Libpng 1.7.0beta79 - March 9, 2016 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. Files available for download: Source files with LF line endings (for Unix/Linux) and with a "configure" script 1.7.0beta79.tar.xz (LZMA-compressed, recommended) 1.7.0beta79.tar.gz Source files with CRLF line endings (for Windows), without the "configure" script /scratch/glennrp/Libpng17/lp170b79.7z (LZMA-compressed, recommended) /scratch/glennrp/Libpng17/lp170b79.zip Other information: 1.7.0beta79-README.txt 1.7.0beta79-LICENSE.txt libpng-1.7.0beta79-*.asc (armored detached GPG signatures) Changes since the last public release (1.6.0): Version 1.7.0alpha01 [December 15, 2012] Started 1.7.0 branch from libpng-1.6.0beta33. Made 8-bit compose and rgb_to_grayscale accuracy improvements. These changes cause 16-bit arithmetic to be used for 8-bit data in the gamma corrected compose and grayscale operations. The arithmetic errors have three sources all of which are fixed in this commit: 1) 8-bit linear calculations produce massive errors for lower intensity values. 2) The old 16-bit "16 to 8" gamma table code erroneously wrote the lowest output value into a table entry which corresponded to multiple output values (so where the value written should have been the closest to the transformed input value.) 3) In a number of cases the code to access the 16-bit table did not round; it did a simple shift, which was wrong and made the side effects of (2) even worse. The new gamma code does not have the 16-to-8 problem at the cost of slightly more calculations and the algorithm used to minimize the number of calculations has been extended to all the 16-bit tables; it has advantages for any significant gamma correction. Rearranged png_struct, remove unused members, change png_set_filter handling png_struct members rearranged - partly to reorder to avoid packing, partly to put frequently accessed members at the start and partly to make the grouping more clear. png_set_filter code has been rewritten and the code shared with png_write_start_row moved to a common function. Comments in png.h have been made more clear. Minor fixes to contrib/libtests/timepng.c and some of the png_*_tRNS logic, including more error detection in png_set_tRNS. Cleaned up USER_LIMITS feature, removing members from png_struct when not required. Rearranged ARM-NEON optimizations to isolate the machine specific code to the hardware subdirectory, and add comments to pngrutil.c so that implementors of other optimizations will know what to do. Fixed cases of unquoted DESTDIR in Makefile.am. Rebuilt Makefile.in, configure, etc., with autoconf-2.69 and automake-1.12.5. Version 1.7.0alpha02 [December 17, 2012] Removed functions that were deprecated in libpng-1.6.0: png_reset_zstream(), png_info_init_3(), and png_data_freer() and its associated flags. Removed some duplicated lines from contrib/tools/scale.c and png.c. Changed some instances of png_warning() to png_app_error(). Updated some left over "1.6.0beta32" in code sources. Fixed a "png_structp" prototype (should be png_structrp) in arm_init.c Updated the version-number hack in pngvalid.c Version 1.7.0alpha03 [December 19, 2012] Cleaned up and enhanced the configure option; libpng now correctly links and tests against zlib with a prefix; tests have been clarified; and irrelevant or obsolete things (as defined by the autotools man page) have been removed. Documented new PNG_ABORT behavior in the manual and commentary in pngerror.c Cleaned up whitespace in the synopsis portion of the manpage "libpng.3" Fixed previous support for Z_PREFIX in configure builds, corrected sCAL APIs; some of these use floating point arithmetic so they need to be disabled if floating point arithmetic is switched off. This is a quiet API change - previously it appeared that the APIs were supported if fixed point arithmetic was used internally, however they required certain APIs (floor, modf, frexp, atof) that are part of C floating point support. Changed png_fixed and the gamma code specific version of the same to avoid floor(), which may be a library function (not an intrinsic). Removed unused #if 0 code. Disassembled the version number in scripts/options.awk (necessary for building on SunOs). Version 1.7.0alpha04 [December 23, 2012] Added scripts/makefile.msys contributed by Christopher M. Wheeler Made default Zlib compression settings be configurable. This adds #defines to pnglibconf.h to control the defaults. Fixed Windows build issues, enabled ARM compilation. Various warnings issued by earlier versions of GCC fixed for Cygwin and Min/GW (which both use old GCCs.) ARM support is enabled by default in zlib.props (unsupported by Microsoft) and ARM compilation is made possible by deleting the check for x86. The test programs cannot be run because they are not signed. Version 1.7.0alpha05 [December 24, 2012] Discontinued distributing libpng-1.x.x.tar.bz2. Discontinued distributing libpng-1.7.0-1.6.0-diff.txt and similar. Version 1.7.0alpha06 [January 1, 2013] Fixed 'make distcheck' on SUN OS - libpng.so was not being removed Version 1.7.0alpha07 [January 10, 2013] Fixed conceivable but difficult to repro overflow. Also added two test programs to generate and test a PNG which should have the problem. Version 1.7.0alpha08 [January 17, 2013] Corrected previous attempt at overflow detection in png_set_unknown_chunks() (CVE-2013-7353). Added overflow detection in png_set_sPLT() and png_set_text_2() (CVE-2013-7354). Version 1.7.0alpha09 [January 21, 2013] Pulled changes to multi-chunk handling from libpng-1.6.0beta40. Version 1.7.0alpha10 [February 5, 2013] Make symbol prefixing work with the ARM neon optimizations. Also allow pngpriv.h to be included for preprocessor definitions only, so it can be used in non-C/C++ files. Added png_get_palette_max() function. Changed png_size_t to size_t throughout headers, make sRGB check numbers consistent. Fixed ARM support (Mans Rullgard). Removed stray out-of-order #endif and #ifdef (Mans Rullgard). Ported libpng 1.5 options.awk/dfn file handling to 1.7, fixed one bug. Rebuilt Makefile.in, configure, etc., with autoconf-2.69 and automake-1.13. Minor fixes to assembler changes, verified with a dummy .S file Removed cc -E workround, corrected png_get_palette_max API. Tested on SUN OS cc 5.9, which demonstrates the tokenization problem previously avoided by using /lib/cpp. Since all .dfn output is now protected in double quotes unless it is to be macro substituted the fix should work everywhere. Version 1.7.0beta01 [February 15, 2013] Enable parallel tests and rearrange TESTS order to take advantage of the massive speed improvements use a make capable of parallel builds on a multi-CPU machine and pass the right arguments to make (-j10000 for GNU make) to get the build to run in parallel. Fixed previous support for Z_PREFIX in configure builds, corrected sCAL APIs; some of these use floating point arithmetic so need to be disabled if floating point arithmetic is switched off. This is a quiet API change - previously it appeared that the APIs were supported if fixed point arithmetic was used internally, however they required certain APIs (floor, modf, frexp, atof) that are part of C floating point support. Changed png_fixed and the gamma code specific version of the same to avoid floor(), which may be a library function (not an intrinsic). Removed unused #if 0 code. Fixed make distcheck to skip over the test result files. They were being included because the whole of the 'tests' directory is included, fixed to just include the actual test files and tests/pngstest. Also reverted the previous erroneous change to remove the ${srcdir} from the front of contrib, scripts, projects and added an explanation of what is going on to Makefile.am Fixed missing dependency in --prefix builds. The intermediate internal 'prefix.h' file can only be generated correctly after pnglibconf.h, however the dependency was not in Makefile.am. The symptoms are unpredictable depending on the order make chooses to build pngprefix.h and pnglibconf.h, often the error goes unnoticed because there is a system pnglibconf.h to use instead. Accept "," as a separator in pnglibconf.dfa and allow for continuation lines. This adds to the syntax of "option" and "chunk" lines, allowing the elements to be separated by a "," at the end of an element and interpreting a "," at end of line as a continuation - so the following line is read. The new syntax is optional and solely provided for readability. Enclosed the new png_get_palette_max in #ifdef PNG_GET_PALETTE_MAX_SUPPORTED block, and revised pnglibconf.h and pnglibconf.h.prebuilt accordingly. Version 1.7.0beta02 [February 18, 2013] Fixed a race condition in the creation of the build 'scripts' directory while building with a parallel make. Use approved/supported Android method to check for NEON, use Linux/POSIX 1003.1 API to check /proc/self/auxv avoiding buffer allocation and other library calls (ported from libpng15). Use parentheses more consistently in "#if defined(MACRO)" tests. Folded long lines. Version 1.7.0beta03 [February 22, 2013] Reenabled code to allow zero length PLTE chunks for MNG. Fixed ALIGNED_MEMORY support. Allow run-time ARM NEON checking to be disabled. A new configure option: --enable-arm-neon=always will stop the run-time checks. New checks within arm/arm_init.c will cause the code not to be compiled unless __ARM_NEON__ is set. This should make it fail safe (if someone asks for it on then the build will fail if it can't be done.) Updated the INSTALL document. Version 1.7.0beta04 [February 27, 2013] Revised INSTALL to recommend using CPPFLAGS instead of INCLUDES. Revised scripts/makefile.freebsd to respect ZLIBLIB and ZLIBINC. Revised scripts/dfn.awk to work with the buggy MSYS awk that has trouble with CRLF line endings. Version 1.7.0beta05 [March 5, 2013] Avoid a possible memory leak in contrib/gregbook/readpng.c Changed user chunk callback API to respect global and per chunk defaults. Previously a return of 0 from a user chunk callback would result in the chunk being saved (if this was safe, even if the chunk was unsafe-to-copy); this change respects the defaults set by the application, so unknown chunks can be discarded by default and known-safe ones preserved. Corrected Android builds and corrected libpng.vers with symbol prefixing. This adds an API to set optimization options externally, providing an alternative and general solution for the non-portable run-time tests used by the ARM Neon code. It also makes those tests compile and link on Android. The order of settings vs options in pnglibconf.h is reversed to allow settings to depend on options and options can now set (or override) the defaults for settings. Version 1.7.0beta06 [March 13, 2013] Corrected simplified API default gamma for color-mapped output, added a flag to change default. In 1.6.0 when the simplified API was used to produce color-mapped output from an input image with no gamma information the gamma assumed for the input could be different from that assumed for non-color-mapped output. In particular 16-bit depth input files were assumed to be sRGB encoded, whereas in the 'direct' case they were assumed to have linear data. This was an error. The fix makes the simplified API treat all input files the same way and adds a new flag to the png_image::flags member to allow the application/user to specify that 16-bit files contain sRGB data rather than the default linear. Fixed bugs in the pngpixel and makepng test programs. Fixed CMakelists.txt to allow building a single variant of the library (Claudio Bley): Introduced a PNG_LIB_TARGETS variable that lists all activated library targets. It is an error if this variable ends up empty, ie. you have to build at least one library variant. Made the *_COPY targets only depend on library targets actually being build. Use PNG_LIB_TARGETS to unify a code path. Changed the CREATE_SYMLINK macro to expect the full path to a file as the first argument. When symlinking the filename component of that path is determined and used as the link target. Use copy_if_different in the CREATE_SYMLINK macro. Eliminated two warnings from the Intel C compiler. The warnings are technically valid, although a reasonable treatment of division would show it to be incorrect. Version 1.7.0beta07 [April 14, 2013] Updated documentation of 1.5.x to 1.6.x changes in iCCP chunk handling. Fixed incorrect warning of excess deflate data. End condition - the warning would be produced if the end of the deflate stream wasn't read in the last row. The warning is harmless. Corrected the test on user transform changes on read. It was in the png_set of the transform function, but that doesn't matter unless the transform function changes the rowbuf size, and that is only valid if transform_info is called. Corrected a misplaced closing bracket in contrib/libtests/pngvalid.c (Flavio Medeiros). Corrected length written to uncompressed iTXt chunks (Samuli Suominen). Version 1.7.0beta08 [April 18, 2013] Added contrib/tools/fixitxt.c, to repair the erroneous iTXt chunk length written by libpng-1.6.0 and 1.6.1. Disallow storing sRGB information when the sRGB is not supported. Version 1.7.0beta09 [April 24, 2013] Exposed PNG chunk types in png.h Modified png_uint_32 macros/code to make as few assumptions as possible Revised stack marking in arm/filter_neon.S and configure.ac Ensure that NEON filter stuff is completely disabled when switched 'off'. Previously the ARM NEON specific files were still built if the option was switched 'off' as opposed to being explicitly disabled. Version 1.7.0beta10 [April 24, 2013] Attempt to fix the PNG_ARM_NEON configuration mess. Version 1.7.0beta11 [April 26, 2013] Test for 'arm*', not just 'arm' in the host_cpu configure variable. Version 1.7.0beta12 [April 30, 2013] Added png_app_warning for out-of-range unknown chunk index in png_set_unknown_chunk_location(). Expanded manual paragraph about writing private chunks. Avoid dereferencing NULL pointer possibly returned from png_create_write_struct() (Andrew Church). Version 1.7.0beta13 [May 12, 2013] Revised contrib/pngminim/*/makefile to generate pnglibconf.h with the right zlib header files. Separated CPPFLAGS and CFLAGS in contrib/pngminim/*/makefile Updated contrib/pngminus/pnm2png.c (Paul Stewart): Check for EOF Ignore "#" delimited comments in input file to pnm2png.c. Fixed whitespace handling Added a call to png_set_packing() Initialize dimension values so if sscanf fails at least we have known invalid values. Calculate our own zlib windowBits when decoding rather than trusting the CMF bytes in the PNG datastream. Added an option to force maximum window size for inflating, which was the behavior of libpng15 and earlier. Added png-fix-itxt and png-fix-too-far-back to the built programs and removed warnings from the source code and timepng that are revealed as a result. Detect wrong libpng versions linked to png-fix-too-far-back, which currently only works with libpng versions that can be made to reliably fail when the deflate data contains an out-of-window reference. This means only 1.6 and later. Attempt to detect configuration issues with png-fix-too-far-back, which requires both the correct libpng and the correct zlib to function correctly. Check ZLIB_VERNUM for mismatches, enclose #error in quotes Added information in the documentation about problems with and fixes for the bad CRC and bad iTXt chunk situations. Version 1.7.0beta14 [June 8, 2013] Removed a redundant test in png_set_IHDR(). Added set(CMAKE_CONFIGURATION_TYPES ...) to CMakeLists.txt (Andrew Hundt) Deleted set(CMAKE_BUILD_TYPE) block from CMakeLists.txt Enclose the prototypes for the simplified write API in #ifdef STDIO/#endif Make ARM NEON support work at compile time (not just configure time). This moves the test on __ARM_NEON__ into pngconf.h to avoid issues when using a compiler that compiles for multiple architectures at one time. Removed PNG_FILTER_OPTIMIZATIONS and PNG_ARM_NEON_SUPPORTED from pnglibconf.h, allowing more of the decisions to be made internally (pngpriv.h) during the compile. Without this, symbol prefixing is broken under certain circumstances on ARM platforms. Now only the API parts of the optimizations ('check' vs 'api') are exposed in the public header files except that the new setting PNG_ARM_NEON_OPT documents how libpng makes the decision about whether or not to use the optimizations. Protect symbol prefixing against CC/CPPFLAGS/CFLAGS useage. Previous iOS/Xcode fixes for the ARM NEON optimizations moved the test on __ARM_NEON__ from configure time to compile time. This breaks symbol prefixing because the definition of the special png_init_filter_functions call was hidden at configure time if the relevant compiler arguments are passed in CFLAGS as opposed to CC. This change attempts to avoid all the confusion that would result by declaring the init function even when it is not used, so that it will always get prefixed. Version 1.7.0beta15 [June 18, 2013] Revised libpng.3 so that "doclifter" can process it. Version 1.7.0beta16 [July 5, 2013] Revised example.c to illustrate use of PNG_DEFAULT_sRGB and PNG_GAMMA_MAC_18 as parameters for png_set_gamma(). These have been available since libpng-1.5.4. Renamed contrib/tools/png-fix-too-far-back.c to pngfix.c and revised it to check all compressed chunks known to libpng. Updated documentation to show default behavior of benign errors correctly. Added perfect hash code generation for lists of PNG chunks. This is a work in progress; checked in for use in pngfix.c Ported ARM no-read patch from libpng16. Ported pngfix.c patches from libpng16. Version 1.7.0beta17 [August 21, 2013] Revised manual about changes in iTXt chunk handling made in libpng-1.6.0. Added "/* SAFE */" comments in pngrutil.c and pngrtran.c where warnings may be erroneously issued by code-checking applications. Added information about png_set_options() to the manual. Delay calling png_init_filter_functions() until a row with nonzero filter is found. Version 1.7.0beta18 [September 16, 2013] Fixed inconsistent conditional compilation of png_chunk_unknown_handling() prototype, definition, and usage. Made it depend on PNG_HANDLE_AS_UNKNOWN_SUPPORTED everywhere. Version 1.7.0beta19 [September 30, 2013] Reverted the change to unknown handling #defines; the change breaks 'NOREAD' builds. Fixed default behavior of ARM_NEON_API. If the ARM NEON API option is compiled without the CHECK option it defaulted to on, not off. Catch up with recent libpng16 changes; unknown handling and spelling corrections Avoid up-cast warnings in pngvalid.c. On ARM the alignment requirements of png_modifier are greater than that of png_store and as a consequence compilation of pngvalid.c results in a warning about increased alignment requirements because of the bare cast to (png_modifier*). The code is safe, because the pointer is known to point to a stack allocated png_modifier, but this change avoids the warning. Fixed some grammatical changes and updated the png chunks list. Version 1.7.0beta20 [October 13, 2013] Made changes for compatibility with automake 1.14: 1) Added the 'compile' program to the list of programs that must be cleaned in autogen.sh 2) Added 'subdir-objects' which causes .c files in sub-directories to be compiled such that the corresponding .o files are also in the sub-directory. This is because automake 1.14 warns that the current behavior of compiling to the top level directory may be removed in the future. 3) Updated dependencies on pnglibconf.h to match the new .o locations and added all the files in contrib/libtests and contrib/tools that depend on pnglibconf.h 4) Added 'BUILD_SOURCES = pnglibconf.h'; this is the automake recommended way of handling the dependencies of sources that are machine generated; unfortunately it only works if the user does 'make all' or 'make check', so the dependencies (3) are still required. Cleaned up (char*) casts of zlib messages. The latest version of the Intel C compiler complains about casting a string literal as (char*), so copied the treatment of z_const from the library code into pngfix.c Simplified error message code in pngunknown. The simplification has the useful side effect of avoiding a bogus warning generated by the latest version of the Intel C compiler (it objects to condition ? string-literal : string-literal). Make autogen.sh work with automake 1.13 as well as 1.14. Do this by always removing the 1.14 'compile' script but never checking for it. Version 1.7.0beta21 [November 2, 2013] Added ARMv8 support (James Yu ). Added file arm/filter_neon_intrinsics.c; enable with -mfpu=neon. Revised pngvalid to generate size images with as many filters as it can manage, limited by the number of rows. Cleaned up ARM NEON compilation handling. The tests are now in pngpriv.h and detect the broken GCC compilers. Allow clang derived from older GCC versions to use ARM intrinsics. This causes all clang builds that use -mfpu=neon to use the intrinsics code, not the assembler code. This has only been tested on iOS 7. It may be necessary to exclude some earlier clang versions but this seems unlikely. Changed NEON implementation selection mechanism. This allows assembler or intrinsics to be turned on at compile time during the build by defining PNG_ARM_NEON_IMPLEMENTATION to the correct value (2 or 1). This macro is undefined by default and the build type is selected in pngpriv.h. Version 1.7.0beta22 [November 7, 2013] Fixed #include in filter_neon_intrinsics.c and ctype macros. The ctype char checking macros take an unsigned char argument, not a signed char. Version 1.7.0beta23 [November 24, 2013] Changed #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED in pngpread.c to #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED to be consistent with what is in pngpriv.h. Moved prototype for png_handle_unknown() in pngpriv.h outside of the #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED/#endif block. Added "-Wall" to CFLAGS in contrib/pngminim/*/makefile Conditionally compile some unused functions reported by -Wall in pngminim. Fixed 'minimal' builds. Various obviously useful minimal configurations don't build because of missing contrib/libtests test programs and overly complex dependencies in scripts/pnglibconf.dfa. This change adds contrib/conftest/*.dfa files that can be used in automatic build scripts to ensure that these configurations continue to build. Enabled WRITE_INVERT and WRITE_PACK in contrib/pngminim/encoder. Fixed pngvalid 'fail' function declaration on the Intel C Compiler. This reverts to the previous 'static' implementation and works round the 'unused static function' warning by using PNG_UNUSED(). Version 1.7.0beta24 [December 15, 2013] Removed or marked PNG_UNUSED some harmless "dead assignments" reported by clang scan-build. Changed tabs to 3 spaces in png_debug macros and changed '"%s"m' to '"%s" m' to improve portability among compilers. Changed png_free_default() to free() in pngtest.c Tidied up pngfix inits and fixed pngtest no-write builds. Bookkeeping: Moved functions around (no changes). Moved transform function definitions before the place where they are called so that they can be made static. Move the intrapixel functions and the grayscale palette builder out of the png?tran.c files. The latter isn't a transform function and is no longer used internally, and the former MNG specific functions are better placed in pngread/pngwrite.c Made transform implementation functions static. This makes the internal functions called by png_do_{read|write}_transformations static. On an x86-64 DLL build (Gentoo Linux) this reduces the size of the text segment of the DLL by 1208 bytes, about 0.6%. It also simplifies maintenance by removing the declarations from pngpriv.h and allowing easier changes to the internal interfaces. Handle zero-length PLTE chunk or NULL palette with png_error() instead of png_chunk_report(), which by default issues a warning rather than an error, leading to later reading from a NULL pointer (png_ptr->palette) in png_do_expand_palette(). This is CVE-2013-6954 and VU#650142. Libpng-1.6.1 through 1.6.7 and libpng-1.7.0beta03 through 1.7.0beta23 are vulnerable. Libpng-1.6.0 and earlier do not have the bug. Version 1.7.0beta25 [December 26, 2013] Merged files with version 1.6.8 that have not changed since then. Rebuilt configure scripts with automake-1.14.1 and autoconf-2.69 Version 1.7.0beta26 [January 1, 2014] Added libpng 1.5 checks to pngvalid.c Merged with 1.5 and 1.6 changes to create a single pngvalid.c Added dSIG to chunk list in png.h Removed #error macro from contrib/tools/pngfix.c (Thomas Klausner). Merged pngrio.c, pngtrans.c, and pngwio.c with libpng-1.6.9 Fixed test programs for interlace options. Made pngvalid.c and pngtest.c work correctly when READ_INTERLACING and/or WRITE_INTERLACING are switched off. Changed pngvalid.c to support libpng 1.5, which does not support the PNG_MAXIMUM_INFLATE_WINDOW option, so #define it out when appropriate in pngvalid.c Allow unversioned links created on install to be disabled in configure. In configure builds 'make install' changes/adds links like png.h and libpng.a to point to the newly installed, versioned, files (e.g. libpng17/png.h and libpng17.a). Three new configure options and some rearrangement of Makefile.am allow creation of these links to be disabled. Version 1.7.0beta27 [January 10, 2014] Removed potentially misleading warning from png_check_IHDR(). Version 1.7.0beta28 [January 20, 2014] Updated scripts/makefile.* to use CPPFLAGS (Cosmin). Added clang attribute support (Cosmin). Version 1.7.0beta29 [January 30, 2014] Quiet an uninitialized memory warning from VS2013 in png_get_png(). Version 1.7.0beta30 [February 2, 2014] Fixed a large number of instances where PNGCBAPI was omitted from function definitions. Added pngimage test program for png_read_png and png_write_png. This is a work-in-progress; no tests are run automatically at present and the program by virtue of exhaustively testing all the transforms is very slow. Version 1.7.0beta31 [February 6, 2014] Make png_read_png() and png_write_png() prototypes in png.h depend upon PNG_READ_SUPPORTED and PNG_WRITE_SUPPORTED. Removed dependence on !PNG_READ_EXPAND_SUPPORTED for calling png_set_packing() in png_read_png(). Completed full working pngimage test program and added two test scripts. Fixed combination of ~alpha with shift. On read invert alpha, processing occurred after shift processing, which causes the final values to be outside the range that should be produced by the shift. Reversing the order on read makes the two transforms work together correctly and mirrors the order used on write. Do not read invalid sBIT chunks. Previously libpng only checked sBIT values on write, so a malicious PNG writer could therefore cause the read code to return an invalid sBIT chunk, which might lead to application errors or crashes. Such chunks are now skipped (with chunk_benign_error). Restored a line, "c = b;", that was inadvertently deleted from the PAETH filtering code from libpng-1.7.0beta24/pngrutil.c. Deleted the other instance of "c = b;" which is the one that triggered a scan-build warning. Support builds with unsupported PNG_TRANSFORM_* values. All of the PNG_TRANSFORM_* values are always defined in png.h and, because they are used for both read and write in some cases, it is not reliable to #if out ones that are totally unsupported. This change adds error detection in png_read_image() and png_write_image() to do a png_app_error() if the app requests something that cannot be done and it adds corresponding code to pngimage.c to handle such options by not attempting to test them. Version 1.7.0beta32 [February 26, 2014] Moved redefines of png_error(), png_warning(), png_chunk_error(), and png_chunk_warning() from pngpriv.h to png.h to make them visible to libpng-calling applications. Moved OS dependent code from arm/arm_init.c, to allow the included implementation of the ARM NEON discovery function to be set at build-time and provide sample implementations from the current code in the contrib/arm-neon subdirectory. The __linux__ code has also been changed to compile and link on Android by using /proc/cpuinfo, and the old linux code is in contrib/arm-neon/linux-auxv.c. The new code avoids POSIX and Linux dependencies apart from opening /proc/cpuinfo and is C90 compliant. Check for info_ptr == NULL early in png_read_end() so we don't need to run all the png_handle_*() and depend on them to return if info_ptr == NULL. This improves the performance of png_read_end(png_ptr, NULL) and makes it more robust against future programming errors. Check for __has_extension before using it in pngconf.h, to support older Clang versions (Jeremy Sequoia). Use a user warning handler in contrib/gregbook/readpng2.c instead of default, so warnings will be put on stderr even if libpng has CONSOLE_IO disabled. Added png_ptr->process_mode = PNG_READ_IDAT_MODE in png_push_read_chunk after recognizing the IDAT chunk, which avoids an infinite loop while reading a datastream whose first IDAT chunk is of zero-length. This fixes CERT VU#684412 and CVE-2014-0333. Don't recognize known sRGB profiles as sRGB if they have been hacked, but don't reject them and don't issue a copyright violation warning. Minor editing of contrib/arm-neon/README and contrib/examples/*.c Moved some documentation from png.h to libpng.3 and libpng-manual.txt Version 1.7.0beta33 [February 27, 2014] Fixed typos in the manual and in scripts/pnglibconf.dfa (CFLAGS -> CPPFLAGS and PNG_USR_CONFIG -> PNG_USER_CONFIG). Version 1.7.0beta34 [March 17, 2014] Treat CRC error handling with png_set_crc_action(), instead of with png_set_benign_errors(), which has been the case since libpng-1.6.0beta18. Use "if (value != 0)" instead of "if (value)" consistently. Changed ZlibSrcDir from 1.2.5 to 1.2.8 in projects/vstudio. Moved configuration information from the manual to the INSTALL file. Version 1.7.0beta35 [August 6, 2014] Removed #if/#else/#endif from inside two pow() calls in pngvalid.c because they were handled improperly by Portland Group's PGI-14.1 - PGI-14.3 when using its "__builtin_pow()" function. Silence 'unused parameter' build warnings (Cosmin). $(CP) is now used alongside $(RM_F). Also, use 'copy' instead of 'cp' where applicable, and applied other minor makefile changes. Don't warn about invalid dimensions exceeding user limits. Allow an easy replacement of the default pre-built configuration header with a custom header, via the make PNGLIBCONF_H_PREBUILT macro. Fixed a typo in pngrutil.c, introduced in libpng-1.5.6, that interferes with "blocky" expansion of sub-8-bit interlaced PNG files (Eric Huss). Removed scripts/makefile.elf. It has not worked since libpng-1.5.0beta14 due to elimination of the PNG_FUNCTION_EXPORT and PNG_DATA_EXPORT definitions from pngconf.h. Ensure that CMakeLists.txt makes the target "lib" directory before making symbolic link into it (SourceForge bug report #226 by Rolf Timmermans). Added opinion that the ECCN (Export Control Classification Number) for libpng is EAR99 to the README file. Version 1.7.0beta36 [September 27, 2014] Updated scripts/makefiles from libpng-1.6.13beta04. Minor updates to the manual from libpng-1.6.14beta04. Fixed incorrect handling of the iTXt compression flag in pngrutil.c (bug report by Shunsaku Hirata). Bug was introduced in libpng-1.6.0. Version 1.7.0beta37 [September 28, 2014] Merged scripts/*, pngvalid.c and pngfix.c with libpng-1.6.14beta04. Version 1.7.0beta38 [October 17, 2014] Added "option READ_iCCP enables READ_COMPRESSED_TEXT" to pnglibconf.dfa Removed unused "text_len" parameter from private function png_write_zTXt(). Conditionally compile some code in png_deflate_claim(), when PNG_WARNINGS_SUPPORTED and PNG_ERROR_TEXT_SUPPORTED are disabled. Replaced repeated code in pngpread.c with PNG_PUSH_SAVE_BUFFER_IF_FULL. Added "chunk iTXt enables TEXT" and "chunk zTXt enables TEXT" to pnglibconf.dfa. Removed "option READ_COMPRESSED_TEXT enables READ_TEXT" from pnglibconf.dfa, to make it possible to configure a libpng that supports iCCP but not TEXT. Removed "option WRITE_COMPRESSED_TEXT enables WRITE_TEXT" from pnglibconf.dfa Only mark text chunks as written after successfully writing them. Version 1.7.0beta39 [November 1, 2014] Ported cosmetic changes from libpng-1.6.15beta02. Version 1.7.0beta40 [November 6, 2014] Made a one-line revision to configure.ac to support ARM on aarch64 (bug report by Marcin Juszkiewicz, fix by John Bowler). Use png_get_libpng_ver(NULL) instead of PNG_LIBPNG_VER_STRING in example.c, pngtest.c, and applications in the contrib directory. Avoid out-of-bounds memory access in png_user_version_check(). Simplified and future-proofed png_user_version_check(). Fixed GCC unsigned int->float warnings. Various versions of GCC seem to generate warnings when an unsigned value is implicitly converted to double. This is probably a GCC bug but this change avoids the issue by explicitly converting to (int) where safe. Free all allocated memory in pngimage. The file buffer cache was left allocated at the end of the program, harmless but it causes memory leak reports from clang. Fixed array size calculations to avoid warnings. At various points in the code the number of elements in an array is calculated using sizeof. This generates a compile time constant of type (size_t) which is then typically assigned to an (unsigned int) or (int). Some versions of GCC on 64-bit systems warn about the apparent narrowing, even though the same compiler does apparently generate the correct, in-range, numeric constant. This adds appropriate, safe, casts to make the warnings go away. Version 1.7.0beta41 [November 7, 2014] Added #ifdef PNG_16BIT_SUPPORTED/#endif around png_log16bit() and png_do_swap(). Changed all "#endif /* PNG_FEATURE_SUPPORTED */" to "#endif /* FEATURE */" Version 1.7.0beta42 [November 20, 2014] The