You can subscribe to this list here.
2005 |
Jan
(2) |
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
(1) |
Aug
(2) |
Sep
|
Oct
|
Nov
|
Dec
|
---|---|---|---|---|---|---|---|---|---|---|---|---|
2006 |
Jan
|
Feb
|
Mar
(1) |
Apr
(3) |
May
|
Jun
(1) |
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
|
Dec
(1) |
2007 |
Jan
(2) |
Feb
|
Mar
|
Apr
(3) |
May
(2) |
Jun
|
Jul
(3) |
Aug
(1) |
Sep
(1) |
Oct
(2) |
Nov
(1) |
Dec
(1) |
2008 |
Jan
|
Feb
(1) |
Mar
(1) |
Apr
(7) |
May
(1) |
Jun
|
Jul
(1) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
2009 |
Jan
|
Feb
(1) |
Mar
|
Apr
(1) |
May
(1) |
Jun
(1) |
Jul
(1) |
Aug
(1) |
Sep
(1) |
Oct
|
Nov
|
Dec
(1) |
2010 |
Jan
(2) |
Feb
(2) |
Mar
|
Apr
|
May
|
Jun
(1) |
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
|
Dec
(1) |
2011 |
Jan
(1) |
Feb
(1) |
Mar
(1) |
Apr
(3) |
May
|
Jun
|
Jul
(2) |
Aug
|
Sep
(1) |
Oct
|
Nov
(1) |
Dec
(1) |
2012 |
Jan
|
Feb
(3) |
Mar
(2) |
Apr
|
May
|
Jun
(1) |
Jul
(3) |
Aug
|
Sep
(1) |
Oct
|
Nov
|
Dec
|
2013 |
Jan
(1) |
Feb
(1) |
Mar
(2) |
Apr
(1) |
May
(1) |
Jun
(1) |
Jul
(2) |
Aug
|
Sep
(3) |
Oct
|
Nov
(1) |
Dec
(1) |
2014 |
Jan
|
Feb
(2) |
Mar
(1) |
Apr
|
May
|
Jun
(2) |
Jul
|
Aug
(1) |
Sep
|
Oct
(1) |
Nov
(1) |
Dec
(1) |
2015 |
Jan
|
Feb
(2) |
Mar
(1) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
(1) |
Dec
(2) |
2016 |
Jan
(1) |
Feb
|
Mar
|
Apr
|
May
(2) |
Jun
(1) |
Jul
|
Aug
(2) |
Sep
(2) |
Oct
(1) |
Nov
|
Dec
(2) |
2017 |
Jan
(3) |
Feb
|
Mar
(1) |
Apr
(1) |
May
|
Jun
(4) |
Jul
(3) |
Aug
(1) |
Sep
|
Oct
|
Nov
|
Dec
|
2018 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
(1) |
Nov
|
Dec
(1) |
2019 |
Jan
|
Feb
|
Mar
|
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
2022 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
(1) |
Dec
|
2023 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(1) |
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
2024 |
Jan
(2) |
Feb
(1) |
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
|
Dec
|
From: Cosmin T. <ct...@gm...> - 2024-09-13 00:56:33
|
Hi there, hello! As of today, the newest libpng release in the 1.6 line is out, business-as-usual. The release tag, named "v1.6.44", is GPG-signed. This is an accumulation of various fixes and improvements, in the libpng code, and in the build scripts. I don't have much to add besides what's in the ANNOUNCE file, but I do want to point out that we've been talking on the GitHub forums about forking off a branch from 1.6.44. Let's call it, tentatively, libpng18. There are still pull requests waiting in line, some of which are highly useful, yet hard to apply to the libpng16 branch without risking breakage in rather obscure areas of compatibility with existing build workflows. Tomorrow I'll fork off a new branch and start a new discussion on png-mng-implement. (It's been a while...) https://github.com/pnggroup/libpng/tree/v1.6.44/ https://sourceforge.net/projects/libpng/files/libpng16/1.6.44/ https://raw.githubusercontent.com/pnggroup/libpng/v1.6.44/ANNOUNCE Last but not least, I would like to publicly express my thanks to Travis CI and AppVeyor CI. We have been verifying our builds for years (on FreeBSD, Linux, Mac and Windows) thanks to their graceful support of our project. https://app.travis-ci.com/github/ctruta/libpng https://ci.appveyor.com/project/ctruta/libpng -- In the good old tradition of file authentication, here are the SHA-2-256 checksums of the published files: libpng-1.6.44.tar.gz 8c25a7792099a0089fa1cc76c94260d0bb3f1ec52b93671b572f8bb61577b732 libpng-1.6.44.tar.xz 60c4da1d5b7f0aa8d158da48e8f8afa9773c1c8baa5d21974df61f1886b8ce8e lpng1644.7z ba7aa9adf6d0d0b7f4afc5004d09607b4cb6afae1db9e295da5bcf9a9d27f171 lpng1644.zip 7d7571a1faa1898b69888716dfdea0e4d466f1a5cf518e6aa626df2242bbadbe -- Sincerely, Cosmin |
From: Cosmin T. <ct...@gm...> - 2024-02-23 21:23:23
|
Hi there, hello! As of today, the newest libpng release in the 1.6 line is out, business-as-usual. The release tag, named "v1.6.43", is GPG-signed. We now have support for eXIf chunks in the "push" reader, thanks to Chris Blume. On the topic of EXIF support: the "pngexifinfo" experiment, which had evolved together with the draft specification until it reached its final form known as "eXIf 2017-05-31", is now available at its new home in the new subdirectory contrib/pngexif. Interestingly, we have a fix that is applicable to the 16-bit platform builds of libpng (which, by the way, are not only still existing but also still functioning), thanks to John Bowler. And we have all kinds of fixes and improvements in the build scripts, in the test suite, and in the CI verification process. Notable among those improvements is the linting script (ci/ci_lint.sh), running automatically as a GitHub Action for all contributors. (Thanks, GitHub!) https://github.com/pnggroup/libpng/tree/v1.6.43/ https://sourceforge.net/projects/libpng/files/libpng16/1.6.43/ https://raw.githubusercontent.com/pnggroup/libpng/v1.6.43/ANNOUNCE https://github.com/pnggroup/libpng/actions/workflows/lint.yml Last but not least, I would like to publicly express my thanks to Travis CI and AppVeyor CI. We have been verifying our builds for years (on FreeBSD, Linux, Mac and Windows) thanks to their graceful support of our project. https://app.travis-ci.com/github/ctruta/libpng https://ci.appveyor.com/project/ctruta/libpng -- In the good old tradition of file authentication, here are the SHA-2-256 checksums of the published files: libpng-1.6.43.tar.gz e804e465d4b109b5ad285a8fb71f0dd3f74f0068f91ce3cdfde618180c174925 libpng-1.6.43.tar.xz 6a5ca0652392a2d7c9db2ae5b40210843c0bbc081cbd410825ab00cc59f14a6c lpng1643.7z cb6345a4babcd500775626c2f0500df4f14cacd5b06dd906d2c814f7491d9374 lpng1643.zip fc466a1e638e635d6c66363bdf3f38555b81b0141d0b06ba45b49ccca327436d -- Sincerely, Cosmin |
From: Cosmin T. <ct...@gm...> - 2024-01-30 19:05:43
|
Hi there, hello! Thanks to Matthieu Darbois who reported an API+ABI breakage in the macro function png_check_sig(), accidentally introduced in libpng-1.6.41, we are having an earlier-than-anticipated release version 1.6.42. https://github.com/pnggroup/libpng/tree/v1.6.42/ https://sourceforge.net/projects/libpng/files/libpng16/1.6.42/ https://raw.githubusercontent.com/pnggroup/libpng/v1.6.42/ANNOUNCE The answer to the (quote-unquote) "that question" is always yes, meaning that we always need more testing. As for the details about the broken-and-fixed png_check_sig(), according to the change log, this function was declared obsolete in libpng-1.0.2a (in January 1999), removed in libpng-1.4.0beta1 (in April 2006), restored again in libpng-1.5.0beta16 (in April 2010), and it's been in there, as a macro pretending to be a function, untested and considered obsolete until today. -- In the good old tradition of file authentication, here are the SHA-2-256 checksums of the published files: libpng-1.6.42.tar.gz eaa27b655f2cd37a3677372d7dfc646263401ef79d4f433345f24429ec60334a libpng-1.6.42.tar.xz c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450 lpng1642.7z c86fc3a2b27b6be0953acefb44cbfac7a4340566c869b37da3918a450e9de905 lpng1642.zip 0c4ca632d1f6880aea2be0490e5902dfe1737f53f95fb83980564e9e99b9b137 -- Sincerely, Cosmin |
From: Cosmin T. <ct...@gm...> - 2024-01-25 04:04:18
|
Hi there, hello! In preparation for the up-and-coming PNG version 3, the up-and-coming "libpng-ng" branch in our reference library, and the up-and-coming "pngmuseum" repository, I would like to make one BIG ANNOUNCEMENT: Glenn's repo at GitHub https://github.com/glennrp/libpng is now moved entirely (with all past and present tickets and pull requests and everything) to its new home https://github.com/pnggroup/libpng Also very importantly, not to mention very conveniently, the references to the old repo are automatically redirected to the new one. Many thanks to GitHub for their cooperation. I would also like to publicly express my thanks to Travis CI and AppVeyor CI. We have been verifying our builds for years (on FreeBSD, Linux, Mac and Windows) thanks to their graceful support of our project. https://app.travis-ci.com/github/ctruta/libpng https://ci.appveyor.com/project/ctruta/libpng --- And now, to our usual business. libpng-1.6.41 is officially out of the door and into our world. https://github.com/pnggroup/libpng/tree/v1.6.41/ https://sourceforge.net/projects/libpng/files/libpng16/1.6.41/ https://raw.githubusercontent.com/pnggroup/libpng/v1.6.41/ANNOUNCE This is a regular maintenance release in which we added, most notably, SIMD-optimized code for the Loongarch LSX architecture. Many thanks to the fine folks at Loongson Technology for their contribution. And now, we're on to libpng-1.6.42.git and to the integration of the next-in-line submissions: the SIMD-optimized code for RISC-V. --- In the good old tradition of file authentication, here are the SHA-2-256 checksums of the published files: libpng-1.6.41.tar.gz f00a11840f60616bdced9056d0f4cf2e4897697db039f15ce911704f957d3c5d libpng-1.6.41.tar.xz d6a49a7a4abca7e44f72542030e53319c081fea508daccf4ecc7c6d9958d190f lpng1641.7z 051ac439f2dff1a11af599770769aadaccfa2fb567457cf5bf0a93a4944017f1 lpng1641.zip 00555bfc39d0999e318512267134df03673676836d041b11c1342fed6e086a28 --- Sincerely, Cosmin |
From: Cosmin T. <ct...@gm...> - 2023-06-22 02:58:56
|
Happy summer solstice, everyone! libpng-1.6.40 is officially out of our door and into our world. https://github.com/pnggroup/libpng/tree/v1.6.40/ <https://github.com/pnggroup/libpng/tree/v1.6.39/> https://sourceforge.net/projects/libpng/files/libpng16/1.6.40/ <https://sourceforge.net/projects/libpng/files/libpng16/1.6.39/> This is a maintenance release, consisting entirely of fixes and cleanups. Most notably, it contains a fix for the multiplicity check in eXIf processing, a fix for a memory leak in pCAL processing, and a fix for the reporting of tRNS validity. Many thanks to all contributors! https://github.com/pnggroup/libpng/blob/v1.6.40/ANNOUNCE <https://github.com/pnggroup/libpng/blob/v1.6.39/ANNOUNCE> --- In the good old tradition of file authentication, here are the SHA-2-256 checksums of the published files: libpng-1.6.40.tar.gz 8f720b363aa08683c9bf2a563236f45313af2c55d542b5481ae17dd8d183bb42 libpng-1.6.40.tar.xz 535b479b2467ff231a3ec6d92a525906fb8ef27978be4f66dbe05d3f3a01b3a1 lpng1640.7z 14ab95ec9abc05c1a48e72b61084b969ed82be387a2106439affed1eaf5c30a6 lpng1640.zip 0b05310afd15c4f5ccbbae13b4eec4573ee519dc1c76c411c8c10998ea93f107 --- Sincerely, Cosmin |
From: Cosmin T. <ct...@gm...> - 2022-11-21 16:01:21
|
