[libpng17] Updated CHANGES and ANNOUNCE

2025-07-10 18:04:09 +02:00 · 2016-01-12 14:44:47 -06:00 · 2016-01-12 14:44:47 -06:00 · 6271b4fc78
commit 6271b4fc78
parent 3d024874a5
2 changed files with 27 additions and 3 deletions
--- a/16
+++ b/16
@ -1,5 +1,5 @@

-Libpng 1.7.0beta77 - January 11, 2016
+Libpng 1.7.0beta77 - January 12, 2016

 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@ -1172,7 +1172,7 @@ Version 1.7.0beta76 [January 7, 2016]
  Fixed new Coverity defect, potential NULL dereference of "ps" in pngwutil.c
  Added temporary workaround for Coverity "Dead code" defect.

-Version 1.7.0beta77 [January 11, 2016]
+Version 1.7.0beta77 [January 12, 2016]
  Fixed new Coverity defect, another NULL dereference of "ps" in pngwutil.c
  Prevent the CMINFO optimization code from running twice on any PNG IDAT
    stream longer than 2048 bytes; the second time could overwrite bytes
@ -1200,6 +1200,18 @@ Version 1.7.0beta77 [January 11, 2016]
    that the latter should only affect the write code. This includes a
    quiet API change to alter png_set_compression_buffer_size to use
    a png_alloc_size_t, not png_size_t and implement the correct checks.
+  Fixed recently introduced palette sharing bug.  The internal read
+    code change to stop sharing the palette was incompletely implemented.
+    The result is that unless palette index checking is turned off and
+    there are no read transformations the png_info palette gets deleted
+    when the png_struct is deleted.  This is normally harmless (png_info
+    gets deleted first) but in the case of pngcp it results in
+    use-after-free of the palette and, therefore, palette corruption and
+    maybe on some operating systems and access violation.
+  Updated the pngcp 'search' mode to check a restricted range of memLevels;
+    there is an unrelated bug which means that lower zlib memLevels result
+    in memory corruption under some circumstances, probably less often
+    than 1:1000.

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/14
+++ b/14
@ -5471,7 +5471,7 @@ Version 1.7.0beta76 [January 7, 2016]
  Fixed new Coverity defect, potential NULL dereference of "ps" in pngwutil.c
  Added temporary workaround for Coverity "Dead code" defect.

-Version 1.7.0beta77 [January 11, 2016]
+Version 1.7.0beta77 [January 12, 2016]
  Fixed new Coverity defect, another NULL dereference of "ps" in pngwutil.c
  Prevent the CMINFO optimization code from running twice on any PNG IDAT
    stream longer than 2048 bytes; the second time could overwrite bytes
@ -5499,6 +5499,18 @@ Version 1.7.0beta77 [January 11, 2016]
    that the latter should only affect the write code. This includes a
    quiet API change to alter png_set_compression_buffer_size to use
    a png_alloc_size_t, not png_size_t and implement the correct checks.
+  Fixed recently introduced palette sharing bug.  The internal read
+    code change to stop sharing the palette was incompletely implemented.
+    The result is that unless palette index checking is turned off and
+    there are no read transformations the png_info palette gets deleted
+    when the png_struct is deleted.  This is normally harmless (png_info
+    gets deleted first) but in the case of pngcp it results in
+    use-after-free of the palette and, therefore, palette corruption and
+    maybe on some operating systems and access violation.
+  Updated the pngcp 'search' mode to check a restricted range of memLevels;
+    there is an unrelated bug which means that lower zlib memLevels result
+    in memory corruption under some circumstances, probably less often
+    than 1:1000.

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit