path: root/src/3rdparty/libpng/CHANGES
diff options
authorAndré Klitzing <>2017-01-03 15:50:16 +0100
committerAndré Klitzing <>2017-01-31 18:28:54 +0000
commit9369eca108cc509ed651c0dbab6fa54de83727fc (patch)
tree86beb64efc900cbd8d32831f4256e5b1e350a4b5 /src/3rdparty/libpng/CHANGES
parentbba4abd35fcfff294cda266ddd9e73d04c805860 (diff)
Update bundled libpng to version 1.6.28
Merged in the upstream version. The remaining diff to clean 1.6.28 is archived in the qtpatches.diff file. This fixes CVE-2016-10087 but Qt was never vulnerable to that issue! [ChangeLog][Third-Party Code] libpng was updated to version 1.6.28. Change-Id: I46712103fb160f31702eb7496fdd5c492a59ba5b Reviewed-by: Frederik Gladhorn <> Reviewed-by: Eirik Aavitsland <>
Diffstat (limited to 'src/3rdparty/libpng/CHANGES')
1 files changed, 351 insertions, 3 deletions
diff --git a/src/3rdparty/libpng/CHANGES b/src/3rdparty/libpng/CHANGES
index 28094fd26c..0b5e944ee3 100644
--- a/src/3rdparty/libpng/CHANGES
+++ b/src/3rdparty/libpng/CHANGES
@@ -593,7 +593,7 @@ Version 1.0.5e [November 30, 1999]
with trailing compressed parts easier in the future, and added new functions
png_free_iCCP, png_free_pCAL, png_free_sPLT, png_free_text, png_get_iCCP,
png_get_spalettes, png_set_iCCP, png_set_spalettes (Eric S. Raymond).
- NOTE: Applications that write text chunks MUST define png_text->lang
+ NOTE: Applications that write text chunks MUST define png_text->lang
before calling png_set_text(). It must be set to NULL if you want to
write tEXt or zTXt chunks. If you want your application to be able to
run with older versions of libpng, use
@@ -5063,7 +5063,8 @@ Version 1.6.15beta04 [November 4, 2014]
Version 1.6.15beta05 [November 5, 2014]
Use png_get_libpng_ver(NULL) instead of PNG_LIBPNG_VER_STRING in
example.c, pngtest.c, and applications in the contrib directory.
- Avoid out-of-bounds memory access in png_user_version_check().
+ Fixed an out-of-range read in png_user_version_check() (Bug report from
+ Qixue Xiao, CVE-2015-8540).
Simplified and future-proofed png_user_version_check().
Fixed GCC unsigned int->float warnings. Various versions of GCC
seem to generate warnings when an unsigned value is implicitly
@@ -5421,7 +5422,7 @@ Version 1.6.20beta01 [November 20, 2015]
Version 1.6.20beta02 [November 23, 2015]
Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
- vulnerability.
+ vulnerability. Fixes CVE-2015-8472.
Version 1.6.20beta03 [November 24, 2015]
Backported tests from libpng-1.7.0beta69.
@@ -5446,6 +5447,353 @@ Version 1.6.20rc02 [November 29, 2015]
Version 1.6.20 [December 3, 2015]
No changes.
+Version 1.6.21beta01 [December 11, 2015]
+ Fixed syntax "$(command)" in tests/pngstest that some shells other than
+ bash could not parse (Bug report by Nelson Beebe). Use `command` instead.
+Version 1.6.21beta02 [December 14, 2015]
+ Moved png_check_keyword() from pngwutil.c to pngset.c
+ Removed LE/BE dependencies in pngvalid, to 'fix' the current problem
+ in the BigEndian tests by not testing it, making the BE code the same
+ as the LE version.
+ Fixes to pngvalid for various reduced build configurations (eliminate unused
+ statics) and a fix for the case in rgb_to_gray when the digitize option
+ reduces graylo to 0, producing a large error.
+Version 1.6.21beta03 [December 18, 2015]
+ Widened the 'limit' check on the internally calculated error limits in
+ the 'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error
+ checks) and changed the check to only operate in non-release builds
+ (base build type not RC or RELEASE.)
+ Fixed undefined behavior in pngvalid.c, undefined because
+ (png_byte) << shift is undefined if it changes the signed bit
+ (because png_byte is promoted to int). The libpng exported functions
+ png_get_uint_32 and png_get_uint_16 handle this. (Bug reported by
+ David Drysdale as a result of reports from UBSAN in clang 3.8).
+ This changes pngvalid to use BE random numbers; this used to produce
+ errors but these should not be fixed as a result of the previous changes.
+Version 1.6.21rc01 [January 4, 2016]
+ In projects/vstudio, combined readme.txt and WARNING into README.txt
+Version 1.6.21rc02 [January 7, 2016]
+ Relocated assert() in contrib/tools/pngfix.c, bug found by American
+ Fuzzy Lop, reported by Brian Carpenter.
+ Marked 'limit' UNUSED in transform_range_check(). This only affects
+ release builds.
+Version 1.6.21 [January 15, 2016]
+ Worked around a false-positive Coverity issue in pngvalid.c.
+Version 1.6.22beta01 [January 23, 2016]
+ Changed PNG_USE_MKSTEMP to __COVERITY__ to select alternate
+ "tmpfile()" implementation in contrib/libtests/pngstest.c
+ Fixed NO_STDIO build of pngunknown.c to skip calling png_init_io()
+ if there is no stdio.h support.
+ Added a png_image_write_to_memory() API and a number of assist macros
+ to allow an application that uses the simplified API write to bypass
+ stdio and write directly to memory.
+ Added some warnings (png.h) and some check code to detect *possible*
+ overflow in the ROW_STRIDE and simplified image SIZE macros. This
+ disallows image width/height/format that *might* overflow. This is
+ a quiet API change that limits in-memory image size (uncompressed) to
+ less than 4GByte and image row size (stride) to less than 2GByte.
+ Revised workaround for false-positive Coverity issue in pngvalid.c.
+Version 1.6.22beta02 [February 8, 2016]
+ Only use exit(77) in configure builds.
+ Corrected error in PNG_IMAGE_PNG_SIZE_MAX. This new macro underreported
+ the palette size because it failed to take into account that the memory
+ palette has to be expanded to full RGB when it is written to PNG.
+ Updated CMakeLists.txt, added supporting scripts/gen*
+ and (Roger Leigh).
+ Relaxed limit checks on gamma values in pngrtran.c. As suggested in
+ the comments gamma values outside the range currently permitted
+ by png_set_alpha_mode are useful for HDR data encoding. These values
+ are already permitted by png_set_gamma so it is reasonable caution to
+ extend the png_set_alpha_mode range as HDR imaging systems are starting
+ to emerge.
+Version 1.6.22beta03 [March 9, 2016]
+ Added a common-law trademark notice and export control information
+ to the LICENSE file, png.h, and the man page.
+ Restored "& 0xff" in png_save_uint_16() and png_save_uint_32() that
+ were accidentally removed from libpng-1.6.17.
+ Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h
+ (Robert C. Seacord).
+ Removed dubious "#if INT_MAX" test from png.h that was added to
+ libpng-1.6.19beta02 (John Bowler).
+ Add ${INCLUDES} in scripts/ (Bug report by Nixon Kwok).
+ Updated LICENSE to say files in the contrib directory are not
+ necessarily under the libpng license, and that some makefiles have
+ other copyright owners.
+ Added INTEL-SSE2 support (Mike Klein and Matt Sarett, Google, Inc.).
+ Made contrib/libtests/timepng more robust. The code no longer gives
+ up/fails on invalid PNG data, it just skips it (with error messages).
+ The code no longer fails on PNG files with data beyond IEND. Options
+ exist to use png_read_png (reading the whole image, not by row) and, in
+ that case, to apply any of the supported transforms. This makes for
+ more realistic testing; the decoded data actually gets used in a
+ meaningful fashion (John Bowler).
+ Fixed some misleading indentation (Krishnaraj Bhat).
+Version 1.6.22beta04 [April 5, 2016]
+ Force GCC compilation to C89 if needed (Dagobert Michelsen).
+ SSE filter speed improvements for bpp=3:
+ memcpy-free implementations of load3() / store3().
+ call load3() only when needed at the end of a scanline.
+Version 1.6.22beta05 [April 27, 2016]
+ Added PNG_FAST_FILTERS macro (defined as
+ Various fixes for contrib/libtests/timepng.c
+ Moved INTEL-SSE code from pngpriv.h into contrib/intel/intel_sse.patch.
+ Fixed typo (missing underscore) in #define PNG_READ_16_TO_8_SUPPORTED
+ (Bug report by Y.Ohashik).
+Version 1.6.22beta06 [May 5, 2016]
+ Rebased contrib/intel_sse.patch.
+ Quieted two Coverity issues in contrib/libtests/timepng.c.
+ Fixed issues with scripts/ (David Capello, Nixon Kwok):
+ Added support to use multiple directories in ZLIBINCDIR variable,
+ Fixed CMAKE_C_FLAGS with multiple values when genout is compiled on MSVC,
+ Fixed pnglibconf.c compilation on OS X including the sysroot path.
+Version 1.6.22rc01 [May 14, 2016]
+ No changes.
+Version 1.6.22rc02 [May 16, 2016]
+ Removed contrib/timepng from default build; it does not build on platforms
+ that don't supply clock_gettime().
+Version 1.6.22rc03 [May 17, 2016]
+ Restored contrib/timepng to default build but check for the presence
+ of clock_gettime() in and
+Version 1.6.22 [May 26, 2016]
+ No changes.
+Version 1.6.23beta01 [May 29, 2016]
+ Stop a potential memory leak in png_set_tRNS() (Bug report by Ted Ying).
+ Fixed the progressive reader to handle empty first IDAT chunk properly
+ (patch by Timothy Nikkel). This bug was introduced in libpng-1.6.0 and
+ only affected the libpng16 branch.
+ Added tests in pngvalid.c to check zero-length IDAT chunks in various
+ positions. Fixed the sequential reader to handle these more robustly
+ (John Bowler).
+Version 1.6.23rc01 [June 2, 2016]
+ Corrected progressive read input buffer in pngvalid.c. The previous version
+ the code invariably passed just one byte at a time to libpng. The intent
+ was to pass a random number of bytes in the range 0..511.
+ Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch.
+ Added missing ")" in pngerror.c (Matt Sarrett).
+Version 1.6.23rc02 [June 4, 2016]
+ Fixed undefined behavior in png_push_save_buffer(). Do not call
+ memcpy() with a null source, even if count is zero (Leon Scroggins III).
+Version 1.6.23 [June 9, 2016]
+ Fixed bad link to RFC2083 in png.5 (Nikola Forro).
+Version 1.6.24beta01 [June 11, 2016]
+ Avoid potential overflow of the PNG_IMAGE_SIZE macro. This macro
+ is not used within libpng, but is used in some of the examples.
+Version 1.6.24beta02 [June 23, 2016]
+ Correct filter heuristic overflow handling. This was broken when the
+ write filter code was moved out-of-line; if there is a single filter and
+ the heuristic sum overflows the calculation of the filtered line is not
+ completed. In versions prior to 1.6 the code was duplicated in-line
+ and the check not performed, so the filter operation completed; however,
+ in the multi-filter case where the sum is performed the 'none' filter would
+ be selected if all the sums overflowed, even if it wasn't in the filter
+ list. The fix to the first problem is simply to provide PNG_SIZE_MAX as
+ the current lmins sum value; this means the sum can never exceed it and
+ overflows silently. A reasonable compiler that does choose to inline
+ the code will simply eliminate the sum check.
+ The fix to the second problem is to use high precision arithmetic (this is
+ implemented in 1.7), however a simple safe fix here is to chose the lowest
+ numbered filter in the list from png_set_filter (this only works if the
+ first problem is also fixed) (John Bowler).
+ Use a more efficient absolute value calculation on SSE2 (Matthieu Darbois).
+ Fixed the case where PNG_IMAGE_BUFFER_SIZE can overflow in the application
+ as a result of the application using an increased 'row_stride'; previously
+ png_image_finish_read only checked for overflow on the base calculation of
+ components. (I.e. it checked for overflow of a 32-bit number on the total
+ number of pixel components in the output format, not the possibly padded row
+ length and not the number of bytes, which for linear formats is twice the
+ number of components.)
+ MSVC does not like '-(unsigned)', so replaced it with 0U-(unsigned)
+ MSVC does not like (uInt) = -(unsigned) (i.e. as an initializer), unless
+ the conversion is explicitly invoked by a cast.
+ Put the SKIP definition in the correct place. It needs to come after the
+ png.h include (see all the other .c files in contrib/libtests) because it
+ depends on PNG_LIBPNG_VER.
+ Removed the three compile warning options from the individual project
+ files into the zlib.props globals. It increases the warning level from 4
+ to All and adds a list of the warnings that need to be turned off. This is
+ semi-documentary; the intent is to tell libpng users which warnings have
+ been examined and judged non-fixable at present. The warning about
+ structure padding is fixable, but it would be a signficant change (moving
+ structure members around).
+Version 1.6.24beta03 [July 4, 2016]
+ Optimized absolute value calculation in filter selection, similar to
+ code in the PAETH decoder in pngrutil.c. Build with PNG_USE_ABS to
+ use this.
+ Added pngcp to the build together with a pngcp.dfa configuration test.
+ Added high resolution timing to pngcp.
+ Added "Common linking failures" section to INSTALL.
+ Relocated misplaced #endif in png.c sRGB profile checking.
+ Fixed two Coverity issues in pngcp.c.
+Version 1.6.24beta04 [July 8, 2016]
+ Avoid filter-selection heuristic sum calculations in cases where only one
+ filter is a candidate for selection. This trades off code size (added
+ private png_setup_*_row_only() functions) for speed.
+Version 1.6.24beta05 [July 13, 2016]
+ Fixed some indentation to comply with our coding style.
+ Added contrib/tools/reindent.
+Version 1.6.24beta06 [July 18, 2016]
+ Fixed more indentation to comply with our coding style.
+ Eliminated unnecessary tests of boolean png_isaligned() vs 0.
+Version 1.6.24rc01 [July 25, 2016]
+ No changes.
+Version 1.6.24rc02 [August 1, 2016]
+ Conditionally compile SSE2 headers in contrib/intel/intel_sse.patch
+ Conditionally compile png_decompress_chunk().
+Version 1.6.24rc03 [August 2, 2016]
+ Conditionally compile ARM_NEON headers in pngpriv.h
+ Updated contrib/intel/intel_sse.patch
+Version 1.6.24[August 4, 2016]
+ No changes.
+Version 1.6.25beta01 [August 12, 2016]
+ Reject oversized iCCP profile immediately.
+ Cleaned up PNG_DEBUG compile of pngtest.c.
+ Conditionally compile png_inflate().
+Version 1.6.25beta02 [August 18, 2016]
+ Don't install pngcp; it conflicts with pngcp in the pngtools package.
+ Minor editing of INSTALL, (whitespace, added copyright line)
+Version 1.6.25rc01 [August 24, 2016]
+ No changes.
+Version 1.6.25rc02 [August 29, 2016]
+ Added MIPS support (Mandar Sahastrabuddhe <>).
+ Only the UP filter is currently implemented.
+Version 1.6.25rc03 [August 29, 2016]
+ Rebased contrib/intel/intel_sse.patch after the MIPS implementation.
+Version 1.6.25rc04 [August 30, 2016]
+ Added MIPS support for SUB, AVG, and PAETH filters (Mandar Sahastrabuddhe).
+Version 1.6.25rc05 [August 30, 2016]
+ Rebased contrib/intel/intel_sse.patch after the MIPS implementation update..
+Version 1.6.25 [September 1, 2016]
+ No changes.
+Version 1.6.26beta01 [September 26, 2016]
+ Fixed handling zero length IDAT in pngfix (bug report by Agostino Sarubbo,
+ bugfix by John Bowler).
+ Do not issue a png_error() on read in png_set_pCAL() because png_handle_pCAL
+ has allocated memory that libpng needs to free.
+ Conditionally compile png_set_benign_errors() in pngread.c and pngtest.c
+ Issue a png_benign_error instead of a png_error on ADLER32 mismatch
+ while decoding compressed data chunks.
+ Changed PNG_ZLIB_VERNUM to ZLIB_VERNUM in pngpriv.h, pngstruct.h, and
+ pngrutil.c.
+ If CRC handling of critical chunks has been set to PNG_CRC_QUIET_USE,
+ ignore the ADLER32 checksum in the IDAT chunk as well as the chunk CRCs.
+ Issue png_benign_error() on ADLER32 checksum mismatch instead of png_error().
+ Add tests/badcrc.png and tests/badadler.png to tests/pngtest.
+ Merged pngtest.c with libpng-1.7.0beta84/pngtest.c
+Version 1.6.26beta02 [October 1, 2016]
+ Updated the documentation about CRC and ADLER32 handling.
+ Quieted 117 warnings from clang-3.8 in pngtrans.c, pngread.c,
+ pngwrite.c, pngunknown.c, and pngvalid.c.
+ Quieted 58 (out of 144) -Wconversion compiler warnings by changing
+ flag definitions in pngpriv.h from 0xnnnn to 0xnnnnU and trivial changes
+ in png.c, pngread.c, and pngwutil.c.
+Version 1.6.26beta03 [October 2, 2016]
+ Removed contrib/libtests/*.orig and *.rej that slipped into the tarballs.
+ Quieted the 86 remaining -Wconversion compiler warnings by
+ revising the png_isaligned() macro and trivial changes in png.c,
+ pngerror.c, pngget.c, pngmem.c, pngset.c, pngrtran.c, pngrutil.c,
+ pngwtran.c, pngwrite.c, and pngwutil.c.
+Version 1.6.26beta04 [October 3, 2016]
+ Quieted (bogus?) clang warnings about "absolute value has no effect"
+ when PNG_USE_ABS is defined.
+ Fixed offsets in contrib/intel/intel_sse.patch
+Version 1.6.26beta05 [October 6, 2016]
+ Changed integer constant 4294967294 to unsigned 4294967294U in pngconf.h
+ to avoid a signed/unsigned compare in the preprocessor.
+Version 1.6.26beta06 [October 7, 2016]
+ Use zlib- inflateValidate() instead of inflateReset2() to
+ optionally avoid ADLER32 evaluation.
+Version 1.6.26rc01 [October 12, 2016]
+ No changes.
+Version 1.6.26 [October 20, 2016]
+ Cosmetic change, "ptr != 0" to "ptr != NULL" in png.c and pngrutil.c
+ Despammed email addresses (replaced "@" with " at ").
+Version 1.6.27beta01 [November 2, 2016]
+ Restrict the new ADLER32-skipping to IDAT chunks. It broke iCCP chunk
+ handling: an erroneous iCCP chunk would throw a png_error and reject the
+ entire PNG image instead of rejecting just the iCCP chunk with a warning,
+ if built with zlib-
+Version 1.6.27rc01 [December 27, 2016]
+ Control ADLER32 checking with new PNG_IGNORE_ADLER32 option.
+ Removed the use of a macro containing the pre-processor 'defined'
+ operator. It is unclear whether this is valid; a macro that
+ "generates" 'defined' is not permitted, but the use of the word
+ "generates" within the C90 standard seems to imply more than simple
+ substitution of an expression itself containing a well-formed defined
+ operation.
+ Added ARM support to CMakeLists.txt (Andreas Franek).
+Version 1.6.27 [December 29, 2016]
+ Fixed a potential null pointer dereference in png_set_text_2() (bug report
+ and patch by Patrick Keshishian, CVE-2016-10087).
+Version 1.6.28rc01 [January 3, 2017]
+ Fixed arm/aarch64 detection in CMakeLists.txt (Gianfranco Costamagna).
+ Added option to Cmake build allowing a custom location of zlib to be
+ specified in a scenario where libpng is being built as a subproject
+ alongside zlib by another project (Sam Serrels).
+ Changed png_ptr->options from a png_byte to png_uint_32, to accomodate
+ up to 16 options.
+Version 1.6.28rc02 [January 4, 2017]
+ Added "include(GNUInstallDirs)" to CMakeLists.txt (Gianfranco Costamagna).
+ Moved SSE2 optimization code into the main libpng source directory.
+ Configure libpng with "configure --enable-intel-sse" or compile
+ libpng with "-DPNG_INTEL_SSE" in CPPFLAGS to enable it.
+Version 1.6.28rc03 [January 4, 2017]
+ Backed out the SSE optimization and last CMakeLists.txt to allow time for QA.
+Version 1.6.28 [January 5, 2017]
+ No changes.
Send comments/corrections/commendations to png-mng-implement at
(subscription required; visit