Hello, everyone, Without too much ado: libpng-1.6.39 is officially out of our door and into our world. https://github.com/pnggroup/libpng/tree/v1.6.39/ https://sourceforge.net/projects/libpng/files/libpng16/1.6.39/ This is a maintenance release, with one little non-breaking API change (in which large PNG chunks are signalled as benign errors rather than hard errors), and with a bunch of fixes and improvements. The externally-contributed tools pngcp and pngfix are finally fixed as well. Many thanks to all contributors! https://github.com/pnggroup/libpng/blob/v1.6.39/ANNOUNCE -- In the good old tradition of file authentication, here are the SHA-2-256 checksums of the published files: libpng-1.6.39.tar.gz af4fb7f260f839919e5958e5ab01a275d4fe436d45442a36ee62f73e5beb75ba libpng-1.6.39.tar.xz 1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937 lpng1639.7z 2364ef4713131e5747bb12fccdf5f2fbed9593b34d9a20a825f45bc57ee5f414 lpng1639.zip 66463f0a54041c99de104dff70c190aa497dcf1517f218a29df5265ce57b170f --- Sincerely, Cosmin |
From: Cosmin T. <ct...@gm...> - 2022-09-15 03:25:40
|
Dear libpng users, After a long delay, I am very pleased to announce that libpng-1.6.38 is available for download at its usual SourceForge location: https://sourceforge.net/projects/libpng/files/libpng16/1.6.38/ This is a maintenance release, with no new features, but with numerous fixes and improvements of various kinds. The ANNOUNCE file, found in the archive, contains the brief description of additions, while the Git log will show you the entire list of changes from the previous tag (v1.6.37) to the current tag (v1.6.38). The process of ever-improving this library is still ongoing. Most notably, externally-contributed tools like pngcp and pngfix still need fixing. Patches to these tools have been available in Glenn's repository on GitHub for a while, and they are next in line to be applied. Moreover, Glenn's repository will need to be transferred to its new home at https://github.com/pnggroup and that will be the subject of a separate discussion. On a personal note, I am aware that my long absence has been noticed. It was hard for me to be away, but I am glad to announce that I'm back and I'm able to continue. I would like to dedicate this release to my daughter -- happy birthday, Maria! --- In the good old tradition of file authentication, here are the SHA-2-256 checksums of the published files: libpng-1.6.38.tar.gz e2b5e1b4329650992c041996cf1269681b341191dc07ffed816c555769cceb77 libpng-1.6.38.tar.xz b3683e8b8111ebf6f1ac004ebb6b0c975cd310ec469d98364388e9cedbfa68be lpng1638.7z b0f8777ed16b484fdf2f7bceeae4b457b7be3e74df7d367e4520fcca05650957 lpng1638.zip b3dc7ca5ff67a7346ffd8454a463cfbfe6aee09f4b7ebf0a6c1cb17d886120d6 --- Sincerely, Cosmin |
From: Cosmin T. <ct...@gm...> - 2019-04-16 05:12:14
|
Dear libpng users, I am pleased to announce that libpng-1.6.37 is available for download at its usual SourceForge location: https://sourceforge.net/projects/libpng/files/libpng16/1.6.37/ This is largely a bugfix-only release. Most importantly, it contains a fix for a use-after-free vulnerability (CVE-2019-7317) affecting the simplified libpng API, and a fix for a memory leak affecting the ARM NEON implementation of the palette-to-RGB(A) expansion. For authentication purposes, here are the SHA256 checksums: libpng-1.6.37.tar.gz daeb2620d829575513e35fecc83f0d3791a620b9b93d800b763542ece9390fb4 libpng-1.6.37.tar.xz 505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca lpng1637.7z 1f1e8fc10d3575c9694a72d63c49752d2251d9683b6030850d806acc5e5e86fa lpng1637.zip 3b4b1cbd0bae6822f749d39b1ccadd6297f05e2b85a83dd2ce6ecd7d09eabdf2 For the complete list of changes, see https://sourceforge.net/p/libpng/code/ci/v1.6.37/tree/ANNOUNCE -- Sincerely, Cosmin |
From: Cosmin T. <ct...@gm...> - 2018-12-02 08:13:21
|
Dear libpng users, I am pleased to announce that libpng-1.6.36 is available for download at its usual SourceForge location: https://sourceforge.net/projects/libpng/files/libpng16/1.6.36/ == IMPORTANT licensing update: libpng license version 2 == The new libpng license comprises the terms and conditions from the zlib license, and the disclaimer from the Boost license. The legacy libpng license, used until libpng-1.6.35, is appended to the new license, following the precedent established in the Python Software Foundation License version 2. >From now on, the list of contributing authors shall be maintained in a separate AUTHORS file. The lists of previous contributing authors, mentioned in the legacy libpng license and considered to be an integral part of that license, are kept intact, with no further updates. https://sourceforge.net/projects/libpng/files/libpng16/1.6.36/LICENSE.md https://sourceforge.net/projects/libpng/files/libpng16/1.6.36/AUTHORS.md https://sourceforge.net/projects/libpng/files/libpng16/1.6.36/TRADEMARK.md == CHANGES since the previous public release (version 1.6.35) == * Optimized png_do_expand_palette for ARM processors. Improved performance by around 10-22% on a recent ARM Chromebook. (Contributed by Richard Townsend, ARM Holdings) * Fixed manipulation of machine-specific optimization options. (Contributed by Vicki Pfau) * Used memcpy instead of manual pointer arithmetic on Intel SSE2. (Contributed by Samuel Williams) * Fixed build errors with MSVC on ARM64. (Contributed by Zhijie Liang) * Fixed detection of libm in CMakeLists. (Contributed by Cameron Cawley) * Fixed incorrect creation of pkg-config file in CMakeLists. (Contributed by Kyle Bentley) * Fixed the CMake build on Windows MSYS by avoiding symlinks. * Fixed a build warning on OpenBSD. (Contributed by Theo Buehler) * Fixed various typos in comments. (Contributed by "luz.paz") * Raised the minimum required CMake version from 3.0.2 to 3.1. * Removed yet more of the vestigial support for pre-ANSI C compilers. * Removed ancient makefiles for ancient systems that have been broken across all previous libpng-1.6.x versions. * Removed the Y2K compliance statement and the export control information. * Applied various code style and documentation fixes. Enjoy! Sincerely, Cosmin |
