a59ba5b
Reviewed-by: Frederik Gladhorn <frederik.gladhorn@qt.io>
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>

1 files changed, 16 insertions, 29 deletions

diff --git a/src/3rdparty/libpng/ANNOUNCE b/src/3rdparty/libpng/ANNOUNCE
index 4dae783b55..70a71e3b0e 100644
--- a/src/3rdparty/libpng/ANNOUNCE
+++ b/src/3rdparty/libpng/ANNOUNCE
@@ -1,4 +1,4 @@
-Libpng 1.6.20 - December 3, 2015
+Libpng 1.6.28 - January 5, 2017
 
 This is a public release of libpng, intended for use in production codes.
 
@@ -7,41 +7,28 @@ Files available for download:
 Source files with LF line endings (for Unix/Linux) and with a
 "configure" script
 
-   libpng-1.6.20.tar.xz (LZMA-compressed, recommended)
-   libpng-1.6.20.tar.gz
+   libpng-1.6.28.tar.xz (LZMA-compressed, recommended)
+   libpng-1.6.28.tar.gz
 
 Source files with CRLF line endings (for Windows), without the
 "configure" script
 
-   /scratch/glennrp/Libpng16/lpng1620.7z  (LZMA-compressed, recommended)
-   /scratch/glennrp/Libpng16/lpng1620.zip
+   lpng1628.7z  (LZMA-compressed, recommended)
+   lpng1628.zip
 
 Other information:
 
-   libpng-1.6.20-README.txt
-   libpng-1.6.20-LICENSE.txt
-   libpng-1.6.20-*.asc (armored detached GPG signatures)
-
-Changes since the last public release (1.6.19):
-  Avoid potential pointer overflow/underflow in png_handle_sPLT() and
-    png_handle_pCAL() (Bug report by John Regehr).
-  Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
-    not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
-    vulnerability.
-  Backported tests from libpng-1.7.0beta69.
-  Fixed an error in handling of bad zlib CMINFO field in pngfix, found by
-    American Fuzzy Lop, reported by Brian Carpenter.  inflate() doesn't
-    immediately fault a bad CMINFO field; instead a 'too far back' error
-    happens later (at least some times).  pngfix failed to limit CMINFO to
-    the allowed values but then assumed that window_bits was in range,
-    triggering an assert. The bug is mostly harmless; the PNG file cannot
-    be fixed.
-  In libpng 1.6 zlib initialization was changed to use the window size
-    in the zlib stream, not a fixed value. This causes some invalid images,
-    where CINFO is too large, to display 'correctly' if the rest of the
-    data is valid.  This provides a workaround for zlib versions where the
-    error arises (ones that support the API change to use the window size
-    in the stream).
+   libpng-1.6.28-README.txt
+   libpng-1.6.28-LICENSE.txt
+   libpng-1.6.28-*.asc (armored detached GPG signatures)
+
+Changes since the last public release (1.6.27):
+  Fixed arm/aarch64 detection in CMakeLists.txt (Gianfranco Costamagna).
+  Added option to Cmake build allowing a custom location of zlib to be
+    specified in a scenario where libpng is being built as a subproject
+    alongside zlib by another project (Sam Serrels).
+  Changed png_ptr->options from a png_byte to png_uint_32, to accomodate
+    up to 16 options.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit