Merge remote-tracking branch 'origin/5.6' into 5.7

Conflicts:
	src/widgets/styles/qgtkstyle_p.cpp
	tests/auto/corelib/io/qtextstream/test/test.pro
	tests/auto/corelib/plugin/plugin.pro

Change-Id: I512bc1b36acf3933ed2b96c00f476ee3819c1f4b

18 files changed, 146 insertions, 134 deletions

diff --git a/src/3rdparty/libpng/ANNOUNCE b/src/3rdparty/libpng/ANNOUNCE
index 9f1b665834..4dae783b55 100644
--- a/src/3rdparty/libpng/ANNOUNCE
+++ b/src/3rdparty/libpng/ANNOUNCE
@@ -1,4 +1,4 @@
-Libpng 1.6.19 - November 12, 2015
+Libpng 1.6.20 - December 3, 2015
 
 This is a public release of libpng, intended for use in production codes.
 
@@ -7,104 +7,41 @@ Files available for download:
 Source files with LF line endings (for Unix/Linux) and with a
 "configure" script
 
-   libpng-1.6.19.tar.xz (LZMA-compressed, recommended)
-   libpng-1.6.19.tar.gz
+   libpng-1.6.20.tar.xz (LZMA-compressed, recommended)
+   libpng-1.6.20.tar.gz
 
 Source files with CRLF line endings (for Windows), without the
 "configure" script
 
-   lpng1619.7z  (LZMA-compressed, recommended)
-   lpng1619.zip
+   /scratch/glennrp/Libpng16/lpng1620.7z  (LZMA-compressed, recommended)
+   /scratch/glennrp/Libpng16/lpng1620.zip
 
 Other information:
 
-   libpng-1.6.19-README.txt
-   libpng-1.6.19-LICENSE.txt
-   libpng-1.6.19-*.asc (armored detached GPG signatures)
-
-Changes since the last public release (1.6.18):
-
-  Updated obsolete information about the simplified API macros in the
-    manual pages (Bug report by Arc Riley).
-  Avoid potentially dereferencing NULL info_ptr in png_info_init_3().
-  Rearranged png.h to put the major sections in the same order as
-    in libpng17.
-  Eliminated unused PNG_COST_SHIFT, PNG_WEIGHT_SHIFT, PNG_COST_FACTOR, and
-    PNG_WEIGHT_FACTOR macros.
-  Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler
-    (Bug report by Viktor Szakats).  Several warnings remain and are
-    unavoidable, where we test for overflow.
-  Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
-  Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
-  Moved config.h.in~ from the "libpng_autotools_files" list to the
-    "libpng_autotools_extra" list in autogen.sh because it was causing a
-    false positive for missing files (bug report by Robert C. Seacord).
-  Removed unreachable "break" statements in png.c, pngread.c, and pngrtran.c
-    to suppress clang warnings (Bug report by Viktor Szakats).
-  Fixed some bad links in the man page.
-  Changed "n bit" to "n-bit" in comments.
-  Added signed/unsigned 16-bit safety net. This removes the dubious
-    0x8000 flag definitions on 16-bit systems. They aren't supported
-    yet the defs *probably* work, however it seems much safer to do this
-    and be advised if anyone, contrary to advice, is building libpng 1.6
-    on a 16-bit system. It also adds back various switch default clauses
-    for GCC; GCC errors out if they are not present (with an appropriately
-    high level of warnings).
-  Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
-    Seacord).
-  Fixed the recently reported 1's complement security issue by replacing
-    the value that is illegal in the PNG spec, in both signed and unsigned
-    values, with 0. Illegal unsigned values (anything greater than or equal
-    to  0x80000000) can still pass through, but since these are not illegal
-    in ANSI-C (unlike 0x80000000 in the signed case) the checking that
-    occurs later can catch them (John Bowler).
-  Fixed png_save_int_32 when int is not 2's complement (John Bowler).
-  Updated libpng16 with all the recent test changes from libpng17,
-    including changes to pngvalid.c to ensure that the original,
-    distributed, version of contrib/visupng/cexcept.h can be used
-    (John Bowler).
-  pngvalid contains the correction to the use of SAVE/STORE_
-    UNKNOWN_CHUNKS; a bug revealed by changes in libpng 1.7. More
-    tests contain the --strict option to detect warnings and the
-    pngvalid-standard test has been corrected so that it does not
-    turn on progressive-read. There is a separate test which does
-    that. (John Bowler)
-  Also made some signed/unsigned fixes.
-  Make pngstest error limits version specific. Splitting the machine
-    generated error structs out to a file allows the values to be updated
-    without changing pngstest.c itself. Since libpng 1.6 and 1.7 have
-    slightly different error limits this simplifies maintenance. The
-    makepngs.sh script has also been updated to more accurately reflect
-    current problems in libpng 1.7 (John Bowler).
-  Incorporated new test PNG files into make check.  tests/pngstest-*
-    are changed so that the new test files are divided into 8 groups by
-    gamma and alpha channel.  These tests have considerably better code
-    and pixel-value coverage than contrib/pngsuite; however,coverage is
-    still incomplete (John Bowler).
-  Removed the '--strict' in 1.6 because of the double-gamma-correction
-    warning, updated pngstest-errors.h for the errors detected with the
-    new contrib/testspngs PNG test files (John Bowler).
-  Worked around rgb-to-gray issues in libpng 1.6.  The previous
-    attempts to ignore the errors in the code aren't quite enough to
-    deal with the 'channel selection' encoding added to libpng 1.7; abort.
-  Fixed 'pow' macros in pngvalid.c. It is legal for 'pow' to be a
-    macro, therefore the argument list cannot contain preprocessing
-    directives.  Make sure pow is a function where this happens. This is
-    a minimal safe fix, the issue only arises in non-performance-critical
-    code (bug report by Curtis Leach, fix by John Bowler).
-  Added sPLT support to pngtest.c
-  Prevent setting or writing over-length PLTE chunk (Cosmin Truta).
-  Silently truncate over-length PLTE chunk while reading.
-  Libpng incorrectly calculated the output rowbytes when the application
-    decreased either the number of channels or the bit depth (or both) in
-    a user transform.  This was safe; libpng overallocated buffer space
-   (potentially by quite a lot; up to 4 times the amount required) but,
-   from 1.5.4 on, resulted in a png_error (John Bowler).
-  Fixed some inconsequential cut-and-paste typos in png_set_cHRM_XYZ_fixed().
-  Clarified COPYRIGHT information to state explicitly that versions
-    are derived from previous versions.
-  Removed much of the long list of previous versions from png.h and
-    libpng.3.
+   libpng-1.6.20-README.txt
+   libpng-1.6.20-LICENSE.txt
+   libpng-1.6.20-*.asc (armored detached GPG signatures)
+
+Changes since the last public release (1.6.19):
+  Avoid potential pointer overflow/underflow in png_handle_sPLT() and
+    png_handle_pCAL() (Bug report by John Regehr).
+  Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
+    not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
+    vulnerability.
+  Backported tests from libpng-1.7.0beta69.
+  Fixed an error in handling of bad zlib CMINFO field in pngfix, found by
+    American Fuzzy Lop, reported by Brian Carpenter.  inflate() doesn't
+    immediately fault a bad CMINFO field; instead a 'too far back' error
+    happens later (at least some times).  pngfix failed to limit CMINFO to
+    the allowed values but then assumed that window_bits was in range,
+    triggering an assert. The bug is mostly harmless; the PNG file cannot
+    be fixed.
+  In libpng 1.6 zlib initialization was changed to use the window size
+    in the zlib stream, not a fixed value. This causes some invalid images,
+    where CINFO is too large, to display 'correctly' if the rest of the
+    data is valid.  This provides a workaround for zlib versions where the
+    error arises (ones that support the API change to use the window size
+    in the stream).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/src/3rdparty/libpng/CHANGES b/src/3rdparty/libpng/CHANGES
index 2e4d2bb292..28094fd26c 100644
--- a/src/3rdparty/libpng/CHANGES
+++ b/src/3rdparty/libpng/CHANGES
@@ -5409,11 +5409,43 @@ Version 1.6.19rc03 [November 3, 2015]
 
 Version 1.6.19rc04 [November 5, 2015]
   Fixed new bug with CRC error after reading an over-length palette
-    (bug report by Cosmin Truta).
+    (bug report by Cosmin Truta) (CVE-2015-8126).
 
 Version 1.6.19 [November 12, 2015]
   Cleaned up coding style in png_handle_PLTE().
 
+Version 1.6.20beta01 [November 20, 2015]
+  Avoid potential pointer overflow/underflow in png_handle_sPLT() and
+    png_handle_pCAL() (Bug report by John Regehr).
+
+Version 1.6.20beta02 [November 23, 2015]
+  Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
+    not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
+    vulnerability.
+
+Version 1.6.20beta03 [November 24, 2015]
+  Backported tests from libpng-1.7.0beta69.
+
+Version 1.6.20rc01 [November 26, 2015]
+  Fixed an error in handling of bad zlib CMINFO field in pngfix, found by
+    American Fuzzy Lop, reported by Brian Carpenter.  inflate() doesn't
+    immediately fault a bad CMINFO field; instead a 'too far back' error
+    happens later (at least some times).  pngfix failed to limit CMINFO to
+    the allowed values but then assumed that window_bits was in range,
+    triggering an assert. The bug is mostly harmless; the PNG file cannot
+    be fixed.
+
+Version 1.6.20rc02 [November 29, 2015]
+  In libpng 1.6 zlib initialization was changed to use the window size
+    in the zlib stream, not a fixed value. This causes some invalid images,
+    where CINFO is too large, to display 'correctly' if the rest of the
+    data is valid.  This provides a workaround for zlib versions where the
+    error arises (ones that support the API change to use the window size
+    in the stream).
+
+Version 1.6.20 [December 3, 2015]
+  No changes.
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/src/3rdparty/libpng/LICENSE b/src/3rdparty/libpng/LICENSE
index 11f6ffe5db..82dbe117f6 100644
--- a/src/3rdparty/libpng/LICENSE
+++ b/src/3rdparty/libpng/LICENSE
@@ -10,7 +10,7 @@ this sentence.
 
 This code is released under the libpng license.
 
-libpng versions 1.0.7, July 1, 2000, through 1.6.19, November 12, 2015, are
+libpng versions 1.0.7, July 1, 2000, through 1.6.20, December 3, 2015, are
 Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, are
 derived from libpng-1.0.6, and are distributed according to the same
 disclaimer and license as libpng-1.0.6 with the following individuals
@@ -109,4 +109,4 @@ the additional disclaimers inserted at version 1.0.7.
 
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-November 12, 2015
+December 3, 2015
diff --git a/src/3rdparty/libpng/README b/src/3rdparty/libpng/README
index 17484e0fd7..59f1f918ae 100644
--- a/src/3rdparty/libpng/README
+++ b/src/3rdparty/libpng/README
@@ -1,4 +1,4 @@
-README for libpng version 1.6.19 - November 12, 2015 (shared library 16.0)
+README for libpng version 1.6.20 - December 3, 2015 (shared library 16.0)
 See the note about version numbers near the top of png.h
 
 See INSTALL for instructions on how to install libpng.
diff --git a/src/3rdparty/libpng/libpng-manual.txt b/src/3rdparty/libpng/libpng-manual.txt
index bc7a441cf2..87eeb2b583 100644
--- a/src/3rdparty/libpng/libpng-manual.txt
+++ b/src/3rdparty/libpng/libpng-manual.txt
@@ -1,6 +1,6 @@
 libpng-manual.txt - A description on how to use and modify libpng
 
- libpng version 1.6.19 - November 12, 2015
+ libpng version 1.6.20 - December 3, 2015
  Updated and distributed by Glenn Randers-Pehrson
  <glennrp at users.sourceforge.net>
  Copyright (c) 1998-2015 Glenn Randers-Pehrson
@@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng
 
  Based on:
 
- libpng versions 0.97, January 1998, through 1.6.19 - November 12, 2015
+ libpng versions 0.97, January 1998, through 1.6.20 - December 3, 2015
  Updated and distributed by Glenn Randers-Pehrson
  Copyright (c) 1998-2015 Glenn Randers-Pehrson
 
@@ -2960,6 +2960,7 @@ width, height, bit_depth, and color_type must be the same in each call.
                      (array of png_color)
     num_palette    - number of entries in the palette
 
+
     png_set_gAMA(png_ptr, info_ptr, file_gamma);
     png_set_gAMA_fixed(png_ptr, info_ptr, int_file_gamma);
 
@@ -4897,7 +4898,7 @@ a set of "safe" limits is applied in pngpriv.h.  These can be overridden by
 application calls to png_set_user_limits(), png_set_user_chunk_cache_max(),
 and/or png_set_user_malloc_max() that increase or decrease the limits.  Also,
 in libpng-1.5.10 the default width and height limits were increased
-from 1,000,000 to 0x7ffffff (i.e., made unlimited).  Therefore, the
+from 1,000,000 to 0x7fffffff (i.e., made unlimited).  Therefore, the
 limits are now
                                default      safe
    png_user_width_max        0x7fffffff    1,000,000
@@ -5323,7 +5324,7 @@ Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
 
 This is your unofficial assurance that libpng from version 0.71 and
-upward through 1.6.19 are Y2K compliant.  It is my belief that earlier
+upward through 1.6.20 are Y2K compliant.  It is my belief that earlier
 versions were also Y2K compliant.
 
 Libpng only has two year fields.  One is a 2-byte unsigned integer
diff --git a/src/3rdparty/libpng/png.c b/src/3rdparty/libpng/png.c
index 6fcfad72ec..c183e3f8fa 100644
--- a/src/3rdparty/libpng/png.c
+++ b/src/3rdparty/libpng/png.c
@@ -14,7 +14,7 @@
 #include "pngpriv.h"
 
 /* Generate a compiler error if there is an old png.h in the search path. */
-typedef png_libpng_version_1_6_19 Your_png_h_is_not_version_1_6_19;
+typedef png_libpng_version_1_6_20 Your_png_h_is_not_version_1_6_20;
 
 /* Tells libpng that we have already handled the first "num_bytes" bytes
  * of the PNG file signature.  If the PNG data is embedded into another
@@ -775,13 +775,13 @@ png_get_copyright(png_const_structrp png_ptr)
 #else
 #  ifdef __STDC__
    return PNG_STRING_NEWLINE \
-      "libpng version 1.6.19 - November 12, 2015" PNG_STRING_NEWLINE \
+      "libpng version 1.6.20 - December 3, 2015" PNG_STRING_NEWLINE \
       "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
       "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
       "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
       PNG_STRING_NEWLINE;
 #  else
-   return "libpng version 1.6.19 - November 12, 2015\
+   return "libpng version 1.6.20 - December 3, 2015\
       Copyright (c) 1998-2015 Glenn Randers-Pehrson\
       Copyright (c) 1996-1997 Andreas Dilger\
       Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
@@ -2343,7 +2343,7 @@ png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
           * Fall through to "no match".
           */
          png_chunk_report(png_ptr,
-             "Not recognizing known sRGB profile that has been edited", 
+             "Not recognizing known sRGB profile that has been edited",
              PNG_CHUNK_WARNING);
          break;
 # endif
diff --git a/src/3rdparty/libpng/png.h b/src/3rdparty/libpng/png.h
index c83051b1ca..4d03dfc136 100644
--- a/src/3rdparty/libpng/png.h
+++ b/src/3rdparty/libpng/png.h
@@ -1,7 +1,7 @@
 
 /* png.h - header file for PNG reference library
  *
- * libpng version 1.6.19, November 12, 2015
+ * libpng version 1.6.20, December 3, 2015
  *
  * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
@@ -12,7 +12,8 @@
  * Authors and maintainers:
  *   libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
  *   libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger
- *   libpng versions 0.97, January 1998, through 1.6.19, November 12, 2015: Glenn
+ *   libpng versions 0.97, January 1998, through 1.6.20, December 3, 2015:
+ *     Glenn Randers-Pehrson.
  *   See also "Contributing Authors", below.
  */
 
@@ -24,7 +25,7 @@
  *
  * This code is released under the libpng license.
  *
- * libpng versions 1.0.7, July 1, 2000, through 1.6.19, November 12, 2015, are
+ * libpng versions 1.0.7, July 1, 2000, through 1.6.20, December 3, 2015, are
  * Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, are
  * derived from libpng-1.0.6, and are distributed according to the same
  * disclaimer and license as libpng-1.0.6 with the following individuals
@@ -185,7 +186,7 @@
  *    ...
  *    1.5.23                  15    10523  15.so.15.23[.0]
  *    ...
- *    1.6.19                  16    10619  16.so.16.19[.0]
+ *    1.6.20                  16    10620  16.so.16.20[.0]
  *
  *    Henceforth the source version will match the shared-library major
  *    and minor numbers; the shared-library major version number will be
@@ -213,13 +214,13 @@
  * Y2K compliance in libpng:
  * =========================
  *
- *    November 12, 2015
+ *    December 3, 2015
  *
  *    Since the PNG Development group is an ad-hoc body, we can't make
  *    an official declaration.
  *
  *    This is your unofficial assurance that libpng from version 0.71 and
- *    upward through 1.6.19 are Y2K compliant.  It is my belief that
+ *    upward through 1.6.20 are Y2K compliant.  It is my belief that
  *    earlier versions were also Y2K compliant.
  *
  *    Libpng only has two year fields.  One is a 2-byte unsigned integer
@@ -281,9 +282,9 @@
  */
 
 /* Version information for png.h - this should match the version in png.c */
-#define PNG_LIBPNG_VER_STRING "1.6.19"
+#define PNG_LIBPNG_VER_STRING "1.6.20"
 #define PNG_HEADER_VERSION_STRING \
-     " libpng version 1.6.19 - November 12, 2015\n"
+     " libpng version 1.6.20 - December 3, 2015\n"
 
 #define PNG_LIBPNG_VER_SONUM   16
 #define PNG_LIBPNG_VER_DLLNUM  16
@@ -291,7 +292,7 @@
 /* These should match the first 3 components of PNG_LIBPNG_VER_STRING: */
 #define PNG_LIBPNG_VER_MAJOR   1
 #define PNG_LIBPNG_VER_MINOR   6
-#define PNG_LIBPNG_VER_RELEASE 19
+#define PNG_LIBPNG_VER_RELEASE 20
 
 /* This should match the numeric part of the final component of
  * PNG_LIBPNG_VER_STRING, omitting any leading zero:
@@ -322,7 +323,7 @@
  * version 1.0.0 was mis-numbered 100 instead of 10000).  From
  * version 1.0.1 it's    xxyyzz, where x=major, y=minor, z=release
  */
-#define PNG_LIBPNG_VER 10619 /* 1.6.19 */
+#define PNG_LIBPNG_VER 10620 /* 1.6.20 */
 
 /* Library configuration: these options cannot be changed after
  * the library has been built.
@@ -432,7 +433,7 @@ extern "C" {
 /* This triggers a compiler error in png.c, if png.c and png.h
  * do not agree upon the version number.
  */
-typedef char* png_libpng_version_1_6_19;
+typedef char* png_libpng_version_1_6_20;
 
 /* Basic control structions.  Read libpng-manual.txt or libpng.3 for more info.
  *
diff --git a/src/3rdparty/libpng/pngconf.h b/src/3rdparty/libpng/pngconf.h
index f1b795b478..92f250000c 100644
--- a/src/3rdparty/libpng/pngconf.h
+++ b/src/3rdparty/libpng/pngconf.h
@@ -1,7 +1,7 @@
 
 /* pngconf.h - machine configurable file for libpng
  *
- * libpng version 1.6.19, July 23, 2015
+ * libpng version 1.6.20, December 3, 2015
  *
  * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
diff --git a/src/3rdparty/libpng/pngerror.c b/src/3rdparty/libpng/pngerror.c
index 0781866a89..bdb959ee51 100644
--- a/src/3rdparty/libpng/pngerror.c
+++ b/src/3rdparty/libpng/pngerror.c
@@ -768,7 +768,7 @@ png_longjmp,(png_const_structrp png_ptr, int val),PNG_NORETURN)
 
    /* If control reaches this point, png_longjmp() must not return. The only
     * choice is to terminate the whole process (or maybe the thread); to do
-    * this the ANSI-C abort() function is used unless a different method is 
+    * this the ANSI-C abort() function is used unless a different method is
     * implemented by overriding the default configuration setting for
     * PNG_ABORT().
     */
diff --git a/src/3rdparty/libpng/pnginfo.h b/src/3rdparty/libpng/pnginfo.h
index c8c874dd1e..4bd264b869 100644
--- a/src/3rdparty/libpng/pnginfo.h
+++ b/src/3rdparty/libpng/pnginfo.h
@@ -223,7 +223,7 @@ defined(PNG_READ_BACKGROUND_SUPPORTED)
    /* Storage for unknown chunks that the library doesn't recognize. */
    png_unknown_chunkp unknown_chunks;
 
-   /* The type of this field is limited by the type of 
+   /* The type of this field is limited by the type of
     * png_struct::user_chunk_cache_max, else overflow can occur.
     */
    int                unknown_chunks_num;
diff --git a/src/3rdparty/libpng/pnglibconf.h b/src/3rdparty/libpng/pnglibconf.h
index 8b6da9eb2c..0dba5055f7 100644
--- a/src/3rdparty/libpng/pnglibconf.h
+++ b/src/3rdparty/libpng/pnglibconf.h
@@ -1,6 +1,6 @@
 /* pnglibconf.h - library build configuration */
 
-/* libpng version 1.6.19, July 23, 2015 */
+/* libpng version 1.6.20 - December 3, 2015 */
 
 /* Copyright (c) 1998-2014 Glenn Randers-Pehrson */
 
diff --git a/src/3rdparty/libpng/pngpread.c b/src/3rdparty/libpng/pngpread.c
index 9f68f99023..89ffc4018f 100644
--- a/src/3rdparty/libpng/pngpread.c
+++ b/src/3rdparty/libpng/pngpread.c
@@ -133,7 +133,7 @@ png_process_some_data(png_structrp png_ptr, png_inforp info_ptr)
 void /* PRIVATE */
 png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr)
 {
-   png_size_t num_checked = png_ptr->sig_bytes, /* SAFE, does not exceed 8 */ 
+   png_size_t num_checked = png_ptr->sig_bytes, /* SAFE, does not exceed 8 */
        num_to_check = 8 - num_checked;
 
    if (png_ptr->buffer_size < num_to_check)
@@ -662,7 +662,7 @@ png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer,
        * change the current behavior (see comments in inflate.c
        * for why this doesn't happen at present with zlib 1.2.5).
        */
-      ret = inflate(&png_ptr->zstream, Z_SYNC_FLUSH);
+      ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH);
 
       /* Check for any failure before proceeding. */
       if (ret != Z_OK && ret != Z_STREAM_END)
diff --git a/src/3rdparty/libpng/pngpriv.h b/src/3rdparty/libpng/pngpriv.h
index f7a45477a4..c06deee68d 100644
--- a/src/3rdparty/libpng/pngpriv.h
+++ b/src/3rdparty/libpng/pngpriv.h
@@ -1229,6 +1229,14 @@ PNG_INTERNAL_FUNCTION(void,png_read_finish_row,(png_structrp png_ptr),
 /* Initialize the row buffers, etc. */
 PNG_INTERNAL_FUNCTION(void,png_read_start_row,(png_structrp png_ptr),PNG_EMPTY);
 
+#if PNG_ZLIB_VERNUM >= 0x1240
+PNG_INTERNAL_FUNCTION(int,png_zlib_inflate,(png_structrp png_ptr, int flush),
+      PNG_EMPTY);
+#  define PNG_INFLATE(pp, flush) png_zlib_inflate(pp, flush)
+#else /* Zlib < 1.2.4 */
+#  define PNG_INFLATE(pp, flush) inflate(&(pp)->zstream, flush)
+#endif /* Zlib < 1.2.4 */
+
 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
 /* Optional call to update the users info structure */
 PNG_INTERNAL_FUNCTION(void,png_read_transform_info,(png_structrp png_ptr,
diff --git a/src/3rdparty/libpng/pngread.c b/src/3rdparty/libpng/pngread.c
index 48aae84881..9cb4d2e41d 100644
--- a/src/3rdparty/libpng/pngread.c
+++ b/src/3rdparty/libpng/pngread.c
@@ -2838,7 +2838,6 @@ png_image_read_colormap(png_voidp argument)
       default:
          png_error(png_ptr, "invalid PNG color type");
          /*NOT REACHED*/
-         break;
    }
 
    /* Now deal with the output processing */
diff --git a/src/3rdparty/libpng/pngrutil.c b/src/3rdparty/libpng/pngrutil.c
index ee584a8c40..6189251352 100644
--- a/src/3rdparty/libpng/pngrutil.c
+++ b/src/3rdparty/libpng/pngrutil.c
@@ -1,7 +1,7 @@
 
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.6.19 [November 12, 2015]
+ * Last changed in libpng 1.6.20 [December 3, 2015]
  * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -377,10 +377,16 @@ png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
 
       if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) ==
           PNG_OPTION_ON)
+      {
          window_bits = 15;
+         png_ptr->zstream_start = 0; /* fixed window size */
+      }
 
       else
+      {
          window_bits = 0;
+         png_ptr->zstream_start = 1;
+      }
 # else
 #   define window_bits 0
 # endif
@@ -429,6 +435,31 @@ png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
 #endif
 }
 
+#if PNG_ZLIB_VERNUM >= 0x1240
+/* Handle the start of the inflate stream if we called inflateInit2(strm,0);
+ * in this case some zlib versions skip validation of the CINFO field and, in
+ * certain circumstances, libpng may end up displaying an invalid image, in
+ * contrast to implementations that call zlib in the normal way (e.g. libpng
+ * 1.5).
+ */
+int /* PRIVATE */
+png_zlib_inflate(png_structrp png_ptr, int flush)
+{
+   if (png_ptr->zstream_start && png_ptr->zstream.avail_in > 0)
+   {
+      if ((*png_ptr->zstream.next_in >> 4) > 7)
+      {
+         png_ptr->zstream.msg = "invalid window size (libpng)";
+         return Z_DATA_ERROR;
+      }
+
+      png_ptr->zstream_start = 0;
+   }
+
+   return inflate(&png_ptr->zstream, flush);
+}
+#endif /* Zlib >= 1.2.4 */
+
 #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
 /* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
  * allow the caller to do multiple calls if required.  If the 'finish' flag is
@@ -522,7 +553,7 @@ png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
           * the previous chunk of input data.  Tell zlib if we have reached the
           * end of the output buffer.
           */
-         ret = inflate(&png_ptr->zstream, avail_out > 0 ? Z_NO_FLUSH :
+         ret = PNG_INFLATE(png_ptr, avail_out > 0 ? Z_NO_FLUSH :
              (finish ? Z_FINISH : Z_SYNC_FLUSH));
       } while (ret == Z_OK);
 
@@ -771,7 +802,7 @@ png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
           * the available output is produced; this allows reading of truncated
           * streams.
           */
-         ret = inflate(&png_ptr->zstream,
+         ret = PNG_INFLATE(png_ptr,
             *chunk_bytes > 0 ? Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
       }
       while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0));
@@ -1670,7 +1701,7 @@ png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
    ++entry_start;
 
    /* A sample depth should follow the separator, and we should be on it  */
-   if (entry_start > buffer + length - 2)
+   if (length < 2U || entry_start > buffer + (length - 2U))
    {
       png_warning(png_ptr, "malformed sPLT chunk");
       return;
@@ -2174,7 +2205,7 @@ png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
    /* We need to have at least 12 bytes after the purpose string
     * in order to get the parameter information.
     */
-   if (endptr <= buf + 12)
+   if (endptr - buf <= 12)
    {
       png_chunk_benign_error(png_ptr, "invalid");
       return;
@@ -4039,7 +4070,7 @@ png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
        *
        * TODO: deal more elegantly with truncated IDAT lists.
        */
-      ret = inflate(&png_ptr->zstream, Z_NO_FLUSH);
+      ret = PNG_INFLATE(png_ptr, Z_NO_FLUSH);
 
       /* Take the unconsumed output back. */
       if (output != NULL)
diff --git a/src/3rdparty/libpng/pngset.c b/src/3rdparty/libpng/pngset.c
index 05a2134dbb..8fd7965fca 100644
--- a/src/3rdparty/libpng/pngset.c
+++ b/src/3rdparty/libpng/pngset.c
@@ -520,8 +520,8 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
    if (png_ptr == NULL || info_ptr == NULL)
       return;
 
-   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
-      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+   max_palette_length = (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
 
    if (num_palette < 0 || num_palette > (int) max_palette_length)
    {
@@ -1573,7 +1573,7 @@ png_set_user_limits (png_structrp png_ptr, png_uint_32 user_width_max,
 {
    /* Images with dimensions larger than these limits will be
     * rejected by png_set_IHDR().  To accept any PNG datastream
-    * regardless of dimensions, set both limits to 0x7ffffff.
+    * regardless of dimensions, set both limits to 0x7fffffff.
     */
    if (png_ptr == NULL)
       return;
diff --git a/src/3rdparty/libpng/pngstruct.h b/src/3rdparty/libpng/pngstruct.h
index c8c0e46e8b..d0bcc7914a 100644
--- a/src/3rdparty/libpng/pngstruct.h
+++ b/src/3rdparty/libpng/pngstruct.h
@@ -263,6 +263,9 @@ struct png_struct_def
                               /* pixel depth used for the row buffers */
    png_byte transformed_pixel_depth;
                               /* pixel depth after read/write transforms */
+#if PNG_ZLIB_VERNUM >= 0x1240
+   png_byte zstream_start;    /* at start of an input zlib stream */
+#endif /* Zlib >= 1.2.4 */
 #if defined(PNG_READ_FILLER_SUPPORTED) || defined(PNG_WRITE_FILLER_SUPPORTED)
    png_uint_16 filler;           /* filler bytes for pixel expansion */
 #endif
diff --git a/src/3rdparty/libpng/pngwutil.c b/src/3rdparty/libpng/pngwutil.c
index adc4729c24..0ee102b5fb 100644
--- a/src/3rdparty/libpng/pngwutil.c
+++ b/src/3rdparty/libpng/pngwutil.c
@@ -2563,7 +2563,7 @@ png_write_find_filter(png_structrp png_ptr, png_row_infop row_info)
    if (filter_to_do == PNG_FILTER_SUB)
    /* It's the only filter so no testing is needed */
    {
-      (void) png_setup_sub_row(png_ptr, bpp, row_bytes, mins); 
+      (void) png_setup_sub_row(png_ptr, bpp, row_bytes, mins);
       best_row = png_ptr->try_row;
    }
 
@@ -2572,7 +2572,7 @@ png_write_find_filter(png_structrp png_ptr, png_row_infop row_info)
       png_size_t sum;
       png_size_t lmins = mins;
 
-      sum = png_setup_sub_row(png_ptr, bpp, row_bytes, lmins); 
+      sum = png_setup_sub_row(png_ptr, bpp, row_bytes, lmins);
 
       if (sum < mins)
       {
@@ -2598,7 +2598,7 @@ png_write_find_filter(png_structrp png_ptr, png_row_infop row_info)
       png_size_t sum;
       png_size_t lmins = mins;
 
-      sum = png_setup_up_row(png_ptr, row_bytes, lmins); 
+      sum = png_setup_up_row(png_ptr, row_bytes, lmins);
 
       if (sum < mins)
       {