From: Cosmin T. <ct...@gm...> - 2018-10-22 18:01:54
|
Dear PNG users, developers and contributors, I am deeply saddened to inform you that Glenn Randers-Pehrson, our long-time group lead, passed away last weekend, following a long and painful illness. Glenn is one of the original designers of the PNG format, and a co-founder of the PNG Development Group, back in the mid-90's. He took good care of the PNG Specification, as a contributing author for PNG version 1.0, and as the main editor for all of the subsequent editions through PNG 1.1 and 1.2, until the current W3C/ISO/IEC standard PNG Specification, Second Edition. In addition, all of the related Specifications, i.e., the registered PNG extensions, and the companion MNG Specification version 1.0 and JNG Specification version 1.0, had Glenn at the front as the main editor and moderator-in-chief. How many of us know that the first-ever images in the format that we currently know as "PNG" have been produced by Glenn? Here is an entry from the "News and History of the PNG Development Group from 1995" page, available at http://www.libpng.org/pub/png/png1995.html 7 March 1995 Glenn Randers-Pehrson posts the very first PNG images to the Web, followed a couple of weeks later by Lee Daniel Crocker. Indeed, Glenn was at the forefront of producing the first draft implementations and test images, back in 1995. Then, in 1998, he took over the PNG Reference Library, or "libpng". He took good care of it, too, all across the last two decades. I am humbled by the honor of having worked with Glenn. He was a person with a great talent as a computer programmer, and with an exceptional ability to drive a specification from the roughest collection of various ideas to the most polished completion. Glenn's core contributions to the PNG image format -- the creation, the development, the drive towards success and towards its firm establishment among the fundamental web technologies -- shall continue to live on. We are all greatly indebted. Farewell, Glenn! Sincerely, Cosmin |
From: Glenn Randers-P. <gl...@gm...> - 2017-08-24 21:14:59
|
libpng-1.0.68, 1.2.58, 1.4.21, 1.5.29, and 1.6.32 are available from https://ftp-osl.osuosl.org/pub/libpng/src/ ftp://ftp-osl.osuosl.org/pub/libpng/src/ http://libpng.download/src/ and from http://libpng.sf.net Libpng-1.0.68 Changes since the last public release (1.0.67): Added png_check_chunk_length() function, and check all chunks except IDAT against the default 8MB limit; check IDAT against the maximum size computed from IHDR parameters. Check for 0 return from png_get_rowbytes() and added some (size_t) typecasts in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706, and 162707). Libpng-1.2.58 Changes since the last public release (1.2.57): Added png_check_chunk_length() function, and check all chunks except IDAT against the default 8MB limit; check IDAT against the maximum size computed from IHDR parameters. Check for 0 return from png_get_rowbytes() and added some (size_t) typecasts in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706, and 162707). Libpng-1.4.21 Changes since the last public release (1.4.20): Moved chunk-name and chunk-length checks into PNG_EXTERN private png_check_chunk_name() and png_check_chunk_length() functions (Suggested by Max Stepin). Check for 0 return from png_get_rowbytes() in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706, and 162707). Libpng-1.5.29 Changes since the last public release (1.5.28): Suppress clang warnings about implicit sign changes in png.c Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer). Added missing "$(CPPFLAGS)" to the compile line for c.pic.o in makefile.linux and makefile.solaris-x86 (Cosmin). Silence clang -Wcomma warnings (Viktor Szakats). Update Sourceforge URLs in documentation (https instead of http). Moved chunk-name and chunk-length checks into PNG_EXTERN private png_check_chunk_name() and png_check_chunk_length() functions (Suggested by Max Stepin). Merged pngtest.c with libpng-1.6.32. Check for 0 return from png_get_rowbytes() in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706, and 162707). Libpng-1.6.32 Changes since the last public release (1.6.31): Avoid possible NULL dereference in png_handle_eXIf when benign_errors are allowed. Avoid leaking the input buffer "eXIf_buf". Eliminated png_ptr->num_exif member from pngstruct.h and added num_exif to arguments for png_get_eXIf() and png_set_eXIf(). Added calls to png_handle_eXIf(() in pngread.c and png_write_eXIf() in pngwrite.c, and made various other fixes to png_write_eXIf(). Changed name of png_get_eXIF and