Libpng 1.6.0beta17 - March 10, 2012 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. Files available for download: Source files with LF line endings (for Unix/Linux) and with a "configure" script 1.6.0beta17.tar.xz (LZMA-compressed, recommended) 1.6.0beta17.tar.gz 1.6.0beta17.tar.bz2 Source files with CRLF line endings (for Windows), without the "configure" script lp160b17.7z (LZMA-compressed, recommended) lp160b17.zip Other information: 1.6.0beta17-README.txt 1.6.0beta17-LICENSE.txt Changes since the last public release (1.5.7): Version 1.6.0beta01 [December 15, 2011] Removed machine-generated configure files from the GIT repository (they will continue to appear in the tarball distributions). Restored the new 'simplified' API, which was started in libpng-1.5.7beta02 but later deleted from libpng-1.5.7beta05. Added example programs for the new 'simplified' API. Added ANSI-C (C90) headers and require them, and take advantage of the change. Also fixed some of the projects/* and contrib/* files that needed updates for libpng16 and the move of pngvalid.c. With this change the required ANSI-C header files are assumed to exist: the implementation must provide float.h, limits.h, stdarg.h and stddef.h and libpng relies on limits.h and stddef.h existing and behaving as defined (the other two required headers aren't used). Non-ANSI systems that don't have stddef.h or limits.h will have to provide an appropriate fake containing the relevant types and #defines. The use of FAR/far has been eliminated and the definition of png_alloc_size_t is now controlled by a flag so that 'small size_t' systems can select it if necessary. Libpng 1.6 may not currently work on such systems -- it seems likely that it will ask 'malloc' for more than 65535 bytes with any image that has a sufficiently large row size (rather than simply failing to read such images). New tools directory containing tools used to generate libpng code. Fixed race conditions in parallel make builds. With higher degrees of parallelism during 'make' the use of the same temporary file names such as 'dfn*' can result in a race where a temporary file from one arm of the build is deleted or overwritten in another arm. This changes the temporary files for suffix rules to always use $* and ensures that the non-suffix rules use unique file names. Version 1.6.0beta02 [December 21, 2011] Correct configure builds where build and source directories are separate. The include path of 'config.h' was erroneously made relative in pngvalid.c in libpng 1.5.7. Version 1.6.0beta03 [December 22, 2011] Start-up code size improvements, error handler flexibility. These changes alter how the tricky allocation of the initial png_struct and png_info structures are handled. png_info is now handled in pretty much the same way as everything else, except that the allocations handle NULL return silently. png_struct is changed in a similar way on allocation and on deallocation a 'safety' error handler is put in place (which should never be required). The error handler itself is changed to permit mismatches in the application and libpng error buffer size; however, this means a silent change to the API to return the jmp_buf if the size doesn't match the size from the libpng compilation; libpng now allocates the memory and this may fail. Overall these changes result in slight code size reductions; however, this is a reduction in code that is always executed so is particularly valuable. Overall on a 64-bit system the libpng DLL decreases in code size by 1733 bytes. pngerror.o increases in size by about 465 bytes because of the new functionality. Version 1.6.0beta04 [December 30, 2011] Regenerated configure scripts with automake-1.11.2 Eliminated png_info_destroy(). It is now used only in png.c and only calls one other internal function and memset(). Enabled png_get_sCAL_fixed() if floating point APIs are enabled. Previously it was disabled whenever internal fixed point arithmetic was selected, which meant it didn't exist even on systems where FP was available but not preferred. Added pngvalid.c compile time checks for const APIs. Implemented 'restrict' for png_info and png_struct. Because of the way libpng works both png_info and png_struct are always accessed via a single pointer. This means adding C99 'restrict' to the pointer gives the compiler some opportunity to optimize the code. This change allows that. Moved AC_MSG_CHECKING([if libraries can be versioned]) later to the proper location in configure.ac (Gilles Espinasse). Changed png_memcpy to C assignment where appropriate. Changed all those uses of png_memcpy that were doing a simple assignment to assignments (all those cases where the thing being copied is a non-array C L-value). Added some error checking to png_set_*() routines. Removed the reference to the non-exported function png_memcpy() from example.c. Fixed the Visual C 64-bit build - it requires jmp_buf to be aligned, but it had become misaligned. Revised contrib/pngminus/pnm2png.c to avoid warnings when png_uint_32 and unsigned long are of different sizes. Version 1.6.0beta05 [January 15, 2012] Updated manual with description of the simplified API (copied from png.h) Fix bug in pngerror.c: some long warnings were being improperly truncated (CVE-2011-3464, bug introduced in libpng-1.5.3beta05). Version 1.6.0beta06 [January 24, 2012] Added palette support to the simplified APIs. This commit changes some of the macro definitions in png.h, app code may need corresponding changes. Increased the formatted warning buffer to 192 bytes. Added color-map support to simplified API. This is an initial version for review; the documentation has not yet been updated. Fixed Min/GW uninstall to remove libpng.dll.a Version 1.6.0beta07 [January 28, 2012] Eliminated Intel icc/icl compiler warnings. The Intel (GCC derived) compiler issues slightly different warnings from those issued by the current vesions of GCC. This eliminates those warnings by adding/removing casts and small code rewrites. Updated configure.ac from autoupdate: added --enable-werror option. Also some layout regularization and removal of introduced tab characters (replaced with 3-character indentation). Obsolete macros identified by autoupdate have been removed; the replacements are all in 2.59 so the pre-req hasn't been changed. --enable-werror checks for support for -Werror (or the given argument) in the compiler. This mimics the gcc configure option by allowing -Werror to be turned on safely; without the option the tests written in configure itself fail compilation because they cause compiler warnings. Rewrote autogen.sh to run autoreconf instead of running tools one-by-one. Conditionalize the install rules for MINGW and CYGWIN in CMakeLists.txt and set CMAKE_LIBRARY_OUTPUT_DIRECTORY to "lib" on all platforms (C. Yapp). Freeze libtool files in the 'scripts' directory. This version of autogen.sh attempts to dissuade people from running it when it is not, or should not, be necessary. In fact, autogen.sh does not work when run in a libpng directory extracted from atar distribution anymore. You must run it in a GIT clone instead. Added two images to contrib/pngsuite (1-bit and 2-bit transparent grayscale), and renamed three whose names were inconsistent with those in pngsuite/README.txt. Version 1.6.0beta08 [February 1, 2012] Fixed Image::colormap misalignment in pngstest.c Check libtool/libtoolize version number (2.4.2) in configure.ac Divide test-pngstest.sh into separate pngstest runs for basic and transparent images. Moved automake options to AM_INIT_AUTOMAKE in configure.ac Added color-tests, silent-rules (Not yet implemented in Makefile.am) and version checking to configure.ac Improved pngstest speed by not doing redundant tests and add const to the background parameter of png_image_finish_read. The --background option is now done automagically only when required, so that commandline option no longer exists. Cleaned up pngpriv.h to consistently declare all functions and data. Also eliminated PNG_CONST_DATA, which is apparently not needed but we can't be sure until it is gone. Added symbol prefixing that allows all the libpng external symbols to be prefixed (suggested by Reuben Hawkins). Updated "ftbb*.png" list in the owatcom and vstudio projects. Fixed 'prefix' builds on clean systems. The generation of pngprefix.h should not require itself. Updated INSTALL to explain that autogen.sh must be run in a GIT clone, not in a libpng directory extracted from a tar distribution. Version 1.6.0beta09 [February 1, 2012] Reverted the prebuilt configure files to libpng-1.6.0beta05 condition. Version 1.6.0beta10 [February 3, 2012] Added Z_SOLO for zlib-1.2.6+ and correct pngstest tests Updated list of test images in CMakeLists.txt Updated the prebuilt configure files to current condition. Revised INSTALL information about autogen.sh; it works in tar distributions. Version 1.6.0beta11 [February 16, 2012] Fix character count in pngstest command in projects/owatcom/pngstest.tgt Revised test-pngstest.sh to report PASS/FAIL for each image. Updated documentation about the simplified API. Corrected estimate of error in libpng png_set_rgb_to_gray API. The API is extremely inaccurate for sRGB conversions because it uses an 8-bit intermediate linear value and it does not use the sRGB transform, so it suffers from the known instability in gamma transforms for values close to 0 (see Poynton). The net result is that the calculation has a maximum error of 14.99/255; 0.5/255^(1/2.2). pngstest now uses 15 for the permitted 8-bit error. This may still not be enough because of arithmetic error. Removed some unused arrays (with #ifdef) from png_read_push_finish_row(). Fixed a memory overwrite bug in simplified read of RGB PNG with non-linear gamma Also bugs in the error checking in pngread.c and changed quite a lot of the checks in pngstest.c to be correct; either correctly written or not over-optimistic. The pngstest changes are insufficient to allow all possible RGB transforms to be passed; pngstest cmppixel needs to be rewritten to make it clearer which errors it allows and then changed to permit known inaccuracies. Removed tests for no-longer-used *_EMPTY_PLTE_SUPPORTED from pngstruct.h Fixed fixed/float API export conditionals. 1) If FIXED_POINT or FLOATING_POINT options were switched off, png.h ended up with lone ';' characters. This is not valid ANSI-C outside a function. The ';' characters have been moved inside the definition of PNG_FP_EXPORT and PNG_FIXED_EXPORT. 