We have been running address-sanitized CI verifications for a while.
We can finally afford to simplify pngtest.c by removing a compile-time
option and the associated code branches that used to serve (only to a
limited extent) the purpose of bounds checking.
Also change the brief description of pngtest.c at the top of the file.
This is no longer just a simple test program.
Improve:
The pngtest program used to be rather relaxed upon seeing invalid
parameters in callbacks: it either ignored them, or it bailed out
of the callbacks, essentially sweeping the bug under the rug.
But no more. Now it terminates with a severe `png_error`, in which
it says what's broken and where.
Improve:
`PNG_DEBUG`, defined externally at build time, and defaulting to zero,
was assumed to be non-negative. Now it's checked.
Clean up:
In a very distant past, the pngtest program used to "travel" across
libpng versions, on its own, not necessarily accompanied by the actual
library version that it was meant to test. However, this stopped being
the case, and now is as good a time as any to remove the compatibility
workarounds that had made the aforementioned "travel" possible.
Other chores include:
* The refactoring of the user-defined chunk handling routines;
* The cleanup of an unnecessary use of volatile;
* The various cosmetic improvements of code and comments.
This adds a new configuration file, 'contrib/conftest/basic.dfa' which
disables unused APIs on a test Linux-based system. So support the
configuration several fixes were necessary in the test programs so that
the tests are skipped correctly when APIs are not available.
The configuration has been tested on a range of common Linux apps
including web browser code (qtwebengine), image processing code (e.g.
ImageMagick) and general display code (X11, Qt5 and Qt6, KDE). Overall
this first step reduces libpng linked code and data size to about 2/3 of
the full configuration.
To use the new test simply copy basic.dfa to 'pngusr.dfa' in the root of
the source directory and build.
Signed-off-by: John Bowler <jbowler@acm.org>
This changes the mask used in the IHDR width check from ~7U to
~(png_alloc_size_t)7 which is a quantity at least as big as both
png_uint_32 and size_t whereas "7U" will be 16 bits on a 16 bit system.
The change both corrects a bug in the code (on 16 bit systems) and
removes compiler warnings about the test always being false on 64-bit
architectures.
Signed-off-by: John Bowler <jbowler@acm.org>
This was broken by the corrections to the 'palette max' handling; if
that is disabled the test of num_palette_max must be removed in pnread.c
Signed-off-by: John Bowler <jbowler@acm.org>
This fixes commit 27e548af2518ff8d278b45c40d11ad1bdd68eaa0.
The macro `png_check_sig` has been deprecated and remained untested
for decades. And yet, somehow it escaped from all past API cleanups.
Also update the libpng manual.
Reported-by: Matthieu Darbois
Many build scripts, ports and other third-party add-ons that are
circulating around appear to be distributed under the MIT License.
Examples include the Vcpkg build system (including the libpng port)
and the Meson build definitions (including the libpng definition).
I am, therefore, relicensing our CI scripts once more, as the sole
author (so far), just in case that any of the CI code might travel
from/to such projects. Hopefully, this one last license will stick.
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
From the libpng licensing point of view, the build projects, the build
scripts, the test scripts, the CI verification scripts, et cetera, have
not traditionally been part of libpng proper, although some of these,
including the CMake-based build, have been released under the libpng
license.
Considering how the CMake build grew as a result of many contributions
from many contributing authors over a long time, one may argue that it
almost became an individual piece of software in its own right.
Moving on, everything CMake-related shall be placed in the subdirectory
scripts/cmake/ (except, of course, the main CMakeLists.txt). Moreover,
contributing authors shall be acknowledged in scripts/cmake/AUTHORS.md.
Please see scripts/cmake/README.md for more information.
Bring the auto-generated scripts up to date with the autoconf upgrade
from version 2.71 to version 2.72.
Make the .gitignore exclusions better tailored to the autoconf- and
configure-generated artifacts.
Move all Autoconf macro files (except for those that need to be in
the top-level directory) to their own subdirectory scripts/autoconf/
In this commit, we introduce a better way to organize the scripts dir,
and we make a better separation between the build scripts under the
libpng license vs. the build scripts that fall under other licenses.
Please see scripts/autoconf/README.md for more information.
Previously the 'make check' test pngtest-all looked for given messages
at EOL. The match failed with Windows/MSYS2 because of the Windows
<cr><lf> line endings output by pngtest. This changes the test to look
for the message anywhere in a line; this might give false matches but
the specific messages being searched for are not likely to cause this
problem.
Signed-off-by: John Bowler <jbowler@acm.org>
The test always failed on systems with no support for zlib
inflateValidate and on systems where the png_set_option setting was
disabled, however pngtest-all succeeded because the failure was ignored.
The latter is now fixed so the badadler.png check needs to use --xfail,
not --relaxed.
Signed-off-by: John Bowler <jbowler@acm.org>
This corrects contrib/testpngs/badpal/regression-palette-8.png. Despite
the comment in commit da109d3e the file checked in had 255 PLTE entries
so failed to perform the regression test. This version of the PNG has
254 entries.
Signed-off-by: John Bowler <jbowler@acm.org>
The last byte of each row was ignored in a function that was executed
under the build flags `PNG_READ_CHECK_FOR_INVALID_INDEX_SUPPORTED` and
`PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED`.
This is a revert of a change previously applied in libpng-1.6.33beta01.
See SourceForge bug #269 at https://sourceforge.net/p/libpng/bugs/269/
Reviewed-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
This change is only verifiable in configure builds; cmake only executes
the basic test.
The previous version of tests/pngtest-all only returned the status code
of the final test. Apparently it could never fail. This adds checking
of all return status codes.
The change also adds a basic approach for regression testing with PNGs
that should fail a test; --strict ensures that PNGs which are valid do
not start to be reported as erroneous, this is the inverse.
At present the code (minimal traditional Bourne shell) only tests the
palette index checking code, a potentially important check if apps rely
on it.
The changes have been tested using the configure build both with a
regression which causes the libpng checking to cease to work and with a
corrected (reverted regression). The regression test verifies that the
intended check works as expected.
Signed-off-by: John Bowler <jbowler@acm.org>
This removes the default build of an undocumented feature to disable
Adler32 checksums on those systems where it was the default.
The PR is motived by github #187 however it fixes a much more general
problem (#187 is limited to an issue where libpng "crashes" on some
manufacturer systems). The fix is based on a suggestion by @sgowdev who
is the originator of the issue.
When libpng disables the checking of Adler32 checksums it does so by an
undocumented and therefore possibly unsupported call to a zlib function
which does not exist in some versions of zlib.
Fortunately libpng only does this if the caller of libpng explicitly
asks for it to happen. Unfortunately the call to the undocumented
function is still in the compiled and built libpng and this means that
on some systems (as identified in #187) libpng can fail to load or maybe
even crash.
The libpng authors are currently unaware of any program or system that
uses this feature and none has been identified by the contributors to
In this fix an option is added to *enable* the code so that by default
the code is *disabled* - this is a simple generalization of the
suggestion by @sgowdev.
BENEFITS: the problem is eliminated, users of the functionality, if any,
are idenfified, the functionality can be implemented correctly in the
future or it can be removed. Hardly anyone complains.
COSTS: someone will complain that they have to enable an option in a
libpng build to use a feature that never worked consistently in the
first place.
This patch has been tested both with the option enabled and with it
disabled via pngusr.dfa. Tests, checks pass with cmake and configure,
make distcheck passes on configure.
Reported-by: Stephen Gowen <dev.sgowen@gmail.com>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
This adds a file to regression-test the previously introduced off-by-one
error in the check on read for a colormapped PNG with an out-of-range
index (equal or greater than the length of the PLTE).
Previous tests covered all cases except the 8-bit palette case; the
"small" test file contains the "bad" entry at index 254, not 255 so it
passes even if the final byte is not checked. The new file has the
erroneous entry in the last byte.
Signed-off-by: John Bowler <jbowler@acm.org>
In a similar manner as zlib (https://github.com/madler/zlib/pull/895),
libpng contains a header configuration that's no longer valid and
hasn't been exercised for the macOS target.
- The target OS conditional macros are misused. Specifically
`TARGET_OS_MAC` covers all Apple targets, including iOS, and it
should not be checked with `#if defined` as they would always be
defined (to either 1 or 0) on Apple platforms.
- `#include <fp.h>` no longer works for the macOS target and results
in a compilation failure. macOS ships all required functions in
`math.h`, and clients should use `math.h` instead.
This problem has not been noticed until a recent extension in clang
(https://github.com/llvm/llvm-project/pull/74676) exposed the issue
and broke libpng builds on Apple platforms. The failure can be
reproduced now by adding `#include <TargetConditionals.h>` before the
block.
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
When compiling on the MIPS platform using the following command:
./configure --enable-hardware-optimizations && make
The options '-mmsa -mfp64' are not being passed.
PNG_MIPS_MSA_IMPLEMENTATION is defined as 2, leading to
the initialization of unimplemented MSA interfaces.
`png_safe_execute` called `setjmp` in a context where the result was
undefined (an assignment statement). This corrects the code and removes
volatile statements that were introduced previously to quell warnings
from earlier versions of GCC.
Co-authored-by: John Bowler <jbowler@acm.org>
Mark the initialization of `png_signature[]` as static const inside the
function `png_sig_cmp`. This might be helpful to optimizing compilers.
Initialize the arrays `number_buf[]`, `digits[]` and `buffer[]` inside
the functions `png_convert_to_rfc1123_buffer`, `png_ascii_from_fixed`,
`png_warning_parameter_unsigned` and `png_warning_parameter_signed`.
Although these initializations are redundant, compilers such as gcc-13
fail to see the redundancy.
The PNG IDAT did not include a '255' entry, the highest entry is '254',
this corrects the test PNG to have a palette with only 254 entries so
that it triggers the palette index checks.
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
The write palette check is off-by-one when checking the maximum palette
index against the number of entries however, because of the
implementation, the simple correction would fail if no palette check had
been performed (for example for a non-palette image). This corrects
both errors so that the code outputs a warning (but not an error) if a
user of libpng writes an image with a PLTE which is one entry short.
The write palette check can be turned off on colour type 3 images
(colour mapping images) but this is done by setting the 'maximum'
palette index in the image to (-1). The ammended code works because it
only executes for paletted images, it is dependent on palette checks
being compiled in and they will always be checked unless the stored
'max' value is less than 0.
Signed-off-by: John Bowler <jbowler@acm.org>
The palette index checking function is called by default but only if
some *other* transformation is happening. This makes the 'get palette
max' public API disfunctional (sometimes it works, sometimes it returns
0) and causes the supposed default behaviour of checking the palette
index only to work sometimes. It works in pngtest, it doesn't work in
pngcp.
The check in pngread also has an off-by-one error; the number recorded
is the highest index found so it should be checked to ensure that it is
less than the palette length but it was checked for being greater.
The pull request includes a set of 8 files which all have the full range
of possible indices including one (the highest) which is invalid because
the PLTE chunk is one short of the maximum for each bit depth.
Signed-off-by: John Bowler <jbowler@acm.org>
This removes pragmas and the controlling code that quelled warnings
generated by GCC7.1 (only) with -Wstrict-overflow=3 and possibly other
levels. Tested with GCC13.2, GCC7.1 is no longer the current version of
GCC7 (GCC7.5) and GCC7.1 was replaced by GCC7.2 on August 14, 2017.
Signed-off-by: John Bowler <jbowler@acm.org>
Previously pngfix had been made warning-free in GCC7.1 by marking auto
variables (volatile). This prevented the arithmetic optimizations which
caused warnings from GCC7.1 with higher values -Wstrict-overflow=<n>
GCC has moved on a lot since 7.1 and pngfix.c now compiles with just one
warning using -Wstrict-overflow=5. The change includes a change to make
this go away by performing the rearrangement GCC was using in the code:
i == ndigits-1
becomes:
i+1 == ndigits
i is initialized to ndigits and has been decremented at least once so
this is fine.
Test, configure:
CFLAGS="-Wall -Wextra -Wno-maybe-uninitialized -Wstrict-overflow=5" \
../configure --enable-werror
make
make cehck
Test, cmake:
cmake ..
make
make test
Signed-off-by: John Bowler <jbowler@acm.org>
Prior versons of the GCC warned about the 'dest' parameter of
contrib/tools/pngcp.c not being volatile, which isn't necessary because
it isn't modified. This removes the GCC specific fixup.
The function which calls setjmp, cppng() also relied on undefined
behavior because it assigned the result of setjmp() to a variable; this
is not one of the four uses of setjmp permitted by ANSI-C. This passes
the result previously returned by longjmp via (struct display). It's
very very unlikely that any compiler could have got the code wrong but
it is technically undefined.