png_set_eXIf() to png_get_eXIf_1() and png_set_eXIf_1(), respectively, to avoid breaking API compatibility with libpng-1.6.31. Updated contrib/libtests/pngunknown.c with eXIf chunk. Initialized btoa[] in pngstest.c Stop memory leak when returning from png_handle_eXIf() with an error (Bug report from the OSS-fuzz project). Replaced local eXIf_buf with info_ptr-eXIf_buf in png_handle_eXIf(). Update libpng.3 and libpng-manual.txt about eXIf functions. Restored png_get_eXIf() and png_set_eXIf() to maintain API compatability. Removed png_get_eXIf_1() and png_set_eXIf_1(). Check length of all chunks except IDAT against user limit to fix an OSS-fuzz issue. Check length of IDAT against maximum possible IDAT size, accounting for height, rowbytes, interlacing and zlib/deflate overhead. Restored png_get_eXIf_1() and png_set_eXIf_1(), because strlen(eXIf_buf) does not work (the eXIf chunk data can contain zeroes). Require cmake-2.8.8 in CMakeLists.txt. Revised symlink creation, no longer using deprecated cmake LOCATION feature (Clifford Yapp). Fixed five-byte error in the calculation of IDAT maximum possible size. Moved chunk-length check into a png_check_chunk_length() private function (Suggested by Max Stepin). Moved bad pngs from tests to contrib/libtests/crashers Moved testing of bad pngs into a separate tests/pngtest-badpngs script Added the --xfail (expected FAIL) option to pngtest.c. It writes XFAIL in the output but PASS for the libpng test. Require cmake-3.0.2 in CMakeLists.txt (Clifford Yapp). Fix "const" declaration info_ptr argument to png_get_eXIf_1() and the num_exif argument to png_get_eXIf_1() (Github Issue 171). Added "eXIf" to "chunks_to_ignore[]" in png_set_keep_unknown_chunks(). Added huge_IDAT.png and empty_ancillary_chunks.png to testpngs/crashers. Make pngtest --strict, --relax, --xfail options imply -m (multiple). Removed unused chunk_name parameter from png_check_chunk_length(). Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak. Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue. Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR. Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue. Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account for the minimum 'deflate' stream, and relocate the test to a point after the keyword has been read. Check that the eXIf chunk has at least 2 bytes and begins with "II" or "MM". Added a set of "huge_xxxx_chunk.png" files to contrib/testpngs/crashers, one for each known chunk type, with length = 2GB-1. Check for 0 return from png_get_rowbytes() and added some (size_t) typecasts in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706, and 162707). Renamed chunks in contrib/testpngs/crashers to avoid having files whose names differ only in case; this causes problems with some platforms (github issue #172). Added contrib/oss-fuzz directory which contains files used by the oss-fuzz project (https://github.com/google/oss-fuzz/tree/master/projects/libpng). Glenn |
From: Glenn Randers-P. <gl...@gm...> - 2017-07-27 12:36:41
|
libpng-1.6.31 is available from https://ftp-osl.osuosl.org/pub/libpng/src/libpng16 ftp://ftp-osl.osuosl.org/pub/libpng/src/libpng16 http://libpng.download/src/libpng16 and from http://libpng.sf.net Changes since the last public release (1.6.30): Guard the definition of _POSIX_SOURCE in pngpriv.h (AIX already defines it; bug report by Michael Felt). Revised pngpriv.h to work around failure to compile arm/filter_neon.S ("typedef" directive is unrecognized by the assembler). The problem was introduced in libpng-1.6.30beta01. Added "Requires: zlib" to libpng.pc.in (Pieter Neerincx). Added special case for FreeBSD in arm/filter_neon.S (Maya Rashish). Added instructions for disabling hardware optimizations in INSTALL. Added "--enable-hardware-optimizations" configuration flag to enable or disable all hardware optimizations with one flag. Updated CMakeLists.txt to add INTEL_SSE and MIPS_MSA platforms. Changed "int" to "png_size_t" in intel/filter_sse2.c to prevent possible integer overflow (Bug report by John Bowler). Quieted "declaration after statement" warnings in intel/filter_sse2.c. Added scripts/makefile-linux-opt, which has hardware optimizations enabled. Removed one of the GCC-7.1.0 'strict-overflow' warnings that result when integers appear on both sides of a compare. Worked around the others by forcing the strict-overflow setting in the relevant functions to a level where they are not reported (John Bowler). Changed "FALL THROUGH" comments to "FALLTHROUGH" because GCC doesn't like the space. Worked around some C-style casts from (void*) because g++ 5.4.0 objects to them. Increased the buffer size for 'sprint' to pass the gcc 7.1.0 'sprint overflow' check that is on by default with -Wall -Wextra. Added eXIf chunk support. Added a minimal eXIf chunk (with Orientation and FocalLengthIn35mmFilm tags) to pngtest.png. Glenn |
From: Glenn Randers-P. <gl...@gm...> - 2017-07-15 18:04:07
|
Updated PNG Extensions and PNG Regitered Chunks documentrs are available at http://libpng.download/documents/ pngreg-1.5.0.html pngext-1.5.0.html They are updated to add the eXIf chunk and to change URLs from ftp://ftp.simplesystems.org/pub/png/documents/ to http://libpng.download/documents/ Glenn |
From: Glenn Randers-P. <gl...@gm...> - 2017-07-13 15:37:15
|
By my count there are nine YES votes and no NO votes. I am told that there is one more vote awaiting the list moderator's approval, but it won't affect the outcome. Therefore, the eXIf chunk proposal is approved. Glenn On Thu, Jun 29, 2017 at 11:31 AM, Glenn Randers-Pehrson <gl...@gm...> wrote: > CALL for VOTE > eXIf 2017-06-15 > http://libpng.download/documents/proposals/eXIf/ > png-proposed-eXIf-chunk-2017-06-15.html > Glenn Randers-Pehrson <gl...@gm...> > > also available at > https://ftp-osl.osuosl.org/pub/libpng/documents/proposals/eXIf/png-proposed-eXIf-chunk-2017-06-15.html > and > http://www.simplesystems.org/png-group/proposals/eXIf/png-proposed-eXIf-chunk-2017-06-15.html > > Voting occurs on the png...@li... list. The > voting procedure is described in > http://libpng.download/documents/proposals/PngReg/png-registration-draft-2017-02-28.txt > The voting period begins with receipt of this message by the > png-mng-misc list processor and ends two weeks after that. > > Glenn |
From: Glenn Randers-P. <gl...@gm...> - 2017-06-29 15:32:02
|
CALL for VOTE eXIf 2017-06-15 http://libpng.download/documents/proposals/eXIf/ png-proposed-eXIf-chunk-2017-06-15.html Glenn Randers-Pehrson <gl...@gm...> also available at https://ftp-osl.osuosl.org/pub/libpng/documents/proposals/eXIf/png-proposed-eXIf-chunk-2017-06-15.html and http://www.simplesystems.org/png-group/proposals/eXIf/png-proposed-eXIf-chunk-2017-06-15.html Voting occurs on the png...@li... list. The voting procedure is described in http://libpng.download/documents/proposals/PngReg/png-registration-draft-2017-02-28.txt The voting period begins with receipt of this message by the png-mng-misc list processor and ends two weeks after that. Glenn |
From: Glenn Randers-P. <gl...@gm...> - 2017-06-28 19:21:36
|
libpng-1.6.30 is available from https://ftp-osl.osuosl.org/pub/libpng/src/libpng16 ftp://ftp-osl.osuosl.org/pub/libpng/src/libpng16 http://libpng.download/src/libpng16 and from http://libpng.sf.net Changes since the last public release (1.6.29): Added missing "$(CPPFLAGS)" to the compile line for c.pic.o in makefile.linux and makefile.solaris-x86 (Cosmin). Revised documentation of png_get_error_ptr() in the libpng manual. Silence clang -Wcomma and const drop warnings (Viktor Szakats). Update Sourceforge URLs in documentation (https instead of http). Document need to check for integer overflow when allocating a pixel buffer for multiple rows in contrib/gregbook, contrib/pngminus, example.c, and in the manual (suggested by Jaeseung Choi). This is similar to the bug reported against pngquant in CVE-2016-5735. Removed reference to the obsolete PNG_SAFE_LIMITS macro in the documentation. Check for integer overflow in contrib/visupng and contrib/tools/genpng. Do not double evaluate CMAKE_SYSTEM_PROCESSOR in CMakeLists.txt. Test CMAKE_HOST_WIN32 instead of WIN32 in CMakeLists.txt. Fix some URL in documentation. Avoid writing an empty IDAT when the last IDAT exactly fills the compression buffer (bug report by Brian Baird). This bug was introduced in libpng-1.6.0. Update copyright year in pnglibconf.h, make ltmain.sh executable. Add a reference to the libpng.download site in README. Glenn |
From: Glenn Randers-P. <gl...@gm...> - 2017-06-21 13:22:27
|
For those who find the new URLs overly complex and hard-to-remember, the following are also available now: http://libpng.download/documents http://libpng.download/documents/proposals These will redirect to https://ftp-osl.osuosl.org/pub/libpng/documents/ https://ftp-osl.osuosl.org/pub/libpng/documents/proposals/ respectively. Glenn On Tue, Jun 13, 2017 at 1:42 PM, Glenn Randers-Pehrson <gl...@gm...> wrote: > Files from ftp.simplesystems.org:pub/png/documents > are now at > > https://ftp-osl.osuosl.org/pub/libpng/documents > http://ftp-osl.osuosl.org/pub/libpng/documents > ftp://ftp-osl.osuosl.org/pub/libpng/documents > > Files from ftp.simplesystems.org:pub/png-group/documents > are now at > > https://ftp-osl.osuosl.org/pub/libpng/documents/proposals > http://ftp-osl.osuosl.org/pub/libpng/documents/proposals > ftp://ftp-osl.osuosl.org/pub/libpng/documents/proposals > > Use "https" in preference to "http" or anonymous "ftp", if > you can. > > I'll continue to maintain the copies at ftp.simplesystems.org as > well, but you should find that OSUOSL provides much > faster downloads. > > Glenn |
From: Glenn Randers-P. <gl...@gm...> - 2017-06-13 17:43:32
|
Files from ftp.simplesystems.org:pub/png/documents are now at https://ftp-osl.osuosl.org/pub/libpng/documents http://ftp-osl.osuosl.org/pub/libpng/documents ftp://ftp-osl.osuosl.org/pub/libpng/documents Files from ftp.simplesystems.org:pub/png-group/documents are now at https://ftp-osl.osuosl.org/pub/libpng/documents/proposals http://ftp-osl.osuosl.org/pub/libpng/documents/proposals ftp://ftp-osl.osuosl.org/pub/libpng/documents/proposals Use "https" in preference to "http" or anonymous "ftp", if you can. I'll continue to maintain the copies at ftp.simplesystems.org as well, but you should find that OSUOSL provides much faster downloads. Glenn |
From: Glenn Randers-P. <gl...@gm...> - 2017-04-22 14:50:33
|
