Libpng 1.6.0beta28 - August 11, 2012 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. Files available for download: Source files with LF line endings (for Unix/Linux) and with a "configure" script 1.6.0beta28.tar.xz (LZMA-compressed, recommended) 1.6.0beta28.tar.gz 1.6.0beta28.tar.bz2 Source files with CRLF line endings (for Windows), without the "configure" script lp160b28.7z (LZMA-compressed, recommended) lp160b28.zip Other information: 1.6.0beta28-README.txt 1.6.0beta28-LICENSE.txt Changes since the last public release (1.5.7): Version 1.6.0beta01 [December 15, 2011] Removed machine-generated configure files from the GIT repository (they will continue to appear in the tarball distributions). Restored the new 'simplified' API, which was started in libpng-1.5.7beta02 but later deleted from libpng-1.5.7beta05. Added example programs for the new 'simplified' API. Added ANSI-C (C90) headers and require them, and take advantage of the change. Also fixed some of the projects/* and contrib/* files that needed updates for libpng16 and the move of pngvalid.c. With this change the required ANSI-C header files are assumed to exist: the implementation must provide float.h, limits.h, stdarg.h and stddef.h and libpng relies on limits.h and stddef.h existing and behaving as defined (the other two required headers aren't used). Non-ANSI systems that don't have stddef.h or limits.h will have to provide an appropriate fake containing the relevant types and #defines. The use of FAR/far has been eliminated and the definition of png_alloc_size_t is now controlled by a flag so that 'small size_t' systems can select it if necessary. Libpng 1.6 may not currently work on such systems -- it seems likely that it will ask 'malloc' for more than 65535 bytes with any image that has a sufficiently large row size (rather than simply failing to read such images). New tools directory containing tools used to generate libpng code. Fixed race conditions in parallel make builds. With higher degrees of parallelism during 'make' the use of the same temporary file names such as 'dfn*' can result in a race where a temporary file from one arm of the build is deleted or overwritten in another arm. This changes the temporary files for suffix rules to always use $* and ensures that the non-suffix rules use unique file names. Version 1.6.0beta02 [December 21, 2011] Correct configure builds where build and source directories are separate. The include path of 'config.h' was erroneously made relative in pngvalid.c in libpng 1.5.7. Version 1.6.0beta03 [December 22, 2011] Start-up code size improvements, error handler flexibility. These changes alter how the tricky allocation of the initial png_struct and png_info structures are handled. png_info is now handled in pretty much the same way as everything else, except that the allocations handle NULL return silently. png_struct is changed in a similar way on allocation and on deallocation a 'safety' error handler is put in place (which should never be required). The error handler itself is changed to permit mismatches in the application and libpng error buffer size; however, this means a silent change to the API to return the jmp_buf if the size doesn't match the size from the libpng compilation; libpng now allocates the memory and this may fail. Overall these changes result in slight code size reductions; however, this is a reduction in code that is always executed so is particularly valuable. Overall on a 64-bit system the libpng DLL decreases in code size by 1733 bytes. pngerror.o increases in size by about 465 bytes because of the new functionality. Added png_convert_to_rfc1123_buffer() and deprecated png_convert_to_rfc1123() to avoid including a spurious buffer in the png_struct. Version 1.6.0beta04 [December 30, 2011] Regenerated configure scripts with automake-1.11.2 Eliminated png_info_destroy(). It is now used only in png.c and only calls one other internal function and memset(). Enabled png_get_sCAL_fixed() if floating point APIs are enabled. Previously it was disabled whenever internal fixed point arithmetic was selected, which meant it didn't exist even on systems where FP was available but not preferred. Added pngvalid.c compile time checks for const APIs. Implemented 'restrict' for png_info and png_struct. Because of the way libpng works both png_info and png_struct are always accessed via a single pointer. This means adding C99 'restrict' to the pointer gives the compiler some opportunity to optimize the code. This change allows that. Moved AC_MSG_CHECKING([if libraries can be versioned]) later to the proper location in configure.ac (Gilles Espinasse). Changed png_memcpy to C assignment where appropriate. Changed all those uses of png_memcpy that were doing a simple assignment to assignments (all those cases where the thing being copied is a non-array C L-value). Added some error checking to png_set_*() routines. Removed the reference to the non-exported function png_memcpy() from example.c. Fixed the Visual C 64-bit build - it requires jmp_buf to be aligned, but it had become misaligned. Revised contrib/pngminus/pnm2png.c to avoid warnings when png_uint_32 and unsigned long are of different sizes. Version 1.6.0beta05 [January 15, 2012] Updated manual with description of the simplified API (copied from png.h) Fix bug in pngerror.c: some long warnings were being improperly truncated (CVE-2011-3464, bug introduced in libpng-1.5.3beta05). Version 1.6.0beta06 [January 24, 2012] Added palette support to the simplified APIs. This commit changes some of the macro definitions in png.h, app code may need corresponding changes. Increased the formatted warning buffer to 192 bytes. Added color-map support to simplified API. This is an initial version for review; the documentation has not yet been updated. Fixed Min/GW uninstall to remove libpng.dll.a Version 1.6.0beta07 [January 28, 2012] Eliminated Intel icc/icl compiler warnings. The Intel (GCC derived) compiler issues slightly different warnings from those issued by the current vesions of GCC. This eliminates those warnings by adding/removing casts and small code rewrites. Updated configure.ac from autoupdate: added --enable-werror option. Also some layout regularization and removal of introduced tab characters (replaced with 3-character indentation). Obsolete macros identified by autoupdate have been removed; the replacements are all in 2.59 so the pre-req hasn't been changed. --enable-werror checks for support for -Werror (or the given argument) in the compiler. This mimics the gcc configure option by allowing -Werror to be turned on safely; without the option the tests written in configure itself fail compilation because they cause compiler warnings. Rewrote autogen.sh to run autoreconf instead of running tools one-by-one. Conditionalize the install rules for MINGW and CYGWIN in CMakeLists.txt and set CMAKE_LIBRARY_OUTPUT_DIRECTORY to "lib" on all platforms (C. Yapp). Freeze libtool files in the 'scripts' directory. This version of autogen.sh attempts to dissuade people from running it when it is not, or should not, be necessary. In fact, autogen.sh does not work when run in a libpng directory extracted from atar distribution anymore. You must run it in a GIT clone instead. Added two images to contrib/pngsuite (1-bit and 2-bit transparent grayscale), and renamed three whose names were inconsistent with those in pngsuite/README.txt. Version 1.6.0beta08 [February 1, 2012] Fixed Image::colormap misalignment in pngstest.c Check libtool/libtoolize version number (2.4.2) in configure.ac Divide test-pngstest.sh into separate pngstest runs for basic and transparent images. Moved automake options to AM_INIT_AUTOMAKE in configure.ac Added color-tests, silent-rules (Not yet implemented in Makefile.am) and version checking to configure.ac Improved pngstest speed by not doing redundant tests and add const to the background parameter of png_image_finish_read. The --background option is now done automagically only when required, so that commandline option no longer exists. Cleaned up pngpriv.h to consistently declare all functions and data. Also eliminated PNG_CONST_DATA, which is apparently not needed but we can't be sure until it is gone. Added symbol prefixing that allows all the libpng external symbols to be prefixed (suggested by Reuben Hawkins). Updated "ftbb*.png" list in the owatcom and vstudio projects. Fixed 'prefix' builds on clean systems. The generation of pngprefix.h should not require itself. Updated INSTALL to explain that autogen.sh must be run in a GIT clone, not in a libpng directory extracted from a tar distribution. Version 1.6.0beta09 [February 1, 2012] Reverted the prebuilt configure files to libpng-1.6.0beta05 condition. Version 1.6.0beta10 [February 3, 2012] Added Z_SOLO for zlib-1.2.6+ and correct pngstest tests Updated list of test images in CMakeLists.txt Updated the prebuilt configure files to current condition. Revised INSTALL information about autogen.sh; it works in tar distributions. Version 1.6.0beta11 [February 16, 2012] Fix character count in pngstest command in projects/owatcom/pngstest.tgt Revised test-pngstest.sh to report PASS/FAIL for each image. Updated documentation about the simplified API. Corrected estimate of error in libpng png_set_rgb_to_gray API. The API is extremely inaccurate for sRGB conversions because it uses an 8-bit intermediate linear value and it does not use the sRGB transform, so it suffers from the known instability in gamma transforms for values close to 0 (see Poynton). The net result is that the calculation has a maximum error of 14.99/255; 0.5/255^(1/2.2). pngstest now uses 15 for the permitted 8-bit error. This may still not be enough because of arithmetic error. Removed some unused arrays (with #ifdef) from png_read_push_finish_row(). Fixed a memory overwrite bug in simplified read of RGB PNG with non-linear gamma Also bugs in the error checking in pngread.c and changed quite a lot of the checks in pngstest.c to be correct; either correctly written or not over-optimistic. The pngstest changes are insufficient to allow all possible RGB transforms to be passed; pngstest cmppixel needs to be rewritten to make it clearer which errors it allows and then changed to permit known inaccuracies. Removed tests for no-longer-used *_EMPTY_PLTE_SUPPORTED from pngstruct.h Fixed fixed/float API export conditionals. 1) If FIXED_POINT or FLOATING_POINT options were switched off, png.h ended up with lone ';' characters. This is not valid ANSI-C outside a function. The ';' characters have been moved inside the definition of PNG_FP_EXPORT and PNG_FIXED_EXPORT. 2) If either option was switched off, the declaration of the corresponding functions were completely omitted, even though some of them are still used internally. The result is still valid, but produces warnings from gcc with some warning options (including -Wall). The fix is to cause png.h to declare the functions with PNG_INTERNAL_FUNCTION when png.h is included from pngpriv.h. Check for invalid palette index while reading paletted PNG. When one is found, issue a warning and increase png_ptr->num_palette accordingly. Apps are responsible for checking to see if that happened. Version 1.6.0beta12 [February 18, 2012] Do not increase num_palette on invalid_index. Relocated check for invalid palette index to pngrtran.c, after unpacking the sub-8-bit pixels. Fixed CVE-2011-3026 buffer overrun bug. Deal more correctly with the test on iCCP chunk length. Also removed spurious casts that may hide problems on 16-bit systems. Version 1.6.0beta13 [February 24, 2012] Eliminated redundant png_push_read_tEXt|zTXt|iTXt|unknown code from pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c; now that png_ptr->buffer is inaccessible to applications, the special handling is no longer useful. Added PNG_SAFE_LIMITS feature to pnglibconf.dfa, pngpriv.h, and new pngusr.dfa to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined. To enable, use "CPPFLAGS=-DPNG_SAFE_LIMITS_SUPPORTED=1" on the configure command or put #define PNG_SAFE_LIMITS_SUPPORTED in pnglibconf.h.prebuilt and pnglibconf.h. Version 1.6.0beta14 [February 27, 2012] Added information about the new limits in the manual. Updated Makefile.in Version 1.6.0beta15 [March 2, 2012] Removed unused "current_text" members of png_struct and the png_free() of png_ptr->current_text from pngread.c Rewrote pngstest.c for substantial speed improvement. Fixed transparent pixel and 16-bit rgb tests in pngstest and removed a spurious check in pngwrite.c Added PNG_IMAGE_FLAG_FAST for the benefit of applications that store intermediate files, or intermediate in-memory data, while processing image data with the simplified API. The option makes the files larger but faster to write and read. pngstest now uses this by default; this can be disabled with the --slow option. Improved pngstest fine tuning of error numbers, new test file generator. The generator generates images that test the full range of sample values, allow the error numbers in pngstest to be tuned and checked. makepng also allows generation of images with extra chunks, although this is still work-in-progress. Added tests for invalid palette index while reading and writing (work in progress, the latter isn't finished). Fixed some bugs in ICC profile writing. The code should now accept all potentially valid ICC profiles and reject obviously invalid ones. It now uses png_error() to do so rather than casually writing a PNG without the necessary color data. Removed whitespace from the end of lines in all source files and scripts. Version 1.6.0beta16 [March 6, 2012] Relocated palette-index checking function from pngrutil.c to pngtrans.c Added palette-index checking while writing. Changed png_inflate() and calling routines to avoid overflow problems. This is an intermediate check-in that solves the immediate problems and introduces one performance improvement (avoiding a copy via png_ptr->zbuf.) Further changes will be made to make ICC profile handling more secure. Fixed build warnings (MSVC, GCC, GCC v3). Cygwin GCC with default options declares 'index' as a global, causing a warning if it is used as a local variable. GCC 64-bit warns about assigning a (size_t) (unsigned 64-bit) to an (int) (signed 32-bit). MSVC, however, warns about using the unary '-' operator on an unsigned value (even though it is well defined by ANSI-C to be ~x+1). The padding calculation was changed to use a