libpng/ANNOUNCE
Glenn Randers-Pehrson 780d38b87d [libpng17]Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing
parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
2017-08-28 14:17:52 -05:00

Libpng 1.7.0beta90 - August 28, 2017

This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.

Files available for download:

Source files with LF line endings (for Unix/Linux) and with a
"configure" script

   1.7.0beta90.tar.xz (LZMA-compressed, recommended)
   1.7.0beta90.tar.gz

Source files with CRLF line endings (for Windows), without the
"configure" script

   /scratch/glennrp/Libpng17/lp170b90.7z (LZMA-compressed, recommended)
   /scratch/glennrp/Libpng17/lp170b90.zip

Other information:

   1.7.0beta90-README.txt
   1.7.0beta90-LICENSE.txt
   libpng-1.7.0beta90-*.asc (armored detached GPG signatures)

Changes since the last public release (1.6.0):

Version 1.7.0alpha01 [December 15, 2012]
Started 1.7.0 branch from libpng-1.6.0beta33.
Made 8-bit compose and rgb_to_grayscale accuracy improvements. These
changes cause 16-bit arithmetic to be used for 8-bit data in the gamma
corrected compose and grayscale operations. The arithmetic errors have
three sources all of which are fixed in this commit:
1) 8-bit linear calculations produce massive errors for lower intensity
values.
2) The old 16-bit "16 to 8" gamma table code erroneously wrote the lowest
output value into a table entry which corresponded to multiple output
values (where the value written should have been the one closest to the
transformed input value).
3) In a number of cases the code to access the 16-bit table did not round;
it did a simple shift, which was wrong and made the side effects of (2)
even worse.
The new gamma code does not have the 16-to-8 problem at the cost of slightly
more calculations and the algorithm used to minimize the number of
calculations has been extended to all the 16-bit tables; it has advantages
for any significant gamma correction.
Rearranged png_struct, remove unused members, change png_set_filter handling
png_struct members rearranged - partly to reorder to avoid packing, partly
to put frequently accessed members at the start and partly to make
the grouping more clear. png_set_filter code has been rewritten and the
code shared with png_write_start_row moved to a common function. Comments
in png.h have been made more clear. Minor fixes to
contrib/libtests/timepng.c and some of the png_*_tRNS logic, including
more error detection in png_set_tRNS.
Cleaned up USER_LIMITS feature, removing members from png_struct when not
required.
Rearranged ARM-NEON optimizations to isolate the machine specific code to
the hardware subdirectory, and add comments to pngrutil.c so that
implementors of other optimizations will know what to do.
Fixed cases of unquoted DESTDIR in Makefile.am.
Rebuilt Makefile.in, configure, etc., with autoconf-2.69 and automake-1.12.5.
Version 1.7.0alpha02 [December 17, 2012]
Removed functions that were deprecated in libpng-1.6.0:
png_reset_zstream(), png_info_init_3(), and png_data_freer() and its
associated flags.
Removed some duplicated lines from contrib/tools/scale.c and png.c.
Changed some instances of png_warning() to png_app_error().
Updated some left over "1.6.0beta32" in code sources.
Fixed a "png_structp" prototype (should be png_structrp) in arm_init.c
Updated the version-number hack in pngvalid.c
Version 1.7.0alpha03 [December 19, 2012]
Cleaned up and enhanced the configure option; libpng now correctly
links and tests against zlib with a prefix; tests have been clarified; and
irrelevant or obsolete things (as defined by the autotools man page) have
been removed.
Documented new PNG_ABORT behavior in the manual and commentary in pngerror.c
Cleaned up whitespace in the synopsis portion of the manpage "libpng.3"
Fixed previous support for Z_PREFIX in configure builds, corrected sCAL APIs;
some of these use floating point arithmetic so they need to be disabled if
floating point arithmetic is switched off. This is a quiet API change -
previously it appeared that the APIs were supported if fixed point
arithmetic was used internally, however they required certain APIs (floor,
modf, frexp, atof) that are part of C floating point support. Changed
png_fixed and the gamma code specific version of the same to avoid floor(),
which may be a library function (not an intrinsic). Removed unused #if 0
code.
Disassembled the version number in scripts/options.awk (necessary for
building on SunOS).
Version 1.7.0alpha04 [December 23, 2012]
Added scripts/makefile.msys contributed by Christopher M. Wheeler
Made default Zlib compression settings be configurable. This adds #defines to
pnglibconf.h to control the defaults.
Fixed Windows build issues, enabled ARM compilation. Various warnings issued
by earlier versions of GCC fixed for Cygwin and MinGW (which both use old
GCCs.) ARM support is enabled by default in zlib.props (unsupported by
Microsoft) and ARM compilation is made possible by deleting the check for
x86. The test programs cannot be run because they are not signed.
Version 1.7.0alpha05 [December 24, 2012]
Discontinued distributing libpng-1.x.x.tar.bz2.
Discontinued distributing libpng-1.7.0-1.6.0-diff.txt and similar.
Version 1.7.0alpha06 [January 1, 2013]
Fixed 'make distcheck' on SUN OS - libpng.so was not being removed
Version 1.7.0alpha07 [January 10, 2013]
Fixed conceivable but difficult to repro overflow. Also added two test
programs to generate and test a PNG which should have the problem.
Version 1.7.0alpha08 [January 17, 2013]
Corrected previous attempt at overflow detection in png_set_unknown_chunks()
(CVE-2013-7353). Added overflow detection in png_set_sPLT() and
png_set_text_2() (CVE-2013-7354).
Version 1.7.0alpha09 [January 21, 2013]
Pulled changes to multi-chunk handling from libpng-1.6.0beta40.
Version 1.7.0alpha10 [February 5, 2013]
Make symbol prefixing work with the ARM neon optimizations. Also
allow pngpriv.h to be included for preprocessor definitions only, so
it can be used in non-C/C++ files.
Added png_get_palette_max() function.
Changed png_size_t to size_t throughout headers, make sRGB check numbers
consistent.
Fixed ARM support (Mans Rullgard).
Removed stray out-of-order #endif and #ifdef (Mans Rullgard).
Ported libpng 1.5 options.awk/dfn file handling to 1.7, fixed one bug.
Rebuilt Makefile.in, configure, etc., with autoconf-2.69 and automake-1.13.
Minor fixes to assembler changes, verified with a dummy .S file
Removed cc -E workaround, corrected png_get_palette_max API. Tested on
SUN OS cc 5.9, which demonstrates the tokenization problem previously
avoided by using /lib/cpp. Since all .dfn output is now protected
in double quotes unless it is to be macro substituted the fix should work
everywhere.
Version 1.7.0beta01 [February 15, 2013]
Enable parallel tests and rearrange TESTS order. To take advantage of
the massive speed improvements, use a make capable of parallel builds
on a multi-CPU machine and pass the right arguments to make (-j10000
for GNU make) to get the build to run in parallel.
Fixed previous support for Z_PREFIX in configure builds, corrected
sCAL APIs; some of these use floating point arithmetic so need to be
disabled if floating point arithmetic is switched off. This is a quiet API
change - previously it appeared that the APIs were supported if fixed point
arithmetic was used internally, however they required certain APIs (floor,
modf, frexp, atof) that are part of C floating point support. Changed
png_fixed and the gamma code specific version of the same to avoid floor(),
which may be a library function (not an intrinsic). Removed unused #if 0
code.
Fixed make distcheck to skip over the test result files. They were
being included because the whole of the 'tests' directory is included,
fixed to just include the actual test files and tests/pngstest. Also
reverted the previous erroneous change to remove the ${srcdir} from the
front of contrib, scripts, projects and added an explanation of what is
going on to Makefile.am
Fixed missing dependency in --prefix builds. The intermediate
internal 'prefix.h' file can only be generated correctly after pnglibconf.h,
however the dependency was not in Makefile.am. The symptoms are
unpredictable depending on the order make chooses to build pngprefix.h and
pnglibconf.h, often the error goes unnoticed because there is a system
pnglibconf.h to use instead.
Accept "," as a separator in pnglibconf.dfa and allow for
continuation lines. This adds to the syntax of "option" and "chunk" lines,
allowing the elements to be separated by a "," at the end of an element and
interpreting a "," at end of line as a continuation - so the following line
is read. The new syntax is optional and solely provided for readability.
Enclosed the new png_get_palette_max in #ifdef PNG_GET_PALETTE_MAX_SUPPORTED
block, and revised pnglibconf.h and pnglibconf.h.prebuilt accordingly.
Version 1.7.0beta02 [February 18, 2013]
Fixed a race condition in the creation of the build 'scripts' directory
while building with a parallel make.
Use approved/supported Android method to check for NEON, use Linux/POSIX
1003.1 API to check /proc/self/auxv avoiding buffer allocation and other
library calls (ported from libpng15).
Use parentheses more consistently in "#if defined(MACRO)" tests.
Folded long lines.
Version 1.7.0beta03 [February 22, 2013]
Reenabled code to allow zero length PLTE chunks for MNG.
Fixed ALIGNED_MEMORY support.
Allow run-time ARM NEON checking to be disabled. A new configure option:
--enable-arm-neon=always will stop the run-time checks. New checks
within arm/arm_init.c will cause the code not to be compiled unless
__ARM_NEON__ is set. This should make it fail-safe (if someone asks
for it to be on, the build will fail if it can't be done).
Updated the INSTALL document.
Version 1.7.0beta04 [February 27, 2013]
Revised INSTALL to recommend using CPPFLAGS instead of INCLUDES.
Revised scripts/makefile.freebsd to respect ZLIBLIB and ZLIBINC.
Revised scripts/dfn.awk to work with the buggy MSYS awk that has trouble
with CRLF line endings.
Version 1.7.0beta05 [March 5, 2013]
Avoid a possible memory leak in contrib/gregbook/readpng.c
Changed user chunk callback API to respect global and per chunk defaults.
Previously a return of 0 from a user chunk callback would result in the
chunk being saved (if this was safe, even if the chunk was unsafe-to-copy);
this change respects the defaults set by the application, so unknown chunks
can be discarded by default and known-safe ones preserved.
Corrected Android builds and corrected libpng.vers with symbol
prefixing. This adds an API to set optimization options externally,
providing an alternative and general solution for the non-portable
run-time tests used by the ARM Neon code. It also makes those tests
compile and link on Android. The order of settings vs options in
pnglibconf.h is reversed to allow settings to depend on options and
options can now set (or override) the defaults for settings.
Version 1.7.0beta06 [March 13, 2013]
Corrected simplified API default gamma for color-mapped output, added
a flag to change default. In 1.6.0 when the simplified API was used
to produce color-mapped output from an input image with no gamma
information the gamma assumed for the input could be different from
that assumed for non-color-mapped output. In particular 16-bit depth
input files were assumed to be sRGB encoded, whereas in the 'direct'
case they were assumed to have linear data. This was an error. The
fix makes the simplified API treat all input files the same way and
adds a new flag to the png_image::flags member to allow the
application/user to specify that 16-bit files contain sRGB data
rather than the default linear.
Fixed bugs in the pngpixel and makepng test programs.
Fixed CMakelists.txt to allow building a single variant of the library
(Claudio Bley):
Introduced a PNG_LIB_TARGETS variable that lists all activated library
targets. It is an error if this variable ends up empty, i.e. you have
to build at least one library variant.
Made the *_COPY targets only depend on library targets actually being built.
Use PNG_LIB_TARGETS to unify a code path.
Changed the CREATE_SYMLINK macro to expect the full path to a file as the
first argument. When symlinking the filename component of that path is
determined and used as the link target.
Use copy_if_different in the CREATE_SYMLINK macro.
Eliminated two warnings from the Intel C compiler. The warnings are
technically valid, although a reasonable treatment of division would
show it to be incorrect.
Version 1.7.0beta07 [April 14, 2013]
Updated documentation of 1.5.x to 1.6.x changes in iCCP chunk handling.
Fixed incorrect warning of excess deflate data. End condition - the
warning would be produced if the end of the deflate stream wasn't read
in the last row. The warning is harmless.
Corrected the test on user transform changes on read. It was in the
png_set of the transform function, but that doesn't matter unless the
transform function changes the rowbuf size, and that is only valid if
transform_info is called.
Corrected a misplaced closing bracket in contrib/libtests/pngvalid.c
(Flavio Medeiros).
Corrected length written to uncompressed iTXt chunks (Samuli Suominen).
Version 1.7.0beta08 [April 18, 2013]
Added contrib/tools/fixitxt.c, to repair the erroneous iTXt chunk length
written by libpng-1.6.0 and 1.6.1.
Disallow storing sRGB information when the sRGB is not supported.
Version 1.7.0beta09 [April 24, 2013]
Exposed PNG chunk types in png.h
Modified png_uint_32 macros/code to make as few assumptions as possible
Revised stack marking in arm/filter_neon.S and configure.ac
Ensure that NEON filter stuff is completely disabled when switched 'off'.
Previously the ARM NEON specific files were still built if the option
was switched 'off' as opposed to being explicitly disabled.
Version 1.7.0beta10 [April 24, 2013]
Attempt to fix the PNG_ARM_NEON configuration mess.
Version 1.7.0beta11 [April 26, 2013]
Test for 'arm*', not just 'arm' in the host_cpu configure variable.
Version 1.7.0beta12 [April 30, 2013]
Added png_app_warning for out-of-range unknown chunk index in
png_set_unknown_chunk_location().
Expanded manual paragraph about writing private chunks.
Avoid dereferencing NULL pointer possibly returned from
png_create_write_struct() (Andrew Church).
Version 1.7.0beta13 [May 12, 2013]
Revised contrib/pngminim/*/makefile to generate pnglibconf.h with the
right zlib header files.
Separated CPPFLAGS and CFLAGS in contrib/pngminim/*/makefile
Updated contrib/pngminus/pnm2png.c (Paul Stewart):
Check for EOF
Ignore "#" delimited comments in input file to pnm2png.c.
Fixed whitespace handling
Added a call to png_set_packing()
Initialize dimension values so if sscanf fails at least we have known
invalid values.
Calculate our own zlib windowBits when decoding rather than trusting the
CMF bytes in the PNG datastream.
Added an option to force maximum window size for inflating, which was
the behavior of libpng15 and earlier.
Added png-fix-itxt and png-fix-too-far-back to the built programs and
removed warnings from the source code and timepng that are revealed as
a result.
Detect wrong libpng versions linked to png-fix-too-far-back, which currently
only works with libpng versions that can be made to reliably fail when
the deflate data contains an out-of-window reference. This means only
1.6 and later.
Attempt to detect configuration issues with png-fix-too-far-back, which
requires both the correct libpng and the correct zlib to function
correctly.
Check ZLIB_VERNUM for mismatches, enclose #error in quotes
Added information in the documentation about problems with and fixes for
the bad CRC and bad iTXt chunk situations.
Version 1.7.0beta14 [June 8, 2013]
Removed a redundant test in png_set_IHDR().
Added set(CMAKE_CONFIGURATION_TYPES ...) to CMakeLists.txt (Andrew Hundt)
Deleted set(CMAKE_BUILD_TYPE) block from CMakeLists.txt
Enclose the prototypes for the simplified write API in #ifdef STDIO/#endif
Make ARM NEON support work at compile time (not just configure time).
This moves the test on __ARM_NEON__ into pngconf.h to avoid issues when
using a compiler that compiles for multiple architectures at one time.
Removed PNG_FILTER_OPTIMIZATIONS and PNG_ARM_NEON_SUPPORTED from
pnglibconf.h, allowing more of the decisions to be made internally
(pngpriv.h) during the compile. Without this, symbol prefixing is broken
under certain circumstances on ARM platforms. Now only the API parts of
the optimizations ('check' vs 'api') are exposed in the public header files
except that the new setting PNG_ARM_NEON_OPT documents how libpng makes the
decision about whether or not to use the optimizations.
Protect symbol prefixing against CC/CPPFLAGS/CFLAGS usage.
Previous iOS/Xcode fixes for the ARM NEON optimizations moved the test
on __ARM_NEON__ from configure time to compile time. This breaks symbol
prefixing because the definition of the special png_init_filter_functions
call was hidden at configure time if the relevant compiler arguments are
passed in CFLAGS as opposed to CC. This change attempts to avoid all
the confusion that would result by declaring the init function even when
it is not used, so that it will always get prefixed.
Version 1.7.0beta15 [June 18, 2013]
Revised libpng.3 so that "doclifter" can process it.
Version 1.7.0beta16 [July 5, 2013]
Revised example.c to illustrate use of PNG_DEFAULT_sRGB and PNG_GAMMA_MAC_18
as parameters for png_set_gamma(). These have been available since
libpng-1.5.4.
Renamed contrib/tools/png-fix-too-far-back.c to pngfix.c and revised it
to check all compressed chunks known to libpng.
Updated documentation to show default behavior of benign errors correctly.
Added perfect hash code generation for lists of PNG chunks. This is
a work in progress; checked in for use in pngfix.c
Ported ARM no-read patch from libpng16.
Ported pngfix.c patches from libpng16.
Version 1.7.0beta17 [August 21, 2013]
Revised manual about changes in iTXt chunk handling made in libpng-1.6.0.
Added "/* SAFE */" comments in pngrutil.c and pngrtran.c where warnings
may be erroneously issued by code-checking applications.
Added information about png_set_options() to the manual.
Delay calling png_init_filter_functions() until a row with nonzero filter
is found.
Version 1.7.0beta18 [September 16, 2013]
Fixed inconsistent conditional compilation of png_chunk_unknown_handling()
prototype, definition, and usage. Made it depend on
PNG_HANDLE_AS_UNKNOWN_SUPPORTED everywhere.
Version 1.7.0beta19 [September 30, 2013]
Reverted the change to unknown handling #defines; the change breaks 'NOREAD'
builds.
Fixed default behavior of ARM_NEON_API. If the ARM NEON API option is
compiled without the CHECK option it defaulted to on, not off.
Catch up with recent libpng16 changes; unknown handling and spelling
corrections
Avoid up-cast warnings in pngvalid.c. On ARM the alignment requirements of
png_modifier are greater than that of png_store and as a consequence
compilation of pngvalid.c results in a warning about increased alignment
requirements because of the bare cast to (png_modifier*). The code is
safe, because the pointer is known to point to a stack allocated
png_modifier, but this change avoids the warning.
Fixed some grammatical changes and updated the png chunks list.
Version 1.7.0beta20 [October 13, 2013]
Made changes for compatibility with automake 1.14:
1) Added the 'compile' program to the list of programs that must be cleaned
in autogen.sh
2) Added 'subdir-objects' which causes .c files in sub-directories to be
compiled such that the corresponding .o files are also in the
sub-directory. This is because automake 1.14 warns that the
current behavior of compiling to the top level directory may be removed
in the future.
3) Updated dependencies on pnglibconf.h to match the new .o locations and
added all the files in contrib/libtests and contrib/tools that depend
on pnglibconf.h
4) Added 'BUILD_SOURCES = pnglibconf.h'; this is the automake recommended
way of handling the dependencies of sources that are machine generated;
unfortunately it only works if the user does 'make all' or 'make check',
so the dependencies (3) are still required.
Cleaned up (char*) casts of zlib messages. The latest version of the Intel C
compiler complains about casting a string literal as (char*), so copied the
treatment of z_const from the library code into pngfix.c
Simplified error message code in pngunknown. The simplification has the
useful side effect of avoiding a bogus warning generated by the latest
version of the Intel C compiler (it objects to
condition ? string-literal : string-literal).
Make autogen.sh work with automake 1.13 as well as 1.14. Do this by always
removing the 1.14 'compile' script but never checking for it.
Version 1.7.0beta21 [November 2, 2013]
Added ARMv8 support (James Yu <james.yu at linaro.org>). Added file
arm/filter_neon_intrinsics.c; enable with -mfpu=neon.
Revised pngvalid to generate size images with as many filters as it can
manage, limited by the number of rows.
Cleaned up ARM NEON compilation handling. The tests are now in pngpriv.h
and detect the broken GCC compilers.
Allow clang derived from older GCC versions to use ARM intrinsics. This
causes all clang builds that use -mfpu=neon to use the intrinsics code,
not the assembler code. This has only been tested on iOS 7. It may be
necessary to exclude some earlier clang versions but this seems unlikely.
Changed NEON implementation selection mechanism. This allows assembler
or intrinsics to be turned on at compile time during the build by defining
PNG_ARM_NEON_IMPLEMENTATION to the correct value (2 or 1). This macro
is undefined by default and the build type is selected in pngpriv.h.
Version 1.7.0beta22 [November 7, 2013]
Fixed #include in filter_neon_intrinsics.c and ctype macros. The ctype char
checking macros take an unsigned char argument, not a signed char.
Version 1.7.0beta23 [November 24, 2013]
Changed #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED in pngpread.c to
#ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED to be consistent with
what is in pngpriv.h.
Moved prototype for png_handle_unknown() in pngpriv.h outside of
the #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED/#endif block.
Added "-Wall" to CFLAGS in contrib/pngminim/*/makefile
Conditionally compile some unused functions reported by -Wall in
pngminim.
Fixed 'minimal' builds. Various obviously useful minimal configurations
don't build because of missing contrib/libtests test programs and
overly complex dependencies in scripts/pnglibconf.dfa. This change
adds contrib/conftest/*.dfa files that can be used in automatic build
scripts to ensure that these configurations continue to build.
Enabled WRITE_INVERT and WRITE_PACK in contrib/pngminim/encoder.
Fixed pngvalid 'fail' function declaration on the Intel C Compiler.
This reverts to the previous 'static' implementation and works round
the 'unused static function' warning by using PNG_UNUSED().
Version 1.7.0beta24 [December 15, 2013]
Removed or marked PNG_UNUSED some harmless "dead assignments" reported
by clang scan-build.
Changed tabs to 3 spaces in png_debug macros and changed '"%s"m'
to '"%s" m' to improve portability among compilers.
Changed png_free_default() to free() in pngtest.c
Tidied up pngfix inits and fixed pngtest no-write builds.
Bookkeeping: Moved functions around (no changes). Moved transform
function definitions before the place where they are called so that
they can be made static. Move the intrapixel functions and the
grayscale palette builder out of the png?tran.c files. The latter
isn't a transform function and is no longer used internally, and the
former MNG specific functions are better placed in pngread/pngwrite.c
Made transform implementation functions static. This makes the internal
functions called by png_do_{read|write}_transformations static. On an
x86-64 DLL build (Gentoo Linux) this reduces the size of the text
segment of the DLL by 1208 bytes, about 0.6%. It also simplifies
maintenance by removing the declarations from pngpriv.h and allowing
easier changes to the internal interfaces.
Handle zero-length PLTE chunk or NULL palette with png_error()
instead of png_chunk_report(), which by default issues a warning
rather than an error, leading to later reading from a NULL pointer
(png_ptr->palette) in png_do_expand_palette(). This is CVE-2013-6954
and VU#650142. Libpng-1.6.1 through 1.6.7 and libpng-1.7.0beta03
through 1.7.0beta23 are vulnerable. Libpng-1.6.0 and earlier do not
have the bug.
Version 1.7.0beta25 [December 26, 2013]
Merged files with version 1.6.8 that have not changed since then.
Rebuilt configure scripts with automake-1.14.1 and autoconf-2.69
Version 1.7.0beta26 [January 1, 2014]
Added libpng 1.5 checks to pngvalid.c
Merged with 1.5 and 1.6 changes to create a single pngvalid.c
Added dSIG to chunk list in png.h
Removed #error macro from contrib/tools/pngfix.c (Thomas Klausner).
Merged pngrio.c, pngtrans.c, and pngwio.c with libpng-1.6.9
Fixed test programs for interlace options. Made pngvalid.c and
pngtest.c work correctly when READ_INTERLACING and/or WRITE_INTERLACING
are switched off.
Changed pngvalid.c to support libpng 1.5, which does not support
the PNG_MAXIMUM_INFLATE_WINDOW option, so #define it out when
appropriate in pngvalid.c
Allow unversioned links created on install to be disabled in configure.
In configure builds 'make install' changes/adds links like png.h
and libpng.a to point to the newly installed, versioned, files (e.g.
libpng17/png.h and libpng17.a). Three new configure options and some
rearrangement of Makefile.am allow creation of these links to be disabled.
Version 1.7.0beta27 [January 10, 2014]
Removed potentially misleading warning from png_check_IHDR().
Version 1.7.0beta28 [January 20, 2014]
Updated scripts/makefile.* to use CPPFLAGS (Cosmin).
Added clang attribute support (Cosmin).
Version 1.7.0beta29 [January 30, 2014]
Quiet an uninitialized memory warning from VS2013 in png_get_png().
Version 1.7.0beta30 [February 2, 2014]
Fixed a large number of instances where PNGCBAPI was omitted from
function definitions.
Added pngimage test program for png_read_png and png_write_png. This
is a work-in-progress; no tests are run automatically at present and
the program by virtue of exhaustively testing all the transforms is
very slow.
Version 1.7.0beta31 [February 6, 2014]
Make png_read_png() and png_write_png() prototypes in png.h depend
upon PNG_READ_SUPPORTED and PNG_WRITE_SUPPORTED.
Removed dependence on !PNG_READ_EXPAND_SUPPORTED for calling
png_set_packing() in png_read_png().
Completed full working pngimage test program and added two test scripts.
Fixed combination of ~alpha with shift. On read invert alpha, processing
occurred after shift processing, which causes the final values to be
outside the range that should be produced by the shift. Reversing the
order on read makes the two transforms work together correctly and mirrors
the order used on write.
Do not read invalid sBIT chunks. Previously libpng only checked sBIT
values on write, so a malicious PNG writer could cause
the read code to return an invalid sBIT chunk, which might lead to
application errors or crashes. Such chunks are now skipped (with
chunk_benign_error).
Restored a line, "c = b;", that was inadvertently deleted from the
PAETH filtering code from libpng-1.7.0beta24/pngrutil.c. Deleted
the other instance of "c = b;" which is the one that triggered a
scan-build warning.
Support builds with unsupported PNG_TRANSFORM_* values. All of the
PNG_TRANSFORM_* values are always defined in png.h and, because they
are used for both read and write in some cases, it is not reliable
to #if out ones that are totally unsupported. This change adds error
detection in png_read_image() and png_write_image() to do a
png_app_error() if the app requests something that cannot be done
and it adds corresponding code to pngimage.c to handle such options
by not attempting to test them.
Version 1.7.0beta32 [February 26, 2014]
Moved redefines of png_error(), png_warning(), png_chunk_error(),
and png_chunk_warning() from pngpriv.h to png.h to make them visible
to libpng-calling applications.
Moved OS dependent code from arm/arm_init.c, to allow the included
implementation of the ARM NEON discovery function to be set at
build-time and provide sample implementations from the current code in the
contrib/arm-neon subdirectory. The __linux__ code has also been changed to
compile and link on Android by using /proc/cpuinfo, and the old linux code
is in contrib/arm-neon/linux-auxv.c. The new code avoids POSIX and Linux
dependencies apart from opening /proc/cpuinfo and is C90 compliant.
Check for info_ptr == NULL early in png_read_end() so we don't need to
run all the png_handle_*() and depend on them to return if info_ptr == NULL.
This improves the performance of png_read_end(png_ptr, NULL) and makes
it more robust against future programming errors.
Check for __has_extension before using it in pngconf.h, to
support older Clang versions (Jeremy Sequoia).
Use a user warning handler in contrib/gregbook/readpng2.c instead of default,
so warnings will be put on stderr even if libpng has CONSOLE_IO disabled.
Added png_ptr->process_mode = PNG_READ_IDAT_MODE in png_push_read_chunk
after recognizing the IDAT chunk, which avoids an infinite loop while
reading a datastream whose first IDAT chunk is of zero-length.
This fixes CERT VU#684412 and CVE-2014-0333.
Don't recognize known sRGB profiles as sRGB if they have been hacked,
but don't reject them and don't issue a copyright violation warning.
Minor editing of contrib/arm-neon/README and contrib/examples/*.c
Moved some documentation from png.h to libpng.3 and libpng-manual.txt
Version 1.7.0beta33 [February 27, 2014]
Fixed typos in the manual and in scripts/pnglibconf.dfa (CFLAGS -> CPPFLAGS
and PNG_USR_CONFIG -> PNG_USER_CONFIG).
Version 1.7.0beta34 [March 17, 2014]
Treat CRC error handling with png_set_crc_action(), instead of with
png_set_benign_errors(), which has been the case since libpng-1.6.0beta18.
Use "if (value != 0)" instead of "if (value)" consistently.
Changed ZlibSrcDir from 1.2.5 to 1.2.8 in projects/vstudio.
Moved configuration information from the manual to the INSTALL file.
Version 1.7.0beta35 [August 6, 2014]
Removed #if/#else/#endif from inside two pow() calls in pngvalid.c because
they were handled improperly by Portland Group's PGI-14.1 - PGI-14.3
when using its "__builtin_pow()" function.
Silence 'unused parameter' build warnings (Cosmin).
$(CP) is now used alongside $(RM_F). Also, use 'copy' instead
of 'cp' where applicable, and applied other minor makefile changes.
Don't warn about invalid dimensions exceeding user limits.
Allow an easy replacement of the default pre-built configuration
header with a custom header, via the make PNGLIBCONF_H_PREBUILT
macro.
Fixed a typo in pngrutil.c, introduced in libpng-1.5.6, that interferes
with "blocky" expansion of sub-8-bit interlaced PNG files (Eric Huss).
Removed scripts/makefile.elf. It has not worked since libpng-1.5.0beta14
due to elimination of the PNG_FUNCTION_EXPORT and PNG_DATA_EXPORT
definitions from pngconf.h.
Ensure that CMakeLists.txt makes the target "lib" directory before making
symbolic link into it (SourceForge bug report #226 by Rolf Timmermans).
Added opinion that the ECCN (Export Control Classification Number) for
libpng is EAR99 to the README file.
Version 1.7.0beta36 [September 27, 2014]
Updated scripts/makefiles from libpng-1.6.13beta04.
Minor updates to the manual from libpng-1.6.14beta04.
Fixed incorrect handling of the iTXt compression flag in pngrutil.c
(bug report by Shunsaku Hirata). Bug was introduced in libpng-1.6.0.
Version 1.7.0beta37 [September 28, 2014]
Merged scripts/*, pngvalid.c and pngfix.c with libpng-1.6.14beta04.
Version 1.7.0beta38 [October 17, 2014]
Added "option READ_iCCP enables READ_COMPRESSED_TEXT" to pnglibconf.dfa
Removed unused "text_len" parameter from private function png_write_zTXt().
Conditionally compile some code in png_deflate_claim(), when
PNG_WARNINGS_SUPPORTED and PNG_ERROR_TEXT_SUPPORTED are disabled.
Replaced repeated code in pngpread.c with PNG_PUSH_SAVE_BUFFER_IF_FULL.
Added "chunk iTXt enables TEXT" and "chunk zTXt enables TEXT"
to pnglibconf.dfa.
Removed "option READ_COMPRESSED_TEXT enables READ_TEXT" from pnglibconf.dfa,
to make it possible to configure a libpng that supports iCCP but not TEXT.
Removed "option WRITE_COMPRESSED_TEXT enables WRITE_TEXT" from pnglibconf.dfa
Only mark text chunks as written after successfully writing them.
Version 1.7.0beta39 [November 1, 2014]
Ported cosmetic changes from libpng-1.6.15beta02.
Version 1.7.0beta40 [November 6, 2014]
Made a one-line revision to configure.ac to support ARM on aarch64
(bug report by Marcin Juszkiewicz, fix by John Bowler).
Use png_get_libpng_ver(NULL) instead of PNG_LIBPNG_VER_STRING in
example.c, pngtest.c, and applications in the contrib directory.
Avoid out-of-bounds memory access in png_user_version_check().
Simplified and future-proofed png_user_version_check().
Fixed GCC unsigned int->float warnings. Various versions of GCC
seem to generate warnings when an unsigned value is implicitly
converted to double. This is probably a GCC bug but this change
avoids the issue by explicitly converting to (int) where safe.
Free all allocated memory in pngimage. The file buffer cache was left
allocated at the end of the program, harmless but it causes memory
leak reports from clang.
Fixed array size calculations to avoid warnings. At various points
in the code the number of elements in an array is calculated using
sizeof. This generates a compile time constant of type (size_t) which
is then typically assigned to an (unsigned int) or (int). Some versions
of GCC on 64-bit systems warn about the apparent narrowing, even though
the same compiler does apparently generate the correct, in-range,
numeric constant. This adds appropriate, safe, casts to make the
warnings go away.
Version 1.7.0beta41 [November 7, 2014]
Added #ifdef PNG_16BIT_SUPPORTED/#endif around png_log16bit() and
png_do_swap().
Changed all "#endif /* PNG_FEATURE_SUPPORTED */" to "#endif /* FEATURE */"
Version 1.7.0beta42 [November 20, 2014]
The macros passed in the command line to Borland make were ignored if
similarly-named macros were already defined in makefiles. This behavior
is different from POSIX make and other make programs. Surround the
macro definitions with ifndef guards (Cosmin).
Added "-D_CRT_SECURE_NO_WARNINGS" to CFLAGS in scripts/makefile.vcwin32.
Removed the obsolete $ARCH variable from scripts/makefile.darwin.
Merged clang no-warning fix from libpng-1.6.13: png_digit was defined
but never used in pngerror.c.
Version 1.7.0beta43 [December 18, 2014]
Added ".align 2" to arm/filter_neon.S to support old GAS assemblers that
don't do alignment correctly.
Revised Makefile.am and scripts/*.dfn to work with MinGW/MSYS;
renamed scripts/*.dfn to scripts/*.c (Bob Friesenhahn and John Bowler).
Quiet a "comparison always true" warning in pngstest.c (John Bowler).
Version 1.7.0beta44 [December 23, 2014]
Restored a test on width that was removed from png.c at libpng-1.6.9
(Bug report by Alex Eubanks, CVE-2015-0973).
Fixed an overflow in png_combine_row() with very wide interlaced images
(Bug report and fix by John Bowler, CVE-2014-9495).
Corrected the width limit calculation in png_check_IHDR().
Removed extraneous handling of PNG_SAFE_LIMITS_SUPPORTED from pngconf.h
Version 1.7.0beta45 [December 28, 2014]
Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
and 1-million-row default limits in pnglibconf.dfa, that can be reset
by the user at build time or run time. This provides a more robust
defense against DOS and as-yet undiscovered overflows.
Removed user limits from pngfix. Also pass NULL pointers to
png_read_row to skip the unnecessary row de-interlace stuff.
Added testing of png_set_packing() to pngvalid.c
Version 1.7.0beta46 [January 2, 2015]
Regenerated configure scripts in the tar distributions with libtool-2.4.4
Implement previously untested cases of libpng transforms in pngvalid.c
Fixed byte order in 2-byte filler, in png_do_read_filler().
Allow user to call png_get_IHDR() with NULL arguments (Reuben Hawkins).
Version 1.7.0beta47 [January 29, 2015]
Made the check for out-of-range values in png_set_tRNS() detect
values that are exactly 2^bit_depth, and work on 16-bit platforms.
Added PNG_SKIP_sRGB_CHECK_PROFILE choice for png_set_option().
Report all IHDR errors before exiting png_check_IHDR().
Merged some parts of libpng-1.6.17beta01 and libpng-1.7.0beta47.
Added #ifndef __COVERITY__ where needed in png.c, pngrutil.c and
pngset.c to avoid warnings about dead code.
Version 1.7.0beta48 [February 7, 2015]
Work around one more Coverity-scan dead-code warning.
Do not build png_product2() when it is unused.
Version 1.7.0beta49 [February 11, 2015]
Combined sub_row, up_row, avg_row, and paeth_row buffers into a
single try_row buffer.
Added PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED macro, on by default.
Consolidated redundant code in pngwutil.c
Deal with integer overflow of sum in pngwutil.c
Version 1.7.0beta50 [February 15, 2015]
Combined sub_row, up_row, avg_row, and paeth_row buffers into a
single try_row buffer and in cases where two or more of those are
being tested, a second tst_row buffer. This improves CPU speed
over that achieved by libpng-1.7.0beta49.
Version 1.7.0beta51 [February 17, 2015]
Combined similar parts of png_write_find_filter() into a png_increase_lmins()
function.
Display user limits in the output from pngtest.
Replaced test for harmless integer overflow (wraparound) in pngwutil.c
with a method that prevents overflow and does not increase cpu usage
significantly.
Version 1.7.0beta52 [February 21, 2015]
Added information about setjmp/simplified API interaction in the
manual page and INSTALL file. Added information about using
row_pointers with a single height*width*bpp allocated block
Rebuilt configure scripts with automake-1.15 and libtool-2.4.6
Version 1.7.0beta53 [February 23, 2015]
Restored compiling of png_reciprocal2 with PNG_NO_16BIT.
Version 1.7.0beta54 [March 4, 2015]
Moved png_set_filter() prototype into a PNG_WRITE_SUPPORTED block
of png.h.
Conditionally compile a small amount of code in pngwutil.c
Avoid runtime checks when converting integer to png_byte with
Visual Studio (Sergey Kosarevsky)
Merged pngwrite.c with libpng-1.6.17beta06/pngwrite.c
Version 1.7.0beta55 [March 9, 2015]
Removed some comments that the configure script did not handle
properly from scripts/pnglibconf.dfa and pnglibconf.h.prebuilt.
Spelling fixes ("then", "occured") reported by Lauri Nurmi.
Added more error reporting in png_default_read_data().
Merged png_free_data() with libpng-1.6.17rc02.
Version 1.7.0beta56 [March 11, 2015]
Updated CMakeLists.txt to add OSX framework, change YES/NO to ON/OFF
for consistency, and remove some useless tests (Alexey Petruchik).
Version 1.7.0beta57 [March 16, 2015]
Remove pnglibconf.h, pnglibconf.c, and pnglibconf.out instead of
pnglibconf.* in "make clean" (Cosmin).
Fix bug in calculation of maxbits, in png_write_sBIT, introduced
in libpng-1.6.17beta01 (John Bowler).
Revert change to png_default_read_data() made in libpng-1.7.0beta55.
Version 1.7.0beta58 [March 25, 2015]
Implemented affirm() support and usage.
Remove pnglibconf.dfn and pnglibconf.pre with "make clean".
Added byte, short and other overflow checking
Added 'affirm' based overflow checking for debug builds for char
and short assignments. Simply ignore the error in release builds
(a truncated value will be used without warning). Controlled by
PNG_RANGE_CHECK_SUPPORTED.
Improved some overflow handling. PNG_RELEASE_BUILD replaces tests
where the code depended on the build base type and can be defined on
the command line, allowing testing in beta builds. Overflows previously
handled by png_warning in png.c have been changed to use new
macros/affirm functions so that beta builds will abort on overflow and
release builds will quietly ignore it. This avoids release builds
producing warnings that are of no use to end users.
Check (png_uint_16) casts for overflow. Also removed png_muldiv_warn,
added RELEASE/!RELEASE convenience macros. png_muldiv_warn was used in
only one place, and the overflow condition is a genuine warning not
an internal error. Four macros allow code or function parameters to be
conditional on RELEASE (or not) builds and tidy up the #ifdef handling of
functions.
Version 1.7.0beta59 [April 19, 2015]
Transformed rewrite: changed row_info, added checks. This introduces an
internal struct (png_transform_control) to replace row_info and uses
that to implement affirms correctly. The change also adds checks on
the rowbytes calculation and additional checks on most transform
implementations.
Added png_uint_16 range checking, pngvalid tRNS, fixed png_uint_16:
review of previous checks, removal of some where SAFE.
pngvalid: add testing of tRNS for better code coverage.
pngvalid: correct rgb-to-gray error calculations.
Code coverage is still incomplete: see /*UNTESTED*/
in pngrtran.c. This fixes some arithmetic errors that caused some tests
to fail on some 32-bit platforms (Bug reports by Peter Breitenlohner [i686]
and Petr Gajdos [i586]).
Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler
(Bug report by Viktor Szaka'ts).
Version 1.7.0beta60 [May 6, 2015]
Replaced "unexpected" with an integer (0xabadca11) in pngset.c
where a long was expected, to avoid a compiler warning when PNG_DEBUG > 1.
Version 1.7.0beta61 [May 31, 2015]
Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c
Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug
report from Christopher Ferris).
Changed png_voidcast(), etc., to voidcast(), etc., in contrib/tools/pngfix.c
to avoid confusion with the libpng private macros.
Fixed old cut&paste bug in the weighted filter selection code in
pngwutil.c, introduced in libpng-0.95, March 1997.
Version 1.7.0beta62 [June 1, 2015]
Removed the experimental WRITE_WEIGHTED_FILTERED code, to save a few
kbytes of the compiled library size. It never worked properly and as
far as we can tell, no one uses it. The png_set_filter_heuristics() and
png_set_filter_heuristics_fixed() APIs are retained but deprecated.
Version 1.7.0beta63 [June 6, 2015]
Quieted some Coverity issues in pngfix.c, png-fix-itxt.c, pngvalid.c,
pngstest.c, and pngimage.c. Most seem harmless, but png-fix-itxt
would only work with iTXt chunks with length 255 or less.
Fixed cexcept.h in which GCC 5 reported that one of the auto
variables in the Try macro needs to be volatile to prevent value
being lost over the setjmp, and fixed g++ build breaks (John Bowler).
Moved READ_GAMMA to pngrtran.c. This makes everything in pngrtran.c
depend on READ_TRANSFORMS and moves all the transform gamma (READ_GAMMA)
code from elsewhere to pngrtran.c. There are no code changes.
There is one remaining use of the gamma (16-bit) code in the simplified
API in pngread.c but that is because of a long-standing libpng bug,
namely that the gamma corrected palette is not produced by
png_read_update_info (John Bowler).
Completed AArch64 support. The previous change to recognize __ARM_NEON
didn't touch all the required preprocessor lines. This change removes
support for __ARM_NEON__ completely and makes this consistent.
Added #ifdef's to contrib/examples programs so people don't try
to compile them without the minimum required support enabled
(suggested by Flavio Medeiros).
Version 1.7.0beta64 [July 26, 2015]
Removed non-working progressive reader 'skip' function. This
function has apparently never been used. It was implemented
to support back-door modification of png_struct in libpng-1.4.x
but (because it does nothing and cannot do anything) was apparently
never tested (John Bowler).
Eliminated the final two Coverity defects (insecure temporary file
handling in contrib/libtests/pngstest.c; possible overflow of
unsigned char in contrib/tools/png-fix-itxt.c). To use the "secure"
file handling, define PNG_USE_MKSTEMP, otherwise "tmpfile()" will
be used.
Removed some unused WEIGHTED_FILTER macros from png.h and pngstruct.h
Rearranged png.h to put the major sections in the same order as
in libpng16.
Belatedly added Mans Rullgard and James Yu to the list of Contributing
Authors.
Version 1.7.0beta65 [September 16, 2015]
Use nanosleep() instead of usleep() in contrib/gregbook/rpng2-x.c
because usleep() is deprecated (port from libpng16).
Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
Moved config.h.in~ from the "libpng_autotools_files" list to the
"libpng_autotools_extra" list in autogen.sh because it was causing a
false positive for missing files (bug report by Robert C. Seacord).
Fixed some bad links in the man page.
Renamed the arm subdirectory to contrib/neon.
Made minor fixes to the test scripts:
pngimage: add --list-combos
pngunknown: add --strict to catch warnings
pngvalid-standard: remove the spurious --progressive read (compare with
pngvalid-progressive-standard!) (John Bowler).
Implemented a new chunk parse implementation that can be shared. It
is currently shared by the progressive reader and the sequential one
(but not yet by the writer) (John Bowler).
Implemented shared transform handling that is used throughout (John Bowler).
Version 1.7.0beta66 [October 2, 2015]
Enabled the low-bit-depth gray tests that were disabled in prior versions
of libpng because of problems that should have been fixed by the recent
changes to libpng17. Enabling the tests revealed bugs in those changes
which are now corrected.
Replaced the memcpy of png_transform_background with a structure copy
which is safer since it doesn't depend on knowing the first member to
be copied, also the copies are improved to copy the transform args too;
not required at present but it may prevent a bug being introduced in
the future.
Fixed some new Coverity defects that were introduced in 1.7.0beta65.
Fixed makepng.c so that it compiles with GCC 5.1.0.
Added contrib/testpngs/: a directory for additional test png files
generated by makepng.
Fixed dead code reported by Coverity (John Bowler).
Limit the calls to crc32 to ZLIB_IO_MAX, although it is not clear that
this is optimal (John Bowler).
Make pngstest error limits version specific. Splitting the machine
generated error structs out to a file allows the values to be updated
without changing pngstest.c itself. Since libpng 1.6 and 1.7 have
slightly different error limits this simplifies maintenance. The
makepngs.sh script has also been updated to more accurately reflect
current problems in libpng 1.7 (John Bowler).
Fixed gamma-handling issues. One serious bug is that 8 was forced
as a bit depth when caching a palette, even though the palette had been
expanded. One less serious bug, the optimization for avoiding gamma
correction introduced significant errors if the app subsequently
did further corrections, only shown by using files with gAMA 1/1.52 in
pngstest (John Bowler).
Suppressed bogus Coverity issues in pngrutil.c and pngwutil.c.
Corrected sRGB gamma handling in the Simplified API (John Bowler).
If a gamma encoded file that has a gamma not matching that of sRGB is
passed to the simplified API the previous code simply interpreted it as
a power law encoding. However old Mac files had a power law correction
of 1.45 built in to the encoding, even though the display devices were
consistent with sRGB. Assuming a power law encoding results in
substantial differences in the interpretation of low 8-bit values,
below 10. For example an Apple '5' which is equivalent to an sRGB '17'
ends up as the value '8'. This patch provides some measure of correction
for this by making the gamma correction done within the simplified API
assume that any encoded data is encoded relative to an sRGB-like transfer
function; the data is corrected back to the PNG-nominal 2.2 value then
decoded to linear (if required) using the sRGB transfer function.
This reduces the errors reported by pngstest for such files (colormapped
ones) but still leaves the issue with files where the standard libpng
code does the gamma decoding. To cope with the latter cases there is a
new pngstest-errors which allows the result; however, this is still a
work-in-progress; a better solution is possible.
Added a '--small' option to 'makepng' to allow the generation of smaller
images that also give better test case coverage. Also added copyright
and licence to the generated images, reflecting the fact that they are
original works of the author of the code. The licence used is the
Creative Commons Public Domain (CC0-1.0) one, which is appropriate
for non-source-code works. The resultant images were used to generate
the recently-updated pngstest-errors.h file (John Bowler).
Added test files generated by "contrib/testpngs/makepngs.sh --small"
with MAKEPNG set to the makepng compiled from the current
contrib/libtests/makepngs.sh, to the "contrib/testpngs" directory.
Made png_rgb_to_gray() optimization fixes. This fixes the code
that optimizes RGB to Gray transformations that only selected one
channel and clarifies the handling of max_depth in the transform
code (John Bowler).
Incorporated new test PNG files into make check. tests/pngstest-*
are changed so that the new test files are divided into 8 groups by
gamma and alpha channel. These tests have considerably better code
and pixel-value coverage than contrib/pngsuite; however, coverage is
still incomplete (John Bowler).
Fixed png_set_tRNS_to_alpha for low-bit-depth gray and enabled
low-bit-depth gray tests in pngvalid (John Bowler).
Fixed sBIT handling in the low-bit-depth gray and pngstest cases,
extended sBIT handling to the colormap code in the simplified API
which is separately implemented in pngread.c (John Bowler).
Version 1.7.0beta67 [November 3, 2015]
Fixed 'pow' macros in pngvalid.c. It is legal for 'pow' to be a
macro, therefore the argument list cannot contain preprocessing
directives. Make sure pow is a function where this happens. This is
a minimal safe fix, the issue only arises in non-performance-critical
code (bug report by Curtis Leach, fix by John Bowler).
Added sPLT chunk support to pngtest.c
Prevent setting or writing over-length PLTE chunk (bug report by
Cosmin Truta) (CVE-2015-8126).
Silently truncate over-length PLTE chunk while reading.
Fixed some inconsequential cut-and-paste typos in png_set_cHRM_XYZ_fixed().
Clarified COPYRIGHT information to state explicitly that versions
are derived from previous versions.
Removed much of the long list of previous versions from png.h and
libpng.3.
Version 1.7.0beta68 [November 12, 2015]
Fixed new bug with CRC error after reading an over-length palette
(bug report by Cosmin Truta).
Cleaned up coding style in png_handle_PLTE().
Version 1.7.0beta69 [November 24, 2015]
Avoid potential pointer overflow/underflow in png_handle_sPLT() and
png_handle_pCAL() (Bug report by John Regehr).
Avoid conditionally compiling parts of statements in png.c (suggested
by flaviommedeiros).
Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
vulnerability.
Added pngvalid --transform --interlace test. This increases code
coverage by generating test cases with smaller length rows as a
result of the interlacing. Without this packswap handling was
incompletely tested.
Fixed NO_WRITE_INTERLACE in pngvalid.c. The support for writing
interlaced images directly from libpng 1.7 was unintentionally
disabled (INTERLACE_LAST was defined incorrectly, excluding the
interlaced images). This obscured the fact that the transform and
error test case generators lacked the support for writing interlaced
images from libpng.
Transform rewrite: perform transforms in small chunks. The intent
of this change is to reduce the memory footprint during transform
sequences by performing transforms in fixed (small) sized blocks of
pixels. The change is incomplete; the filter code still works
row-by-row, so the whole transform also works row-by-row. The intent
is to fix this so that everything works in small(ish) chunks.
At present the change has no discernible effect on pngvalid --speed
or pngstest with (e.g.) rgb-8-1.8.png; user time and (minor) page
faults are the same in old and new versions. The same applies to
real-world 15MP PNG images; even on these the presence of the filter
code causes a cyclical progress through memory which will interfere
with any caching otherwise possible (useful word, 'otherwise'.)
Read row buffer changes. The read code now allocates one row buffer
of the size of the input PNG row and, only if required, one buffer of
the size of the output. The output buffer is required for the
progressive reader (always) and for the sequential reader if libpng
is de-interlacing an image (because the output row is used multiple
times if png_read_row is called with a display row parameter.) This
should reduce memory utilization by libpng significantly, but it has no
detectable effect on overall performance figures of the test programs;
these are probably dominated by memory allocations for the whole image
within the test programs.
Now that the code works consistently so that these just switch off
the support for having libpng do the interlace/deinterlace, the old
names make more sense. Restoring them avoids cruft in the configuration
file and avoids an unnecessary version specific change.
The reliance of png_read_png on interlace handling and some minor
issues in the test programs where they failed to correctly check for
interlace handling were exposed by the ability to write interlaced
images even if WRITE_INTERLACING is turned off. This is fixed here.
Changed the detection of invalid application behavior (too many
calls to png_read_row) from an affirm to a png_app_error.
Fixed the PNG_MAX_GAMMA_8 handling and png_set_rgb_to_gray, which
had bugs which were likely to expose end cases of rgb-to-gray conversion
errors. This might possibly explain some of the machine math dependencies
we are seeing.
Temporarily disabled filter selection while writing, and temporarily
replaced pngtest.png accordingly.
Version 1.7.0beta70 [December 3, 2015]
Fixed a simple bracket problem that prevented reading non-interlaced
PNG files with height == 1.
The code failed to zero out the row buffer at the start of a pass where
the AVG filter is used because 'row_number' is not always zero (on
interlaced images) and, apparently, the assertion that the buffer had
been zeroed when allocated was not always correct for non-interlaced
images. Revealed by pngvalid --size with a hack to make it always
use AVG.
Fixed an error in handling of bad zlib CMINFO field in pngfix, found by
American Fuzzy Lop, reported by Brian Carpenter. inflate() doesn't
immediately fault a bad CMINFO field; instead a 'too far back' error
happens later (at least some times). pngfix failed to limit CMINFO to
the allowed values but then assumed that window_bits was in range,
triggering an assert. The bug is mostly harmless; the PNG file cannot
be fixed.
Test the 'size' images in the sequential reader. The existing test
case only uses the progressive reader which means that important parts of
the filter code never got tested.
Improved pngvalid coverage of filter combinations, remove the (new in 1.7)
code which disabled previous-row filters on the first row of an image in
some cases.
Removed all trailing spaces from source files in contrib
Moved code round and changed the filter write interfaces that took
png_uint_32 buffer pixel counts to unsigned int. Also moved compression
code and definitions into pngwutil.c so that the compression code is
isolated from other definitions.
Unified the compression code so that inflate calls are localized to a common
routine. Ground work for filter selection support. Minor API changes to
use void* not byte* for data parameters. Unification of some of the
compression code with the decompression code; IDAT_size replaces
IDAT_read_size and zbuffer_size, IDAT reading and writing is no longer
controlled by the size of the compression buffer.
Separated png_compress_IDAT into write/compress, removed some
trailing spaces and cleaned up pnglibconf.
Removed the side-effect on the png_struct palette of calling png_set_PLTE()
or png_set_tRNS(). This is a quiet API change; it was previously possible
to alter the palette on a PNG image by using png_set_PLTE, but this was
unintended and inconsistent with the other png_set APIs. This fixes
CVE-2015-8472.
Fixed a bug in palette index checking; png_struct::num_palette could, in
principle, get changed by the transformations (e.g. png_set_quantize)
and this would invalidate the check. The palette checking init function
now makes a copy of png_struct::num_palette.
Fixed a bug in pngvalid error handling. A png_error in png_write_info is
not continuable (a valid image cannot necessarily be written afterward)
because the png_error aborts the write of subsequent pre-IDAT chunks.
In particular an abort as a result of a bogus colorspace information
(gAMA, cHRM, sBIT etc) prevents the write of the PLTE chunk.
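The 1.7.0beta70 entry above about the bad zlib CMINFO field in pngfix comes down to validating the two-byte zlib stream header before window_bits is derived from it. The following C code is an added example, not code from pngfix or libpng; the zhdr_* names are hypothetical, the field layout follows RFC 1950 (which names the field CINFO), and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes; the names are hypothetical and exist only in this example. */
enum zhdr_status {
    ZHDR_OK = 0,
    ZHDR_TOO_SHORT,    /* fewer than two header bytes available */
    ZHDR_BAD_METHOD,   /* CM is not 8 (deflate) */
    ZHDR_BAD_CINFO,    /* CINFO > 7, i.e. window larger than 32 KiB */
    ZHDR_BAD_FCHECK,   /* (CMF * 256 + FLG) is not a multiple of 31 */
    ZHDR_PRESET_DICT   /* FDICT set; PNG streams must not use one */
};

struct zhdr {
    unsigned int method;      /* CM: low four bits of CMF */
    unsigned int cinfo;       /* CINFO: high four bits of CMF */
    unsigned int window_bits; /* cinfo + 8; set only when the result is ZHDR_OK */
    unsigned int level_hint;  /* FLEVEL: top two bits of FLG */
};

/* Parse and validate a zlib stream header (RFC 1950). The range check on
 * CINFO happens before window_bits is computed, so later code never sees a
 * window_bits value outside 8..15.
 */
static enum zhdr_status
zhdr_parse(const uint8_t *data, size_t len, struct zhdr *out)
{
    unsigned int cmf, flg;

    if (data == NULL || out == NULL || len < 2)
        return ZHDR_TOO_SHORT;

    cmf = data[0];
    flg = data[1];

    out->method = cmf & 0x0fU;
    out->cinfo = cmf >> 4;
    out->window_bits = 0;
    out->level_hint = flg >> 6;

    if (out->method != 8)
        return ZHDR_BAD_METHOD;

    /* The header checksum does not protect this field: a header can pass
     * FCHECK and still carry an out-of-range CINFO, so test it explicitly.
     */
    if (out->cinfo > 7)
        return ZHDR_BAD_CINFO;

    if (((cmf << 8) | flg) % 31U != 0)
        return ZHDR_BAD_FCHECK;

    if ((flg & 0x20U) != 0)
        return ZHDR_PRESET_DICT;

    out->window_bits = out->cinfo + 8;
    return ZHDR_OK;
}

int main(void)
{
    /* Constructed two-byte headers, not taken from any real file. */
    static const uint8_t samples[][2] = {
        { 0x78, 0x9c }, /* CM=8, CINFO=7: the common 32 KiB window */
        { 0x08, 0x1d }, /* CM=8, CINFO=0: 256-byte window */
        { 0x88, 0x1c }, /* CM=8, CINFO=8: FCHECK is valid, CINFO is not */
        { 0x78, 0x9d }, /* FCHECK mismatch */
        { 0x78, 0xbb }  /* FDICT set */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct zhdr h;
        enum zhdr_status s = zhdr_parse(samples[i], 2, &h);

        printf("%02x %02x -> status %d, window_bits %u\n",
               (unsigned int)samples[i][0], (unsigned int)samples[i][1],
               (int)s, h.window_bits);
    }
    return 0;
}
```

The third sample is the case the entry describes: its checksum is consistent, so only the explicit range check stops an out-of-range window size from reaching later code.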
Version 1.7.0beta71 [omitted]
Version 1.7.0beta72 [December 7, 2015]
Implemented new filter selection heuristic.
Attempted to make the selection options more intuitive.
Fixed a build break in no-write-filters cases.
Re-applied some recent patches to libpng-1.7.0beta70 that were
accidentally lost while publishing the beta70 tar distribution.
Fixed g++ builds, where enums (int), G++ objects (int) and (unsigned)
were being used together in ?:
Fixed stack smashing problem in write png_copy_row that was introduced
in libpng-1.7.0beta70. This also resulted in PNG data with random
row bytes.
Version 1.7.0beta73 [December 11, 2015]
Fixed syntax "$(command)" in tests/pngstest that some shells other than
bash could not parse (Bug report by Nelson Beebe). Use `command` instead.
Combined some redundant checks on info_ptr==NULL in png_handle_PLTE()
Changed png_struct->options from png_byte to png_uint_32, to hold
up to 16 2-bit options.
Version 1.7.0beta74 [December 19, 2015]
Fixed copyright years in source files.
Removed LE/BE dependencies in pngvalid, to 'fix' the current problem
in the BigEndian tests by not testing it, making the BE code the same
as the LE version.
Fixes to pngvalid for various reduced build configurations (eliminate unused
statics) and a fix for the case in rgb_to_gray when the digitize option
reduces graylo to 0, producing a large error.
Widened the 'limit' check on the internally calculated error limits in
the 'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error
checks) and changed the check to only operate in non-release builds
(base build type not RC or RELEASE.)
Fixed undefined behavior in pngvalid.c, undefined because
(png_byte) << shift is undefined if it changes the signed bit
(because png_byte is promoted to int). The libpng exported functions
png_get_uint_32 and png_get_uint_16 handle this. (Bug reported by
David Drysdale as a result of reports from UBSAN in clang 3.8).
This changes pngvalid to use BE random numbers; this used to produce
errors but these should not be fixed as a result of the previous changes.
Implemented a prototype of filter selection. This rewrites the code
used previously in the heuristics to make it easier to debug and
introduces the 'methodical' method, which is intended to be an
expensive but reliable way of reducing image size. The code in this
commit does not work; the 'methodical' test for success does not take
account of data buffered inside zlib and, anyway, it changes the
results of pngtest so that the test fails. This is just a checkpoint
of the current state.
Disabled 'methodical' filter selection code. It is incomplete; it works
but does not do anything useful except, maybe, on really enormous images.
Added .travis.yml configuration file to control Travis continuous
integration testing (David Drysdale).
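The 1.7.0beta74 entry above on (png_byte) << shift, as an added C example that is not code from pngvalid or libpng: an 8-bit value is promoted to int before the shift, so the cast to an unsigned 32-bit type has to happen first. The function names be_load and load_u31 are hypothetical, the byte strings are constructed, and the 2^31-1 ceiling is the limit the PNG specification places on four-byte unsigned fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The pattern the entry describes, shown only as a comment because
 * executing it is undefined behaviour when b[0] >= 0x80: b[0] is promoted
 * to (signed) int, and shifting a set bit into the sign position of a
 * 32-bit int is not defined by the C standard.
 *
 *     value = (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3];
 */

/* Load up to four big-endian bytes. Each byte is converted to uint32_t
 * before it is shifted, so the shift is done in unsigned arithmetic and is
 * well defined for every input byte and every shift below 32.
 */
static uint32_t
be_load(const uint8_t *b, size_t nbytes)
{
    uint32_t value = 0;
    size_t i;

    if (nbytes > 4)
        nbytes = 4;

    for (i = 0; i < nbytes; i++) {
        unsigned int shift = 8U * (unsigned int)(nbytes - 1 - i);

        value |= (uint32_t)b[i] << shift;
    }
    return value;
}

/* Load a four-byte field and apply the PNG range rule: values above
 * 2^31-1 are rejected. Returns 0 and stores the value on success, -1 if
 * the top bit is set or an argument is NULL.
 */
static int
load_u31(const uint8_t *b, uint32_t *out)
{
    uint32_t value;

    if (b == NULL || out == NULL)
        return -1;

    value = be_load(b, 4);
    if (value > 0x7fffffffUL)
        return -1;

    *out = value;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one with the top bit set, one ordinary width. */
    static const uint8_t top_bit[4] = { 0x80, 0x00, 0x00, 0x01 };
    static const uint8_t width[4] = { 0x00, 0x0f, 0x42, 0x40 };
    uint32_t v = 0;

    printf("top_bit as u32: 0x%08lx\n", (unsigned long)be_load(top_bit, 4));
    printf("top_bit as u31: %s\n", load_u31(top_bit, &v) == 0 ? "ok" : "rejected");
    if (load_u31(width, &v) == 0)
        printf("width: %lu\n", (unsigned long)v);
    return 0;
}
```

Building with -fsanitize=undefined, the UBSAN check the entry credits, reports the commented-out form at run time for inputs such as the first sample.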
Version 1.7.0beta75 [December 21, 2015]
Fixed duplicate tIME chunk from png_write_png.
Added an example program, pngcp.c, that illustrates the problem when
used to copy pngtest.png (the result is an invalid PNG because the
tIME chunk is duplicated.)
Re-enabled 'methodical' filter selection code.
Added an accurate 'methodical' measure.
Fixed incorrect references to 'pngimage' in pngcp.
Fixed incorrect debug macro in release builds.
Reversed the order of tests in png_zlib_compress_validate().
Undefined behaviour sanitizer currently fires for this test
with an error about member access within null pointer to
struct; put the check that relies on pz->list being non-NULL
second (David Drysdale).
Version 1.7.0beta76 [January 7, 2016]
Corrected the options handling. Setting the new, higher, option
bits triggered the byte check (which is no longer necessary).
Added NULL pz->list test to png_zlib_compress_validate(). This seems
safer; in fact, a NULL dereference never happens because the test
ends up just doing arithmetic on NULL but it seems possible that the
undefined arithmetic can still happen if there is a bug elsewhere.
Added code to pngcp.c to iterate through the command line options when
non-list options have the 'all' parameter. This is used to rapidly
test the effect of different zlib options.
Revised the handling of tIME and text chunks on read to record the
location of the chunks relative to PLTE and IDAT. Behavior on write
is unchanged except that if the position was recorded on read it will
be re-used. This involves an ABI change to the png_text_struct; a
one byte location field is added (with the same meaning as the one
used to record unknown chunk location.) Because this field is only
used on read there is no API change unless a png_info from a libpng
read is passed to a subsequent libpng write (this did not work very
well before 1.7; the tIME chunk could get duplicated.) The new field
is ignored by png_set_text(), resetting it to the current position
in the read or write stream. On write the position is set to the
next location to be written unless the write has not started (the
position is before the signature) in which case the location is set
to PNG_HAVE_PLTE|PNG_AFTER_IDAT. When the chunk is written the
position is set to the actual write location (effectively the position
is frozen.)
Relocated assert() in contrib/tools/pngfix.c, bug found by American
Fuzzy Lop, reported by Brian Carpenter.
Marked 'limit' UNUSED in transform_range_check(). This only affects
release builds.
Fixed new Coverity defect, potential NULL dereference of "ps" in pngwutil.c
Added temporary workaround for Coverity "Dead code" defect.
Version 1.7.0beta77 [January 16, 2016]
Fixed new Coverity defect, another NULL dereference of "ps" in pngwutil.c
Prevent the CMINFO optimization code from running twice on any PNG IDAT
stream longer than 2048 bytes; the second time could overwrite bytes
2048,2049, invalidating the output.
Fixed a (debug) check that was slightly wrong (< when <= should have been
used) and this caused write to abort maybe 1 out of 2048 times.
Improved the contrib/examples/pngcp search mode. This is still a
work-in-progress, but it seems fairly stable (if not exactly 100%
optimal). pngcp now allows 'all' for some options which iterates
through all possible settings (this reliably produces the smallest
IDAT that libpng can produce with those settings.) It also contains
a "--search" command line option that attempts to optimize this by
skipping pointless tests; it is close, most of the time, but not perfect.
Fixed write problem with reduced size IDAT chunks.
png_set_compression_buffer_size would result in a spurious debug assert
if the compression buffer size was set to something other than a multiple
of PNG_ROW_BUFFER_SIZE; the debug test failed to add the buffer 'start'.
The sequential read code failed to read to the end of the IDAT stream in
about 1 of 820 cases, resulting in a spurious warning. The
png_set_compression_buffer_size API also would not work (or do bad things)
if the size of a zlib uInt was less than 32 bits.
Added pngcp IDAT size test and changed the order of the 'level'
and 'windowBits' searches to search windowBits first; this favors
windowBits optimizations over compression level ones on the basis
that the latter should only affect the write code. This includes a
quiet API change to alter png_set_compression_buffer_size to use
a png_alloc_size_t, not png_size_t and implement the correct checks.
Fixed recently introduced palette sharing bug. The internal read
code change to stop sharing the palette was incompletely implemented.
The result is that unless palette index checking is turned off and
there are no read transformations the png_info palette gets deleted
when the png_struct is deleted. This is normally harmless (png_info
gets deleted first) but in the case of pngcp it results in
use-after-free of the palette and, therefore, palette corruption and
maybe on some operating systems an access violation.
Updated the pngcp 'search' mode to check a restricted range of memLevels;
there is an unrelated bug which means that lower zlib memLevels result
in memory corruption under some circumstances, probably less often
than 1:1000.
Attempted to work around a false-positive Coverity issue in pngvalid.c.
Version 1.7.0beta78 [January 23, 2016]
Changed PNG_USE_MKSTEMP to __COVERITY__ to select alternate
"tmpfile()" implementation in contrib/libtests/pngstest.c
Fixed NO_STDIO build of pngunknown.c to skip calling png_init_io()
if there is no stdio.h support.
Added a png_image_write_to_memory() API and a number of assist macros
to allow an application that uses the simplified API write to bypass
stdio and write directly to memory.
Added some warnings (png.h) and some check code to detect *possible*
overflow in the ROW_STRIDE and simplified image SIZE macros. This
disallows image width/height/format that *might* overflow. This is
a quiet API change that limits in-memory image size (uncompressed) to
less than 4GByte and image row size (stride) to less than 2GByte.
Revised Simplified API to use system appropriate types. This is
an API change for 1.7, albeit a quiet one; it may produce compiler
warnings but should not result in errors, unless warnings are treated
as errors. On 64-bit systems it widens the results of the various
PNG_IMAGE_ macros that return size values (component counts, byte sizes)
to 64 bits. It also changes the row_stride parameter, which is the
pointer difference between adjacent rows of the image buffer, to
the ANSI-C90 defined type ptrdiff_t. The existing (1.6.22) checks for
overflow are preserved but now accommodate images that require more than
32 bits of address space when size_t/ptrdiff_t are 64 bit types.
Revised workaround for false-positive Coverity issue in pngvalid.c.
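The overflow limits described in the 1.7.0beta78 notes above (row stride below 2 GByte, uncompressed in-memory image below 4 GByte), shown as an added example that is not libpng code and does not use the PNG_IMAGE_ macros. The helper names, the status enum and the restriction to 1-4 channels of 1 or 2 bytes are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Limits quoted in the beta78 notes: row stride below 2 GByte and the
 * uncompressed in-memory image below 4 GByte. */
#define STRIDE_LIMIT ((uint64_t)1 << 31)
#define IMAGE_LIMIT  ((uint64_t)1 << 32)

enum size_status { SIZE_OK, SIZE_BAD_ARG, SIZE_STRIDE_TOO_BIG, SIZE_IMAGE_TOO_BIG };

/* Unchecked form: every step is done in 32 bits and silently wraps, so a
 * huge image can yield a tiny allocation size. */
static uint32_t naive_image_size32(uint32_t width, uint32_t height, uint32_t px)
{
   return width * px * height;
}

/* Hypothetical helper (not a libpng API): widen first, then reject before
 * any value that could wrap is produced. */
static enum size_status checked_image_size(uint32_t width, uint32_t height,
   unsigned channels, unsigned component_bytes,
   uint64_t *stride_out, uint64_t *size_out)
{
   uint64_t stride, size;
   if (width == 0 || height == 0 || channels < 1 || channels > 4 ||
       (component_bytes != 1 && component_bytes != 2))
      return SIZE_BAD_ARG;

   /* pixel size <= 8 and width < 2^32, so this product is below 2^35 */
   stride = (uint64_t)width * (channels * component_bytes);
   if (stride >= STRIDE_LIMIT)
      return SIZE_STRIDE_TOO_BIG;

   /* stride < 2^31 and height < 2^32, so this product is below 2^63 */
   size = stride * height;
   if (size >= IMAGE_LIMIT)
      return SIZE_IMAGE_TOO_BIG;

   *stride_out = stride;
   *size_out = size;
   return SIZE_OK;
}

int main(void)
{
   uint64_t stride = 0, size = 0;
   printf("naive=%u checked=%d\n", (unsigned)naive_image_size32(65536, 65536, 1),
          (int)checked_image_size(65536, 65536, 1, 1, &stride, &size));
   return 0;
}
```

A 65536 x 65536 single-byte image is the boundary case: the 32-bit product wraps to 0 while the widened check rejects it as exceeding the 4 GByte limit.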
Version 1.7.0beta79 [March 9, 2016]
Only use exit(77) in configure builds.
Corrected error in PNG_IMAGE_PNG_SIZE_MAX. This new macro underreported
the palette size because it failed to take into account that the memory
palette has to be expanded to full RGB when it is written to PNG.
Updated CMakeLists.txt, added supporting scripts/gen*.cmake.in
and test.cmake.in (Roger Leigh).
Revised pngstest to (by default) make random backgrounds on a per-file,
not per-session, basis.
Refined pngcp with better (more consistent) reporting of the "--search"
results plus changes so that when compiled against libpng 1.6 the program
correctly copies text chunks; previously when a search option caused
multiple copies of the same file the copies after the first would not
have the text chunks.
Expanded search logging in pngcp to output results during the search;
sufficient for basic tests on zlib parameters.
More sophisticated default write compression options, which helps
significantly for some files along with code to make it easier to control
the compression defaults and to make the settings honor the API calls
the application makes (previously low windowBits settings would get reset
to higher values.)
Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h
(Robert C. Seacord). Various other flags in png.h made unsigned as well.
Fixed some misleading indentation (Krishnaraj Bhat).
Version 1.7.0beta80 [May 6, 2016]
Fixed typo (missing underscore) in #define PNG_READ_16_TO_8_SUPPORTED
Bug report by (Y.Ohashik).
Quieted two Coverity issues in contrib/libtests/timepng.c.
Write code update (John Bowler):
Implemented better defaulting of zlib settings based on image properties.
Replaced pngtest.png with one compressed with the new zlib settings.
Implemented pass-through of png_write_rows when the rows can be used
directly (a common case) optimizing the handling of previous-row
buffering.
Removed the METHODICAL filter selection method and disabled the HEURISTIC
one. The first was ridiculously slow (though useful for experiments),
and the second didn't work. Filter selection is temporarily disabled (it
defaults to the lowest numbered filter in the list; typically 'none').
New handling of compression settings (incomplete), new PNG compression level
(not yet visible in an API).
Back ported 'PNG_FAST_FILTERS' from 1.6 (in png.h).
There are minimal API changes beyond removal of the selection options.
Work is still to be done to investigate a filter selection mechanism that
is at least as good as the previous one.
Minor write bug-fixes, remove unimplemented code. A debug() assert
fired if windowBits was set to 8 for the Huffman only and no-compression
cases. This commit changes it to do some extra checking. Removed
unreachable code in pz_default_settings and eliminated a spurious
warning in pngcp for small files.
Version 1.7.0beta81 [June 11, 2016]
Check for CLOCK_PROCESS_CPUTIME_ID when building /contrib/libtests/timepng.
Otherwise it does not build on platforms that don't supply clock_gettime().
Add check for clock_gettime() in Makefile.am and configure.ac
Reenabled filter selection (dummy). This implements the code for
row-by-row filter selection but does not provide an actual implementation;
the selection function just chooses the lowest set filter bit.
Fixed a signed/unsigned warning (GCC 4.8.5) in pngwutil.c
Implemented base filter selection with row buffering and a crude code-count
algorithm.
Added filter selection, palette index checks. Palette index checking:
checking on read was erroneously skipped. pngcp can now turn off the
palette index checking or fix the errors (mainly to allow comparison with
libpng 1.6, which defaulted to ignoring it). The API now documents how
the 'enabled' parameter works. On read the check is on by default (it
was apparently off in libpng 1.6) however now if explicitly turned on the
warning message is stopped; this provides better interaction with
get_palette_max at the cost of a small API change (may need to be reviewed.)
Palette size errors: invalid entries in the palette are now set to #beaded to
make the errors more obvious and allow easy detection in memory.
Read transform pipeline caching: changes to fix the palette index check
(which are erroneously cached), the pipeline can now contain multiple
caches, e.g., caching of packing of palette indices can be combined with
caching of palette RGB transforms.
Read code now checks for callbacks to read 0 data (and faults them).
Fixed the reading of PNGs with multiple 0 length IDATs that failed as a
result plus the handling of zero length unknown (which occurs, validly;
the spurious warning has been removed).
Filter selection: the 1.6 and earlier sum of absolute differences algorithm
has been reintroduced with an option to disfavor some filters over others
where the sums are close (not yet exposed). The selection code also logs
the last known occurrence of each possible byte code across multiple lines.
This allows detection of PNG images with lower bit depth than the format
implies and, therefore, allows the filtering to be turned off in those
cases as well.
The default write zlib settings are still lower than libpng16. The
selection algorithm is being refined (the overall results are worse than
not doing any filtering).
Port contrib/libtests/pngvalid.c from libpng16.
PNG compression level setting API: this allows the various compression
settings controlling deflate, filtering, and so on to be set via a single
setting with six values. This is currently documented in png.h ("Write
compression settings").
Internally the compression settings have been tuned both for the overall
setting and for any specific settings made by the original APIs.
APIs to control iCCP chunk compression separately have been added.
contrib/examples/pngcp.c has been modified to accommodate the new compression
setting and to include options for separate control of iCCP chunk
compression.
The new "png_setting" ABI has been modified to accommodate a wider range of
settings and most of the old compression control ABIs have been replaced by
function-like macros with the same API which call png_setting. This is an
API check in 1.7.0 for png_setting (alone). png_setting now handles all
of png_set_option. This eliminates 19 ABIs at the cost of adding 1
(png_setting).
CRC and benign error checking has been updated internally to use bit-fields
and the CRC calculation skip when the CRC is not used has been improved
slightly to avoid the initialization of the CRC. A new png_setting based
API allows more detailed control of benign error/warning messages (this
may change, the internal error handling seems too complex.) The
ERROR_NUMBERS support has been removed with the intent of implementing
proper i18n.
The memcpy-size-0 issue in png_push_fill_buffer has been fixed, with an
appropriate debug() assert if a fill for 0 bytes occurs.
Most PNG_FLAG_ values for png_struct::flags have been eliminated (as a
result of the benign error handling changes). Only one remains.
The LOW_MEMORY PNG_COMPRESSION option should not be setting HUFFMAN_ONLY or
using a low deflate 'level'; according to the comments in zconf.h only
windowBits and memLevel affect the memory. pngwutil.c has been changed
to use the same values as HIGH compression.
The COMPAT option turned on the old optimize_cmf code (now in fix_cinfo),
however there was a serious bug in that code; it put the wrong value in
z_cmf. The setting was also not handled correctly in
pz_compression_settings.
pngtest now verifies the operation of COMPAT and, as a result, pngtest.png
has been reverted to the libpng 1.6 (etc) version.
IDAT size handling has been improved; if not explicitly set values
appropriate to png_level are now chosen (in addition to the handling for
the COMPAT setting). HIGH and HIGH_READ_SPEED now create unlimited
(up to the PNG chunk-size limit of 2^31-1 bytes) size IDAT chunks,
which requires buffering the whole of the IDAT data in memory but
reflects what other programs and optimizers do.
Changed handling of PNG_IMAGE_FLAG_FAST in the simplified API to use
PNG_COMPRESSION_HIGH_SPEED, and PNG_COMPRESSION_HIGH otherwise.
Removed png_struct::flags which is no longer used.
Fixed implementations of png_app_error() and png_app_warning() which
previously were swapped.
Avoid potential overflow of the PNG_IMAGE_SIZE macro. This macro
is not used within libpng, but is used in some of the examples.
Version 1.7.0beta82 [July 4, 2016]
Put the SKIP definition in the correct place. It needs to come after the
png.h include (see all the other .c files in contrib/libtests) because it
depends on PNG_LIBPNG_VER.
Moved pngcp to contrib/tools and added pngcp to the build together
with a pngcp.dfa configuration test (John Bowler)
Added a "Common linking failures" section to the INSTALL document.
Relocated misplaced #endif in png.c sRGB profile checking.
Fixed two Coverity issues in pngcp.c.
Version 1.7.0beta83 [July 23, 2016]
Fixed some indentation to comply with our coding style.
Removed/rearranged certain png_struct fields that are only used
in reading.
Fixed debug test of output gamma.
Version 1.7.0beta84 [September 26, 2016]
Minor editing of INSTALL, (whitespace, added copyright line)
Don't install pngcp; it conflicts with pngcp in the pngtools package.
Fixed handling zero length IDAT in pngfix (bug report by Agostino Sarubbo,
bugfix by John Bowler).
Conditionally compile png_set_benign_errors() in pngread.c and pngtest.c
Changed PNG_ZLIB_VERNUM to ZLIB_VERNUM in pngrutil.c.
If CRC handling of critical chunks has been set to PNG_CRC_QUIET_USE,
ignore the ADLER32 checksum in the IDAT chunk as well as the chunk CRCs.
Issue png_benign_error() on ADLER32 checksum mismatch instead of png_error().
Add tests/badcrc.png and tests/badadler.png to tests/pngtest.
Version 1.7.0beta85 [December 27, 2016]
Updated the documentation about CRC and ADLER32 handling.
Quieted warnings from clang-3.8 in pngunknown.c and pngvalid.c.
Removed the use of a macro containing the pre-processor 'defined'
operator. It is unclear whether this is valid; a macro that
"generates" 'defined' is not permitted, but the use of the word
"generates" within the C90 standard seems to imply more than simple
substitution of an expression itself containing a well-formed defined
operation.
Version 1.7.0beta86 [December 29, 2016]
Ported CMakeLists.txt from libpng-1.6.27rc01.
Fixed a potential null pointer dereference in png_set_text_2() (bug report
and patch by Patrick Keshishian, CVE-2016-10087).
Version 1.7.0beta87 [April 1, 2017]
Fixed arm/aarch64 detection in CMakeLists.txt (Gianfranco Costamagna).
The contrib/examples/pngtopng.c recovery code was in the wrong "if"
branches; the comments were correct.
Added missing "$(CPPFLAGS)" to the compile line for c.pic.o in
makefile.linux and makefile.solaris-x86 (Cosmin).
Merged some recent changes from libpng-1.6.30beta01.
Version 1.7.0beta88 [August 7, 2017]
Added private png_check_chunk_name() and png_check_chunk_length()
functions.
Version 1.7.0beta89 [August 19, 2017]
Check for 0 return from png_get_rowbytes() in contrib/pngminus/*.c to stop
some Coverity issues (162705, 162706, and 162707).
Version 1.7.0beta90 [August 28, 2017]
Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing
parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
to subscribe)
or to glennrp at users.sourceforge.net
Glenn R-P