I'm pleased to announce a new ftp site for libpng tarball distributions, thanks to Oregon State University's Open Software Laboratory. It is able to deliver at a rate that is twenty or more times as fast as ftp.simplesystems.org, and will respond to http and https requests as well as anonymous ftp requests. https://ftp-osl.osuosl.org/pub/libpng http://ftp-osl.osuosl.org/pub/libpng ftp://ftp-osl.osuosl.org/pub/libpng The history files are arranged differently. At simplesystems, it was pub/png/src libpngNN current *tar.xz, *tar.gz, *7z, *zip, *.asc history libpngNN old *.tar.xz, *tar.gz, *7z, *zip, *.asc pub/png-group/src libpngNN current beta and rc *.tar.gz. *.tar.xz, *.7z, *.zip history libpngNN old beta and rc *.tar.gz. *.tar.xz, *.7z, *.zip At OSU-OSL, it's ftp/pub/libpng/src libpngNN current *tar.xz, *tar.gz, *7z, *zip, *.asc beta libpngNN current beta *tar.xz, *tar.gz, *7z, *zip. *.asc archive xz libpngNN *.tar.xz, *.xz.asc gz libpngNN *.tar.gz, *.gz.asc 7z libpngNN *.7z, *.7z.asc zip libpngNN *.zip, *.zip.asc I'm putting a link of the currently active files immediately into the "archive" directory, so any particular version gets a permanent home right away, instead of waiting until a new version is released to move it into "history". There's no distinguishing between "png" and "png-group" as previously; instead the public releases, betas, and rcs all appear together in the archive directory. But for navigation convenience, the active releases also appear at the top of the file structure in "libpngNN" and "beta" directories. All archives have digital GPG signatures (*.asc) instead of just the public releases. If you manage a distro that is currently sending build scripts that hit ftp.simplesystems.org, please revise your scripts to use ftp-osl.osuosl.org instead. Glenn |
From: Glenn Randers-P. <gl...@gm...> - 2017-03-16 15:13:01
|
libpng-1.6.29 is available from ftp://ftp.simplesystems.org/pub/png/src/libpng16/ and from http://libpng.sf.net Changes from libpng-1.6.28: Readded "include(GNUInstallDirs)" to CMakeLists.txt (Gianfranco Costamagna). Moved SSE2 optimization code into the main libpng source directory. Configure libpng with "configure --enable-intel-sse" or compile libpng with "-DPNG_INTEL_SSE" in CPPFLAGS to enable it. Simplified conditional compilation in pngvalid.c, for AIX (Michael Felt). Avoid conditional directives that break statements in pngrutil.c (Romero Malaquias) The contrib/examples/pngtopng.c recovery code was in the wrong "if" branches; the comments were correct. Added code for PowerPC VSX optimisation (Vadim Barkov). Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer). Change test ZLIB_VERNUM >= 0x1281 to ZLIB_VERNUM >= 0x1290 in pngrutil.c because Solaris 11 distributes zlib-1.2.8.f that is older than 1.2.8.1. Suppress clang warnings about implicit sign changes in png.c Glenn |
From: Glenn Randers-P. <gl...@gm...> - 2017-01-30 19:36:04
|
CALL for VOTE PNG Registration 2017-0125 ftp://ftp.simplesystems.org/pub/png-group/documents png-registration-2017-0125.txt Glenn Randers-Pehrson <gl...@gm...> also available at http://www.simplesystems.org/png-group/proposals/ png-registration-2017-0125.txt This is a call for votes on the PNG proposal PNG Registration 2017-0125 To vote on this proposal, send a message to png...@li... The subject line of your message must contain the words VOTE YES|NO|ABSTAIN: PNG Registration 2017-0125 and must NOT contain the string "Re:" (i.e. do not try to cast your vote by "replying" to this message. You must manually construct the proper subject line). The body of your message must contain the following five lines, which must appear first in the message. YES | NO | ABSTAIN PNG Registration 2017-0125 ftp://ftp.simplesystems.org/pub/png-group/documents png-registration-2017-0125.txt Your Name <yourusername at yourhost.yourdomain> After these five lines you can add an explanation of your vote, if you desire. Providing the rationale for a NO vote is particularly encouraged. The voting period closes exactly two weeks after the time that this message was received by the png-mng-misc list server (png...@li...) You can change your vote by submitting a new message. Only the last message sent by you and received by the png-mng-misc list server prior to the close of the voting period will be counted. Your messages can be sent from different e-mail accounts, but the fifth line of all of your messages, containing your name and your preferred e-mail address, must be identical. You are eligible to vote if your earliest message to png-mng-misc or png-mng-implement was received at least 180 days earlier than the close of the voting period. regards, Glenn Randers-Pehrson |
From: Glenn Randers-P. <gl...@gm...> - 2017-01-29 16:37:02
|
Reminder We will be voting soon on proposals available at ftp://ftp.simplesystems.org/pub/png-group/documents/ 1. the PNG chunk registration procedure png-registration-2017-0125.txt Discussion opened 2006 or earlier, Last substantive modification was 16 Jan 2017. I'll issue a call for votes on or after 30 January 2017 19:00 UTC 2. the eXIf chunk (raw uncompressed Exif profile) png-proposed-eXIf-chunk-2017-0119.html Discussion opened 31 Dec 2016 ("Modern Compressor) thread Last substantive modification Friday 20 January 2017 01:22 UTC I'll issue a call for votes on or after Friday, 3 February 2017 01:30 UTC 3. the zXIf chunk (same as eXIf but with optional deflate compression) png-proposed-zXIf-chunk-2017-0128.html discussion opened December 31, 2016 in "Modern Compressor" thread on png-mng-misc list last substantive modification Saturday 28 Jan 16:15:51 UTC I'll issue a call for votes no earlier than Saturday, 11 February 2017, depending upon the outcome of the eXIf chunk vote. 4. the COMP/coMp chunk (compressed version of any chunk) No formal document other than in the message opening the discussion discussion opened Sat, 31 Dec 2016 18:23:18 -0800, in thread [png-mng-misc] EXIF support in PNG [was: Modern compressor] We'll vote no sooner than a formal document has been posted and finalized. Voting will occur on png...@li... Glenn |