different method. Removed the tests on png_ptr->pass. Added contrib/libtests/tarith.c to test internal arithmetic functions from png.c. This is a libpng maintainer program used to validate changes to the internal arithmetic functions. Made read 'inflate' handling like write 'deflate' handling. The read code now claims and releases png_ptr->zstream, like the write code. The bug whereby the progressive reader failed to release the zstream is now fixed, all initialization is delayed, and the code checks for changed parameters on deflate rather than always calling deflatedEnd/deflateInit. Validate the zTXt strings in pngvalid. Added code to validate the windowBits value passed to deflateInit2(). If the call to deflateInit2() is wrong a png_warning will be issued (in fact this is harmless, but the PNG data produced may be sub-optimal). Version 1.6.0beta17 [March 10, 2012] Fixed PNG_LIBPNG_BUILD_BASE_TYPE definition. Reject all iCCP chunks after the first, even if the first one is invalid. Deflate/inflate was reworked to move common zlib calls into single functions [rw]util.c. A new shared keyword check routine was also added and the 'zbuf' is no longer allocated on progressive read. It is now possible to call png_inflate() incrementally. If benign errors are disabled use maximum window on ancilliary inflate. This works round a bug introduced in 1.5.4 where compressed ancillary chunks could end up with a too-small windowBits value in the deflate header. Version 1.6.0beta18 [March 16, 2012] Issue a png_benign_error() instead of png_warning() about bad palette index. In pngtest, treat benign errors as errors if "-strict" is present. Fixed an off-by-one error in the palette index checking function. Fixed a compiler warning under Cygwin (Windows-7, 32-bit system) Revised example.c to put text strings in a temporary character array instead of directly assigning string constants to png_textp members. This avoids compiler warnings when -Wwrite-strings is enabled. Added output flushing to aid debugging under Visual Studio. Unfortunately this is necessary because the VS2010 output window otherwise simply loses the error messages on error (they weren't flushed to the window before the process exited, apparently!) Added configuration support for benign errors and changed the read default. Also changed some warnings in the iCCP and sRGB handling from to benign errors. Configuration now makes read benign errors warnings and write benign errors to errors by default (thus changing the behavior on read). The simplified API always forces read benign errors to warnings (regardless of the system default, unless this is disabled in which case the simplified API can't be built.) Version 1.6.0beta19 [March 18,2012] Work around for duplicate row start calls; added warning messages. This turns on PNG_FLAG_DETECT_UNINITIALIZED to detect app code that fails to call one of the 'start' routines (not enabled in libpng-1.5 because it is technically an API change, since it did normally work before.) It also makes duplicate calls to png_read_start_row (an internal function called at the start of the image read) benign, as they were before changes to use png_inflate_claim. Somehow webkit is causing this to happen; this is probably a mis-feature in the zlib changes so this commit is only a work-round. Removed erroneous setting of DETECT_UNINITIALIZED and added more checks. The code now does a png_error if an attempt is made to do the row initialization twice; this is an application error and it has serious consequences because the transform data in png_struct is changed by each call. Added application error reporting and added chunk names to read benign errors; also added --strict to pngstest - not enabled yet because a warning is produced. Avoid the double gamma correction warning in the simplified API. This allows the --strict option to pass in the pngstest checks Version 1.6.0beta20 [March 29, 2012] Changed chunk handler warnings into benign errors, incrementally load iCCP Added checksum-icc.c to contrib/tools Prevent PNG_EXPAND+PNG_SHIFT doing the shift twice. Recognize known sRGB ICC profiles while reading; prefer writing the iCCP profile over writing the sRGB chunk, controlled by the PNG_sRGB_PROFILE_CHECKS option. Revised png_set_text_2() to avoid potential memory corruption (fixes CVE-2011-3048, also known as CVE-2012-3425). Version 1.6.0beta21 [April 27, 2012] Revised scripts/makefile.darwin: use system zlib; remove quotes around architecture list; add missing ppc architecture; add architecture options to shared library link; don't try to create a shared lib based on missing RELEASE variable. Enable png_set_check_for_invalid_index() for both read and write. Removed #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED in pngpriv.h around declaration of png_handle_unknown(). Added -lssp_nonshared in a comment in scripts/makefile.freebsd and changed deprecated NOOBJ and NOPROFILE to NO_OBJ and NO_PROFILE. Version 1.6.0beta22 [May 23, 2012] Removed need for -Wno-cast-align with clang. clang correctly warns on alignment increasing pointer casts when -Wcast-align is passed. This fixes the cases that clang warns about either by eliminating the casts from png_bytep to png_uint_16p (pngread.c), or, for pngrutil.c where the cast is previously verified or pngstest.c where it is OK, by introducing new png_aligncast macros to do the cast in a way that clang accepts. Version 1.6.0beta23 [June 6, 2012] Revised CMakeLists.txt to not attempt to make a symlink under mingw. Made fixes for new optimization warnings from gcc 4.7.0. The compiler performs an optimization which is safe; however it then warns about it. Changing the type of 'palette_number' in pngvalid.c removes the warning. Do not depend upon a GCC feature macro being available for use in generating the linker mapfile symbol prefix. Improved performance of new do_check_palette_indexes() function (only update the value when it actually increases, move test for whether the check is wanted out of the function. Version 1.6.0beta24 [June 7, 2012] Don't check palette indexes if num_palette is 0 (as it can be in MNG files). Version 1.6.0beta25 [June 16, 2012] Revised png_set_keep_unknown_chunks() so num_chunks < 0 means ignore all unknown chunks and all known chunks except for IHDR, PLTE, tRNS, IDAT, and IEND. Previously it only meant ignore all unknown chunks, the same as num_chunks == 0. Revised png_image_skip_unused_chunks() to provide a list of chunks to be processed instead of a list of chunks to ignore. Revised contrib/gregbook/readpng2.c accordingly. Version 1.6.0beta26 [July 10, 2012] Removed scripts/makefile.cegcc from the *.zip and *.7z distributions; it depends on configure, which is not included in those archives. Moved scripts/chkfmt to contrib/tools. Changed "a+w" to "u+w" in Makefile.in to fix CVE-2012-3386. Version 1.6.0beta27 [August 11, 2012] Do not compile PNG_DEPRECATED, PNG_ALLOC and PNG_PRIVATE when __GNUC__ < 3. Do not use __restrict when GNUC is <= 3.1 Removed references to png_zalloc() and png_zfree() from the manual. Fixed configurations where floating point is completely disabled. Because of the changes to support symbol prefixing PNG_INTERNAL_FUNCTION declares floating point APIs during libpng builds even if they are completely disabled. This requires the png floating point types (png_double*) to be declared even though the functions are never actually defined. This change provides a dummy definition so that the declarations work, yet any implementation will fail to compile because of an incomplete type. Re-eliminated the use of strcpy() in pngtest.c. An unncessary use of strcpy() was accidentally re-introduced in libpng16; this change replaces it with strncpy(). Eliminated use of png_sizeof(); use sizeof() instead. Use a consistent style for (sizeof type) and (sizeof (array)) Cleanup of png_set_filler(). This function does very different things on read and write. In libpng 1.6 the two cases can be distinguished and considerable code cleanup, and extra error checking, is possible. This makes calls on the write side that have no effect be ignored with a png_app_error(), which can be disabled in the app using png_set_benign_errors(), and removes the spurious use of usr_channels on the read side. Insist on autotools 1.12.1 for git builds because there are security issues with 1.12 and insisting on anything less would allow 1.12 to be used. Removed info_ptr->signature[8] from WRITE-only builds. Add some conditions for compiling png_fixed(). This is a small function but it requires "-lm" on some platforms. Cause pngtest --strict to fail on any warning from libpng (not just errors) and cause it not to fail at the comparison step if libpng lacks support for writing chunks that it reads from the input (currently only implemented for compressed text chunks). Make all three "make check" test programs work without READ or WRITE support. Now "make check" will succeed even if libpng is compiled with -DPNG_NO_READ or -DPNG_NO_WRITE. The tests performed are reduced, but the basic reading and writing of a PNG file is always tested by one or more of the tests. Consistently use strlen(), memset(), memcpy(), and memcmp() instead of the png_strlen(), png_memset(), png_memcpy(), and png_memcmp() macros. Removed the png_sizeof(), png_strlen(), png_memset(), png_memcpy(), and png_memcmp() macros. Work around gcc 3.x and Microsoft Visual Studio 2010 complaints. Both object to the split initialization of num_chunks. Version 1.6.0beta28 [August 11, 2012] Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement to subscribe) or to glennrp at users.sourceforge.net Glenn R-P