2) If either option was switched off, the declaration of the corresponding functions were completely omitted, even though some of them are still used internally. The result is still valid, but produces warnings from gcc with some warning options (including -Wall). The fix is to cause png.h to declare the functions with PNG_INTERNAL_FUNCTION when png.h is included from pngpriv.h. Check for invalid palette index while reading paletted PNG. When one is found, issue a warning and increase png_ptr->num_palette accordingly. Apps are responsible for checking to see if that happened. Version 1.6.0beta12 [February 18, 2012] Do not increase num_palette on invalid_index. Relocated check for invalid palette index to pngrtran.c, after unpacking the sub-8-bit pixels. Fixed CVE-2011-3026 buffer overrun bug. Deal more correctly with the test on iCCP chunk length. Also removed spurious casts that may hide problems on 16-bit systems. Version 1.6.0beta13 [February 24, 2012] Eliminated redundant png_push_read_tEXt|zTXt|iTXt|unknown code from pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c; now that png_ptr->buffer is inaccessible to applications, the special handling is no longer useful. Added PNG_SAFE_LIMITS feature to pnglibconf.dfa, pngpriv.h, and new pngusr.dfa to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined. To enable, use "CPPFLAGS=-DPNG_SAFE_LIMITS_SUPPORTED=1" on the configure command or put #define PNG_SAFE_LIMITS_SUPPORTED in pnglibconf.h.prebuilt and pnglibconf.h. Version 1.6.0beta14 [February 27, 2012] Added information about the new limits in the manual. Updated Makefile.in Version 1.6.0beta15 [March 2, 2012] Removed unused "current_text" members of png_struct and the png_free() of png_ptr->current_text from pngread.c Rewrote pngstest.c for substantial speed improvement. Fixed transparent pixel and 16-bit rgb tests in pngstest and removed a spurious check in pngwrite.c Added PNG_IMAGE_FLAG_FAST for the benefit of applications that store intermediate files, or intermediate in-memory data, while processing image data with the simplified API. The option makes the files larger but faster to write and read. pngstest now uses this by default; this can be disabled with the --slow option. Improved pngstest fine tuning of error numbers, new test file generator. The generator generates images that test the full range of sample values, allow the error numbers in pngstest to be tuned and checked. makepng also allows generation of images with extra chunks, although this is still work-in-progress. Added tests for invalid palette index while reading and writing (work in progress, the latter isn't finished). Fixed some bugs in ICC profile writing. The code should now accept all potentially valid ICC profiles and reject obviously invalid ones. It now uses png_error() to do so rather than casually writing a PNG without the necessary color data. Removed whitespace from the end of lines in all source files and scripts. Version 1.6.0beta16 [March 6, 2012] Relocated palette-index checking function from pngrutil.c to pngtrans.c Added palette-index checking while writing. Changed png_inflate() and calling routines to avoid overflow problems. This is an intermediate check-in that solves the immediate problems and introduces one performance improvement (avoiding a copy via png_ptr->zbuf.) Further changes will be made to make ICC profile handling more secure. Fixed build warnings (MSVC, GCC, GCC v3). Cygwin GCC with default options declares 'index' as a global, causing a warning if it is used as a local variable. GCC 64-bit warns about assigning a (size_t) (unsigned 64-bit) to an (int) (signed 32-bit). MSVC, however, warns about using the unary '-' operator on an unsigned value (even though it is well defined by ANSI-C to be ~x+1). The padding calculation was changed to use a different method. Removed the tests on png_ptr->pass. Added contrib/libtests/tarith.c to test internal arithmetic functions from png.c. This is a libpng maintainer program used to validate changes to the internal arithmetic functions. Made read 'inflate' handling like write 'deflate' handling. The read code now claims and releases png_ptr->zstream, like the write code. The bug whereby the progressive reader failed to release the zstream is now fixed, all initialization is delayed, and the code checks for changed parameters on deflate rather than always calling deflatedEnd/deflateInit. Validate the zTXt strings in pngvalid. Added code to validate the windowBits value passed to deflateInit2(). If the call to deflateInit2() is wrong a png_warning will be issued (in fact this is harmless, but the PNG data produced may be sub-optimal). Version 1.6.0beta17 [March 10, 2012] Fixed PNG_LIBPNG_BUILD_BASE_TYPE definition. Reject all iCCP chunks after the first, even if the first one is invalid. Deflate/inflate was reworked to move common zlib calls into single functions [rw]util.c. A new shared keyword check routine was also added and the 'zbuf' is no longer allocated on progressive read. It is now possible to call png_inflate() incrementally. If benign errors are disabled use maximum window on ancilliary inflate. This works round a bug introduced in 1.5.4 where compressed ancillary chunks could end up with a too-small windowBits value in the deflate header. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement to subscribe) or to glennrp at users.sourceforge.net Glenn R-P