From: Glenn Randers-P. <gl...@gm...> - 2017-01-05 17:01:20
|
lbpng-1.6.28 is available from ftp://ftp.simplesystems.org/pub/png/src/libpng16 and from http://libpng.sf.net Fixed arm/aarch64 detection in CMakeLists.txt (Gianfranco Costamagna). Added option to Cmake build allowing a custom location of zlib to be specified in a scenario where libpng is being built as a subproject alongside zlib by another project (Sam Serrels). Changed png_ptr->options from a png_byte to png_uint_32, to accomodate up to 16 options. The change to png_ptr->options is due to a new bug exposed by building libpng with zlib-1.2.9 or zlib-1.2.10. Glenn |
From: Glenn Randers-P. <gl...@gm...> - 2016-12-30 18:43:20
|
Use CVE-2016-10087 for this vulnerabilty. Glenn On Thu, Dec 29, 2016 at 10:08 AM, Glenn Randers-Pehrson <gl...@gm...> wrote: > libpng-1.6.27, 1.5.28, and 1.2.57, plus legacy libpng-1.0.67 and 1.4.20, > and > 1.7.0beta86 are available from ftp://ftp.simplesystems.org/pub/png/src > and from http://libpng.sf.net > > These all fix a potential "NULL dereference" bug that has existed in libpng > since version 0.71 of June 26, 1995. > |
From: Glenn Randers-P. <gl...@gm...> - 2016-12-29 15:08:14
|
libpng-1.6.27, 1.5.28, and 1.2.57, plus legacy libpng-1.0.67 and 1.4.20, and 1.7.0beta86 are available from ftp://ftp.simplesystems.org/pub/png/src and from http://libpng.sf.net These all fix a potential "NULL dereference" bug that has existed in libpng since version 0.71 of June 26, 1995. To be vulnerable, an application has to load a text chunk into the png structure, then delete all text, then add another text chunk to the same png structure, which seems to be an unlikely sequence, but it has happened. libpng.3 synopses (Eric S. Raymond). Fixed undefined behavior in png_push_save_buffer(). Do not call memcpy() with a null source, even if count is zero (Leon Scroggins III). Fixed a potential null pointer dereference in png_set_text_2() (bug report and patch by Patrick Keshishian). Libpng 1.4.20 - December 29, 2016 Fix typos in libpng.3 synopses (Eric S. Raymond). Fixed undefined behavior in png_push_save_buffer(). Do not call memcpy() with a null source, even if count is zero (Leon Scroggins III). Fixed a potential null pointer dereference in png_set_text_2() (bug report and patch by Patrick Keshishian). Libpng 1.5.28 - December 29, 2016 Merged with current libpng16 gregbook, pngvalid.c, pngtest.c, pngminim, pngminus Added "Common linking failures" section to INSTALL. Fixed undefined behavior in png_push_save_buffer(). Do not call memcpy() with a null source, even if count is zero (Leon Scroggins III). Merge contrib/pngminim/*/makefile with libpng-1.6.24 Minor editing of INSTALL, (whitespace, added copyright line) Removed the use of a macro containing the pre-processor 'defined' operator. It is unclear whether this is valid; a macro that "generates" 'defined' is not permitted, but the use of the word "generates" within the C90 standard seems to imply more than simple substitution of an expression itself containing a well-formed defined operation. Previously the pngtrans.c code always resulted in an unsigned arithmetic overflow. This is well defined but produces errors from clang with the option to detect unsigned overflow. As the expression only gets evaluated once per row in this version of libpng it is easier just to rewrite it. The previous version of png.c produced a signed overflow as a result of both the "& 0xffff" on the most significant bits of a negative argument; this converted (-1) into 65535 which resulted in a subsequent overflow. Since signed overflow is undefined in C90 the code has been modified to correctly calculate a signed result. This requires changing the 'hi' result parameter to a signed value. Fixed a potential null pointer dereference in png_set_text_2() (bug report and patch by Patrick Keshishian). Libpng 1.6.27 - December 29, 2016 Control ADLER32 checking with new PNG_IGNORE_ADLER32 option. Removed the use of a macro containing the pre-processor 'defined' operator. It is unclear whether this is valid; a macro that "generates" 'defined' is not permitted, but the use of the word "generates" within the C90 standard seems to imply more than simple substitution of an expression itself containing a well-formed defined operation. Added ARM support to CMakeLists.txt (Andreas Franek). Fixed a potential null pointer dereference in png_set_text_2() (bug report and patch by Patrick Keshishian). Version 1.7.0beta86 [December 29, 2016] Ported CMakeLists.txt from libpng-1.6.27rc01. Fixed a potential null pointer dereference in png_set_text_2() (bug report and patch by Patrick Keshishian). Glenn |