macros passed in the command line to Borland make were ignored if similarly-named macros were already defined in makefiles. This behavior is different from POSIX make and other make programs. Surround the macro definitions with ifndef guards (Cosmin). Added "-D_CRT_SECURE_NO_WARNINGS" to CFLAGS in scripts/makefile.vcwin32. Removed the obsolete $ARCH variable from scripts/makefile.darwin. Merged clang no-warning fix from libpng-1.6.13: png_digit was defined but never used in pngerror.c. Version 1.7.0beta43 [December 18, 2014] Added ".align 2" to arm/filter_neon.S to support old GAS assemblers that don't do alignment correctly. Revised Makefile.am and scripts/*.dfn to work with MinGW/MSYS; renamed scripts/*.dfn to scripts/*.c (Bob Friesenhahn and John Bowler). Quiet a "comparison always true" warning in pngstest.c (John Bowler). Version 1.7.0beta44 [December 23, 2014] Restored a test on width that was removed from png.c at libpng-1.6.9 (Bug report by Alex Eubanks, CVE-2015-0973). Fixed an overflow in png_combine_row() with very wide interlaced images (Bug report and fix by John Bowler, CVE-2014-9495). Corrected the width limit calculation in png_check_IHDR(). Removed extraneous handling of PNG_SAFE_LIMITS_SUPPORTED from pngconf.h Version 1.7.0beta45 [December 28, 2014] Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column and 1-million-row default limits in pnglibconf.dfa, that can be reset by the user at build time or run time. This provides a more robust defense against DOS and as-yet undiscovered overflows. Removed user limits from pngfix. Also pass NULL pointers to png_read_row to skip the unnecessary row de-interlace stuff. Added testing of png_set_packing() to pngvalid.c Version 1.7.0beta46 [January 2, 2015] Regenerated configure scripts in the tar distributions with libtool-2.4.4 Implement previously untested cases of libpng transforms in pngvalid.c Fixed byte order in 2-byte filler, in png_do_read_filler(). Allow user to call png_get_IHDR() with NULL arguments (Reuben Hawkins). Version 1.7.0beta47 [January 29, 2015] Made the check for out-of-range values in png_set_tRNS() detect values that are exactly 2^bit_depth, and work on 16-bit platforms. Added PNG_SKIP_sRGB_CHECK_PROFILE choice for png_set_option(). Report all IHDR errors before exiting png_check_IHDR(). Merged some parts of libpng-1.6.17beta01 and libpng-1.7.0beta47. Added #ifndef __COVERITY__ where needed in png.c, pngrutil.c and pngset.c to avoid warnings about dead code. Version 1.7.0beta48 [February 7, 2015] Work around one more Coverity-scan dead-code warning. Do not build png_product2() when it is unused. Version 1.7.0beta49 [February 11, 2015] Combined sub_row, up_row, avg_row, and paeth_row buffers into a single try_row buffer. Added PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED macro, on by default. Consolidated redundant code in pngwutil.c Deal with integer overflow of sum in pngwutil.c Version 1.7.0beta50 [February 15, 2015] Combined sub_row, up_row, avg_row, and paeth_row buffers into a single try_row buffer and in cases where two or more of those are being tested, a second tst_row buffer. This improves CPU speed over that achieved by libpng-1.7.0beta49. Version 1.7.0beta51 [February 17, 2015] Combined similar parts of png_write_find_filter() into a png_increase_lmins() function. Display user limits in the output from pngtest. Replaced test for harmless integer overflow (wraparound) in pngwutil.c with a method that prevents overflow and does not increase cpu usage significantly. Version 1.7.0beta52 [February 21, 2015] Added information about setjmp/simplified API interaction in the manual page and INSTALL file. Added information about using row_pointers with a single height*width*bpp allocated block Rebuilt configure scripts with automake-1.15 and libtool-2.4.6 Version 1.7.0beta53 [February 23, 2015] Restored compiling of png_reciprocal2 with PNG_NO_16BIT. Version 1.7.0beta54 [March 4, 2015] Moved png_set_filter() prototype into a PNG_WRITE_SUPPORTED block of png.h. Conditionally compile a small amount of code in pngwutil.c Avoid runtime checks when converting integer to png_byte with Visual Studio (Sergey Kosarevsky) Merged pngwrite.c with libpng-1.6.17beta06/pngwrite.c Version 1.7.0beta55 [March 9, 2015] Removed some comments that the configure script did not handle properly from scripts/pnglibconf.dfa and pnglibconf.h.prebuilt. Spelling fixes ("then", "occured") reported by Lauri Nurmi. Added more error reporting in png_default_read_data(). Merged png_free_data() with libpng-1.6.17rc02. Version 1.7.0beta56 [March 11, 2015] Updated CMakeLists.txt to add OSX framework, change YES/NO to ON/OFF for consistency, and remove some useless tests (Alexey Petruchik). Version 1.7.0beta57 [March 16, 2015] Remove pnglibconf.h, pnglibconf.c, and pnglibconf.out instead of pnglibconf.* in "make clean" (Cosmin). Fix bug in calculation of maxbits, in png_write_sBIT, introduced in libpng-1.6.17beta01 (John Bowler). Revert change to png_default_read_data() made in libpng-1.7.0beta55. Version 1.7.0beta58 [March 25, 2015] Implemented affirm() support and usage. Remove pnglibconf.dfn and pnglibconf.pre with "make clean". Added byte, short and other overflow checking Added 'affirm' based overflow checking for debug builds for char and short assignments. Simply ignore the error in release builds (a truncated value will be used without warning). Controlled by PNG_RANGE_CHECK_SUPPORTED. Improved some overflow handling. PNG_RELEASE_BUILD replaces tests where the code depended on the build base type and can be defined on the command line, allowing testing in beta builds. Overflows previously handled by png_warning in png.c have been changed to use new macros/affirm functions so that beta builds will abort on overflow and release builds will quietly ignore it. This avoids release builds producing warnings that are of no use to end users. Check (png_uint_16) casts for overflow. Also removed png_muldiv_warn, added RELEASE/!RELEASE convenience macros. png_muldiv_warn was used in only one place, and the overflow condition is a genuine warning not an internal error. Four macros allow code or function parameters to be condition on RELEASE (or not) builds and tidy up the #ifdef handling of functions. Version 1.7.0beta59 [April 19, 2015] Transformed rewrite: changed row_info, added checks. This introduces an internal struct (png_transform_control) to replace row_info and uses that to implement affirms correctly. The change also adds checks on the rowbytes calculation and additional checks on most transform implementations. Added png_uint_16 range checking, pngvalid tRNS, fixed png_uint_16: review of previous checks, removal of some where SAFE. pngvalid: add testing of tRNS for better code coverage pngvalid: correct rgb-to-gray error calculations. Code coverage is still incomplete: see /*UNTESTED*/ in pngrtran.c. This fixes some arithmetic errors that caused some tests to fail on some 32-bit platforms (Bug reports by Peter Breitenlohner [i686] and Petr Gajdos [i586]). Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler (Bug report by Viktor Szaka'ts). Version 1.7.0beta60 [May 6, 2015] Replaced "unexpected" with an integer (0xabadca11) in pngset.c where a long was expected, to avoid a compiler warning when PNG_DEBUG > 1. Version 1.7.0beta61 [May 31, 2015] Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug report from Christopher Ferris). Changed png_voidcast(), etc., to voidcast(), etc., in contrib/tools/pngfix.c to avoid confusion with the libpng private macros. Fixed old cut&paste bug in the weighted filter selection code in pngwutil.c, introduced in libpng-0.95, March 1997. Version 1.7.0beta62 [June 1, 2015] Removed the experimental WRITE_WEIGHTED_FILTERED code, to save a few kbytes of the compiled library size. It never worked properly and as far as we can tell, no one uses it. The png_set_filter_heuristics() and png_set_filter_heuristics_fixed() APIs are retained but deprecated. Version 1.7.0beta63 [June 6, 2015] Quieted some Coverity issues in pngfix.c, png-fix-itxt.c, pngvalid.c, pngstest.c, and pngimage.c. Most seem harmless, but png-fix-itxt would only work with iTXt chunks with length 255 or less. Fixed cexcept.h in which GCC 5 reported that one of the auto variables in the Try macro needs to be volatile to prevent value being lost over the setjmp, and fixed g++ build breaks (John Bowler). Moved READ_GAMMA to pngrtran.c. This makes everything in pngrtrans.c depend on READ_TRANSFORMS and moves all the transform gamma (READ_GAMMA) code from elsewhere to png_tran.c. There are no code changes. There is one remaining use of the gamma (16-bit) code in the simplified API in pngread.c but that is because of a long-standing libpng bug, namely that the gamma corrected palette is no produced by png_read_update_info (John Bowler). Completed AArch64 support. The previous change to recognize __ARM_NEON didn't touch all the required preprocessor lines. This change removes support for __ARM_NEON__ completely and makes this consistent. Added #ifdef's to contrib/examples programs so people don't try to compile them without the minimum required support enabled (suggested by Flavio Medeiros). Version 1.7.0beta64 [July 26, 2015] Removed non-working progressive reader 'skip' function. This function has apparently never been used. It was implemented to support back-door modification of png_struct in libpng-1.4.x but (because it does nothing and cannot do anything) was apparently never tested (John Bowler). Eliminated the final two Coverity defects (insecure temporary file handling in contrib/libtests/pngstest.c; possible overflow of unsigned char in contrib/tools/png-fix-itxt.c). To use the "secure" file handling, define PNG_USE_MKSTEMP, otherwise "tmpfile()" will be used. Removed some unused WEIGHTED_FILTER macros from png.h and pngstruct.h Rearranged png.h to put the major sections in the same order as in libpng16. Belatedly added Mans Rullgard and James Yu to the list of Contributing Authors. Version 1.7.0beta65 [September 16, 2015] Use nanosleep() instead of usleep() in contrib/gregbook/rpng2-x.c because usleep() is deprecated (port from libpng16). Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c Fixed uninitialized variable in contrib/gregbook/rpng2-x.c Moved config.h.in~ from the "libpng_autotools_files" list to the "libpng_autotools_extra" list in autogen.sh because it was causing a false positive for missing files (bug report by Robert C. Seacord). Fixed some bad links in the man page. Renamed the arm subdirectory to contrib/neon. Made minor fixes to the test scripts: pngimage: add --list-combos pngunknown: add --strict to catch warnings pngvalid-standard: remove the spurious --progressive read (compare with pngvalid-progressive-standard!) (John Bowler). Implemented a new chunk parse implementation that can be shared. It is currently shared by the progressive reader and the sequential one (but not yet by the writer) (John Bowler). Implemented shared transform handling that is used throughout (John Bowler). Version 1.7.0beta66 [October 2, 2015] Enabled the low-bit-depth gray tests that were disabled in prior versions of libpng because of problems that should have been fixed by the recent changes to libpng17. Enabling the tests revealed bugs in those changes which are now corrected. Replaced the memcpy of png_transform_background with a structure copy which is safer since it doesn't depend on knowing the first member to be copied, also the copies are improved to copy the transform args too; not required at present but it may prevent a bug being introduced in the future. Fixed some new Coverity defects that were introduced in 1.7.0beta65. Fixed makepng.c so that it compiles with GCC 5.1.0. Added contrib/testspngs/: a directory for additional test png files generated by makepng. Fixed dead code reported by Coverity (John Bowler). Limit the calls to crc32 to ZLIB_IO_MAX, although it is not clear that this is optimal (John Bowler). Make pngstest error limits version specific. Splitting the machine generated error structs out to a file allows the values to be updated without changing pngstest.c itself. Since libpng 1.6 and 1.7 have slightly different error limits this simplifies maintenance. The makepngs.sh script has also been updated to more accurately reflect current problems in libpng 1.7 (John Bowler). Fixed gamma-handling issues. One serious bug is that 8 was forced as a bit depth when caching a palette, even though the palette had been expanded. One less serious bug, the optimization for avoiding gamma correction introduced significant errors if the app subsequently did further corrections, only shown by using files with gAMA 1/1.52 in pngstest (John Bowler). Suppressed bogus Coverity issues in pngrutil.c and pngwutil.c. Corrected sRGB gamma handling in the Simplified API (John Bowler). If a gamma encoded file that has a gamma not matching that of sRGB is passed to the simplified API the previous code simply interpreted it as a power law encoding. However old Mac files had a power law correction of 1.45 built in to the encoding, even though the display devices were consistent with sRGB. Assuming a power law encoding results in substantial differences in the interpretation of low 8-bit values; below 10. For example an Apple '5' which is equivalent to an sRGB '17' ends up as the value '8'. This patch provides some measure of correction for this by making the gamma correction done within the simplified API assume that any encoded data is encoded relative to an sRGB-like transfer function; the data is corrected back to the PNG-nominal 2.2 value then decoded to linear (if required) using the sRGB transfer function. This reduces the errors reported by pngstest for such files (colormapped ones) but still leaves the issue with files where the standard libpng code does the gamma decoding. To cope with the latter cases there is a new pngstest-errors which allows the result; however, this is still a work-in-progress; a better solution is possible. Added a '--small' option to 'makepng' to allow the generation of smaller images that also give better test case coverage. Also added copyright and licence to the generated images, reflecting the fact that they are original works of the author of the code. The licence used is the Creative Commons Public Domain (CC0-1.0) one, which is appropriate for non-source-code works. The resultant images were used to generate the recently-updated pngstest-errors.h file (John Bowler). Added test files generated by "contrib/testpngs/makepngs.sh --small" with MAKEPNG set to the makepng compiled from the current contrib/libtests/makepngs.sh, to the "contrib/testpngs" directory. Made png_rgb_to_gray() optimization fixes. This fixes the code that optimizes RGB to Gray transformations that only selected on channel and clarifies the handling of max_depth in the transform code (John Bowler). Incorporated new test PNG files into make check. tests/pngstest-* are changed so that the new test files are divided into 8 groups by gamma and alpha channel. These tests have considerably better code and pixel-value coverage than contrib/pngsuite; however,coverage is still incomplete (John Bowler). Fixed png_set_tRNS_to_alpha for low-bit-depth gray and enabled low-bit-depth gray tests in pngvalid (John Bowler). Fixed sBIT handling in the low-bit-depth gray and pngstest cases, extended sBIT handling to the colormap code in the simplified API which is separately implemented in pngread.c (John Bowler). Version 1.7.0beta67 [November 3, 2015] Fixed 'pow' macros in pngvalid.c. It is legal for 'pow' to be a macro, therefore the argument list cannot contain preprocessing directives. Make sure pow is a function where this happens. This is a minimal safe fix, the issue only arises in non-performance-critical code (bug report by Curtis Leach, fix by John Bowler). Added sPLT chunk support to pngtest.c Prevent setting or writing over-length PLTE chunk (bug report by Cosmin Truta) (CVE-2015-8126). Silently truncate over-length PLTE chunk while reading. Fixed some inconsequential cut-and-paste typos in png_set_cHRM_XYZ_fixed(). Clarified COPYRIGHT information to state explicitly that versions are derived from previous versions. Removed much of the long list of previous versions from png.h and libpng.3. Version 1.7.0beta68 [November 12, 2015] Fixed new bug with CRC error after reading an over-length palette (bug report by Cosmin Truta). Cleaned up coding style in png_handle_PLTE(). Version 1.7.0beta69 [November 24, 2015] Avoid potential pointer overflow/underflow in png_handle_sPLT() and png_handle_pCAL() (Bug report by John Regehr). Avoid conditionally compiling parts of statements in png.c (suggested by flaviommedeiros). Fixed incorrect implementation of png_set_PLTE() that uses png_ptr not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 vulnerability. Added pngvalid --transform --interlace test. This increases code coverage by generating test cases with smaller length rows as a result of the interlacing. Without this packswap handling was incompletely tested. Fixed NO_WRITE_INTERLACE in pngvalid.c. The support for writing interlaced images directly from libpng 1.7 was unintentionally disabled (INTERLACE_LAST was defined incorrectly, excluding the interlaced images). This obscured the fact that the transform and error test case generators lacked the support for writing interlaced images from libpng. Transform rewrite: perform transforms in small chunks. The intent of this change is to reduce the memory footprint during transform sequences by performing transforms in fixed (small) sized blocks of pixels. The change is incomplete; the filter code still works row-by-row, so the whole tranform also works row-by-row. The intent is to fix this so that everything works in small(ish) chunks. At present the change has no discernable effect on pngvalid --speed or pngstest with (e.g.) rgb-8-1.8.png; user time and (minor) page faults are the same in old and new versions. The same applies to real-world 15MP PNG images; even on these the presence of the filter code causes a cyclical progress through memory which will interfere with any caching otherwise possible (useful word, 'otherwise'.) Read row buffer changes. The read code now allocates one row buffer of the size of the input PNG row and, only if required, one buffer of the size of the output. The output buffer is required for the progressive reader (always) and for the sequential reader if libpng is de-interlacing an image (because the output row is used multiple times if png_read_row is called with a display row parameter.) This should reduce memory utilization by libpng significantly, but it has no detectable effect on overall performance figures of the test programs; these are probably dominated by memory allocations for the whole image within the test programs. Now that the code works consistently so that these just switch off the support for having libpng do the interlace/deinterlace, the old names make more sense. Restoring them avoids cruft in the configuration file and avoids an unnecessary version specific change. The reliance of png_read_png on interlace handling and some minor issues in the test programs where they failed to correctly check for interlace handling were exposed by the ability to write interlaced images even if WRITE_INTERLACING is turned off. This is fixed here. Changed the detection of invalid application behavior (too many calls to png_read_row) from an affirm to a png_app_error. Fixed the PNG_MAX_GAMMA_8 handling and png_set_rgb_to_gray, which had bugs which were likely to expose end cases of rgb-to-gray conversion errors. This might possibly explain some of the machine math dependencies we are seeing. Temporarily disabled filter selection while writing, and temporarily replaced pngtest.png accordingly. Version 1.7.0beta70 [December 3, 2015] Fixed a simple bracket problem that prevented reading non-interlaced PNG files with height == 1. The code failed to zero out the row buffer at the start of a pass where the AVG filter is used because 'row_number' is not always zero (on interlaced images) and, apparently, the assertion that the buffer had been zeroed when allocated was not always correct for non-interlaced images. Revealed by pngvalid --size with a hack to make it always use AVG. Fixed an error in handling of bad zlib CMINFO field in pngfix, found by American Fuzzy Lop, reported by Brian Carpenter. inflate() doesn't immediately fault a bad CMINFO field; instead a 'too far back' error happens later (at least some times). pngfix failed to limit CMINFO to the allowed values but then assumed that window_bits was in range, triggering an assert. The bug is mostly harmless; the PNG file cannot be fixed. Test the 'size' images in the sequential reader. The existing test case only uses the progressive reader which means that important parts of the filter code never got tested. Improved pngvalid coverage of filter combinations, remove the (new in 1.7) code which disabled previous-row filters on the first row of an image in some cases. Removed all trailing spaces from source files in contrib Moved code round and changed the filter write interfaces that took png_uint_32 buffer pixel counts to unsigned int. Also moved compression code and definitions into pngwutil.c so that the compression code is isolated from other definitions. Unified the compression code so that inflate calls are localized to a common routine. Ground work for filter selection support. Minor API changes to use void* not byte* for data parameters. Unification of some of the compression code with the decompression code; IDAT_size replaces IDAT_read_size and zbuffer_size, IDAT reading and writing is no longer controlled by the size of the compression buffer. Separated png_compress_IDAT into write/compress, removed some trailing spaces and cleaned up pnglibconf. Removed the side-effect on the png_struct palette of calling png_set_PLTE() or png_set_tRNS(). This is a quiet API change; it was previously possible to alter the palette on a PNG image by using png_set_PLTE, but this was unintended and inconsistent with the other png_set APIs. This fixes CVE-2015-8472. Fixed a bug in palette index checking; png_struct::num_palette could, in principle, get changed by the transformations (e.g. png_set_quantize) and this would invalidate the check. The palette checking init function now makes a copy of png_struct::num_palette. Fixed a bug in pngvalid error handling. A png_error in png_write_info is not continuable (a valid image cannot necessarily be written afterward) because the png_error aborts the write of subsequent pre-IDAT chunks. In particular an abort as a result of a bogus colorspace information (gAMA, cHRM, sBIT etc) prevents the write of the PLTE chunk. Version 1.7.0beta71 [omitted] Version 1.7.0beta72 [December 7, 2015] Implemented new filter selection heuristic. Attempted to make the selection options more intuitive. Fixed a build break in no-write-filters cases. Re-applied some recent patches to libpng-1.7.0beta70 that were accidentally lost while publishing the beta70 tar distribution. Fixed g++ builds, where enums (int), G++ objects (int) and (unsigned) were being used together in ?: Fixed stack smashing problem in write png_copy_row that was introduced in libpng-1.7.0beta70. This also resulted in PNG data with random row bytes. Version 1.7.0beta73 [December 11, 2015] Fixed syntax "$(command)" in tests/pngstest that some shells other than bash could not parse (Bug report by Nelson Beebe). Use `command` instead. Combined some redundant checks on info_ptr==NULL in png_handle_PLTE() Changed png_struct->options from png_byte to png_uint_32, to hold up to 16 2-bit options. Version 1.7.0beta74 [December 19, 2015] Fixed copyright years in source files. Removed LE/BE dependencies in pngvalid, to 'fix' the current problem in the BigEndian tests by not testing it, making the BE code the same as the LE version. Fixes to pngvalid for various reduced build configurations (eliminate unused statics) and a fix for the case in rgb_to_gray when the digitize option reduces graylo to 0, producing a large error. Widened the 'limit' check on the internally calculated error limits in the 'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error checks) and changed the check to only operate in non-release builds (base build type not RC or RELEASE.) Fixed undefined behavior in pngvalid.c, undefined because (png_byte) << shift is undefined if it changes the signed bit (because png_byte is promoted to int). The libpng exported functions png_get_uint_32 and png_get_uint_16 handle this. (Bug reported by David Drysdale as a result of reports from UBSAN in clang 3.8). This changes pngvalid to use BE random numbers; this used to produce errors but these should not be fixed as a result of the previous changes. Implemented a prototype of filter selection. This rewrites the code used previously in the heuristics to make it easier to debug and introduces the 'methodical' method, which is intended to be an expensive but reliable way of reducing image size. The code in this commit does not work; the 'methodical' test for success does not take account of data buffered inside zlib and, anyway, it changes the results of pngtest so that the test fails. This is just a checkpoint of the current state Disabled 'methodical' filter selection code. It is incomplete; it works but does not do anything useful except, maybe, on really enormous images. Added .travis.yml configuration file to control Travis continuous integration testing (David Drysdale). Version 1.7.0beta75 [December 21, 2015] Fixed duplicate tIME chunk from png_write_png. Added an example program, pngcp.c, that illustrates the problem when used to copy pngtest.png (the result is an invalid PNG because the tIME chunk is duplicated.) Re-enabled 'methodical' filter selection code. Added an accurate 'methodical' measure. Fixed incorrect references to 'pngimage' in pngcp. Fixed incorrect debug macro in release builds. Reversed the order of tests in png_zlib_compress_validate((). Undefined behaviour sanitizer currently fires for this test with an error about member access within null pointer to struct; put the check that relies on pz->list being non-NULL second (David Drysdale). Version 1.7.0beta76 [January 7, 2016] Corrected the options handling. Setting the new, higher, option bits triggered the byte check (which is no longer necessary). Added NULL pz->list test to png_zlib_compress_validate(). This seems safer; in fact, a NULL dereference never happens because the test ends up just doing arithmetic on NULL but it seems possible that the undefined arithmetic can still happen if there is a bug elsewhere. Added code to pngcp.c to iterate through the command line options when non-list options have the 'all' parameter. This is used to rapidly test the effect of different zlib options. Revised the handling of tIME and text chunks on read to record the location of the chunks relative to PLTE and IDAT. Behavior on write is unchanged except that if the position was recorded on read it will be re-used. This involves an ABI change to the png_text_struct; a one byte location field is added (with the same meaning as the one used to record unknown chunk location.) Because this field is only used on read there is no API change unless a png_info from a libpng read is passed to a subsequent libpng write (this did not work very well before 1.7; the tIME chunk could get duplicated.) The new field is ignored by png_set_text(), resetting it to the current position in the read or write stream. On write the position is set to the next location to be written unless the write has not started (the position is before the signature) in which case the location is set to PNG_HAVE_PLTE|PNG_AFTER_IDAT. When the chunk is written the position is set to the actual write location (effectively the position is frozen.) Relocated assert() in contrib/tools/pngfix.c, bug found by American Fuzzy Lop, reported by Brian Carpenter. Marked 'limit' UNUSED in transform_range_check(). This only affects release builds. Fixed new Coverity defect, potential NULL dereference of "ps" in pngwutil.c Added temporary workaround for Coverity "Dead code" defect. Version 1.7.0beta77 [January 16, 2016] Fixed new Coverity defect, another NULL dereference of "ps" in pngwutil.c Prevent the CMINFO optimization code from running twice on any PNG IDAT stream longer than 2048 bytes; the second time could overwrite bytes 2048,2049, invalidating the output. Fixed a (debug) checks that was slightly wrong (< when <= should have been used) and this caused write to abort maybe 1 out of 2048 times. Improved the contrib/examples/pngcp search mode. This is still a work-in-progress, but it seems fairly stable (if not exactly 100% optimal). pngcp now allows 'all' for some options which iterates through all possible settings (this reliably produces the smallest IDAT that libpng can produce with those settings.) It also contains a "--search" command line option that attempts to optimize this by skipping pointless tests; it is close, most of the time, but not perfect. Fixed write problem with reduced size IDAT chunks. png_set_compression_buffer_size would result in a spurious debug assert if the compression buffer size was set to something other than a multiple of PNG_ROW_BUFFER_SIZE; the debug test failed to add the buffer 'start' The sequential read code failed to read to the end of the IDAT stream in about 1 of 820 cases, resulting in a spurious warning. The png_set_compression_buffer_size API also would not work (or do bad things) if the size of a zlib uInt was less than 32 bits. Added pngcp IDAT size test and changed the order of the 'level' and 'windowBits' searches to seach windowBits first; this favors windowBits optimizations over compression level ones on the basis that the latter should only affect the write code. This includes a quiet API change to alter png_set_compression_buffer_size to use a png_alloc_size_t, not png_size_t and implement the correct checks. Fixed recently introduced palette sharing bug. The internal read code change to stop sharing the palette was incompletely implemented. The result is that unless palette index checking is turned off and there are no read transformations the png_info palette gets deleted when the png_struct is deleted. This is normally harmless (png_info gets deleted first) but in the case of pngcp it results in use-after-free of the palette and, therefore, palette corruption and maybe on some operating systems and access violation. Updated the pngcp 'search' mode to check a restricted range of memLevels; there is an unrelated bug which means that lower zlib memLevels result in memory corruption under some circumstances, probably less often than 1:1000. Attempted to work around a false-positive Coverity issue in pngvalid.c. Version 1.7.0beta78 [January 23, 2016] Changed PNG_USE_MKSTEMP to __COVERITY__ to select alternate "tmpfile()" implementation in contrib/libtests/pngstest.c Fixed NO_STDIO build of pngunknown.c to skip calling png_init_io() if there is no stdio.h support. Added a png_image_write_to_memory() API and a number of assist macros to allow an application that uses the simplified API write to bypass stdio and write directly to memory. Added some warnings (png.h) and some check code to detect *possible* overflow in the ROW_STRIDE and simplified image SIZE macros. This disallows image width/height/format that *might* overflow. This is a quiet API change that limits in-memory image size (uncompressed) to less than 4GByte and image row size (stride) to less than 2GByte. Revised Simplified API to use system appropriate types. This is an API change for 1.7, albeit a quiet one; it may produce compiler warnings but should not result in errors, unless warnings are treated as errors. On 64-bit systems it widens the results of the various PNG_IMAGE_ macros that return size values (component counts, byte sizes) to 64 bits. It also changes the row_stride parameter, which is the pointer difference between adjacent rows of the image buffer, to the ANSI-C90 defined type ptrdiff_t. The existing (1.6.22) checks for overflow are preserved but now accomodate images that require more than 32 bits of address space when size_t/ptrdiff_t are 64 bit types. Revised workaround for false-positive Coverity issue in pngvalid.c. Version 1.7.0beta79 [March 9, 2016] Only use exit(77) in configure builds. Corrected error in PNG_IMAGE_PNG_SIZE_MAX. This new macro underreported the palette size because it failed to take into account that the memory palette has to be expanded to full RGB when it is written to PNG. Updated CMakeLists.txt, added supporting scripts/gen*.cmake.in and test.cmake.in (Roger Leigh). Revised pngstest to (by default) make random backgrounds on a per-file, not per-session, basis. Refined pngcp with better (more consistent) reporting of the "--search" results plus changes so that when compiled against libpng 1.6 the program correctly copies text chunks; previously when a search option caused multiple copies of the same file the copies after the first would not have the text chunks. Expanded search logging in pngcp to output results during the search; sufficient for basic tests on zlib parameters. More sophisticated default write compression options, which helps significantly for some files along with code to make it easier to control the compression defaults and to make the settings honor the API calls the application makes (previously low windowBits settings would get reset to higher values.) Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h (Robert C. Seacord). Various other flags in png.h made unsigned as well. Fixed some misleading indentation (Krishnaraj Bhat). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement to subscribe) or to glennrp at users.sourceforge.net Glenn R-P