LIBPNG: PNG reference library / News: Recent posts

IMPORTANT licensing update: libpng license v2

The new libpng license comprises the terms and conditions from the zlib
license, and the disclaimer from the Boost license.

The legacy libpng license, used until libpng-1.6.35, is appended to the
new license, following the precedent established in the Python Software
Foundation License version 2.

From now on, the list of contributing authors shall be maintained in a
separate AUTHORS file. The lists of previous contributing authors,
mentioned in the legacy libpng license and considered to be an integral
part of that license, are kept intact, with no further updates.... read more

Here is the list of changes since the last public release (1.6.34):

• Restored 21 of the contrib/pngsuite/i*.png, which do not cause test failures. Placed the remainder in contrib/pngsuite/interlaced/i*.png.
• Added calls to png_set_*() transforms commonly used by browsers to the fuzzer.
• Removed some unnecessary brackets in pngrtran.c
• Fixed miscellaneous typos (Patch by github user "luzpaz").
• Change "ASM C" to "C ASM" in CMakeLists.txt
• Fixed incorrect handling of bKGD chunk in sub-8-bit files
• Added hardware optimization directories to zip and 7z distributions.
• Fixed incorrect bitmask for options.
• Fixed many spelling typos.
• Make png_get_iCCP consistent with man page (allow compression-type argument to be NULL, bug report by Lenard Szolnoki).
• Replaced the remaining uses of png_size_t with size_t
• Fixed the calculation of row_factor in png_check_chunk_length (reported by Thuan Pham in SourceForge issue #278)
• Added missing parentheses to a macro definition (suggested by "irwir" in GitHub issue #216)

libpng-1.6.29 adds optimized code for PowerPC, and moves the optimized code for Intel into the main libpng directory.

libpng-1.6.28 has been released to fix a bug exposed when attempting to build with zlib-1.2.9 or 1.2.10

New versions released to fix CVE-2016-10087

Libpng-1.5.26, 1.4.19, 1.2.56, and 1.0.66 fix an out-of-range read in png_check_keyword(), CVE-2015-8540.

The bugfix of CVE-2015-8126 in the previous versions was incomplete; it defended against malevolent PNG files that are read via png_handle_PLTE but did not detect applications that use png_set_PLTE to set an over-length palette. This set of releases completes the bugfix, fixing CVE-2015-8472.

libpng-1.6.19, libpng-1.5.24, libpng-1.2.54, libpng-1.4.17, and libpng-1.0.64 have been released to fix a potential out-of-bounds read in png_set_tIME/png_convert_to_rfc1123 (CVE-2014-9425) and a potential out-of-bounds write in png_get_PLTE/png_set_PLTE (CVE-2015-8126).

libpng-1.6.18 and 1.5.23 were released last week. Due to the outage, they aren't available yet in the SourceForge File Release System. They are, however, available from the glennrp/libpng-releases repository at github. This is a cleanup release that fixes some harmless Coverity defects and removes some unused code.

libpng-1.6.17 and 1.5.22 have been released. They "harden" the library against attacks using very wide images by imposing a default limit of 1 million columns. Users who truly need to process wider images can override this limit.

libpng-1.7.0beta49 has been released, to test some changes to the filter-selection procedure to use a single "try_row" buffer instead of separate "sub_row, up_row, avg_row, and paeth_row" buffers. Please try it out and report back; if all goes well I'll port it back to libpng15 and libpng16 soon.

libpng-1.6.16 has been released to fix two potential overflows while reading very wide images.

libpng-1.6.14 has been released. This is mostly a code cleanup, with a minor bugfix to the iTXt chunk handler.

libpng-1.6.13 and libpng-1.5.19 have been released. These are simple code-cleanup releases without any security issues or new features.

libpng-1.6.12 has been released to relocate an out-of-order statement introduced in libpng-1.6.11.

libpng-1.6.10 avoids an infinite loop while reading a datastream whose first IDAT chunk is of zero-length. This fixes CERT VU#684412 and CVE-2014-0333.

libpng-1.6.9 is a simple cleanup release.

Libpng-1.6.8 has been released. This fixes a potential NULL pointer dereference and is otherwise a simple cleanup release.

Libpng-1.6.7 adds ARMv8 support and improves/simplifies the unknown chunk handling, and has been made compatible with automake-1.14.

libpng-1.6.5 did not correct the error it was supposed to fix (two stray lines in arm/arm_init.c). The bad lines are removed from 1.6.6.

libpng-1.6.5 has been released, to remove two stray lines in arm/arm_init.c that caused libpng to fail to compile when ARM support is enabled.

libpng-1.6.4 has been released. It has some minor speed and footprint optimizations.

libpng-1.6.3 has been released. It has improved support for ARM platforms.

libpng-1.5.17 has been released. There are minor changes, mainly in the ARM support.

libpng public releases 1.2.50, 1.4.12, 1.5.16, and 1.6.2 now have PGP signatures signed by Glenn Randers-Pehrson. In the frs they are in libpngNN/libpng.x.y.z/Gnupg, and in the GIT repository there are signed tags libpng-1.2.50-signed, libpng-1.4.12-signed, libpng-1.5.16-signed, and libpng-1.6.2-signed. Future public releases (but not beta releases or intermediate GIT checkins) will be similarly signed. To verify a release you have downloaded, follow the instructions in Gnupg/libpng-x.y.z-gnupg-README.txt