Skip to content

Commit 54497f9

Browse files
committed
[libpng] Update: v1.6.55 -> v1.6.56
Includes the APNG patch.
1 parent b99ab1f commit 54497f9

30 files changed

+377
-246
lines changed

extlib/libpng/ANNOUNCE

Lines changed: 37 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
1-
libpng 1.6.55 - February 9, 2026
2-
================================
1+
libpng 1.6.56 - March 25, 2026
2+
==============================
33

44
This is a public release of libpng, intended for use in production code.
55

@@ -9,10 +9,10 @@ Files available for download
99

1010
Source files:
1111

12-
* libpng-1.6.55.tar.xz (LZMA-compressed, recommended)
13-
* libpng-1.6.55.tar.gz (deflate-compressed)
14-
* lpng1655.7z (LZMA-compressed)
15-
* lpng1655.zip (deflate-compressed)
12+
* libpng-1.6.56.tar.xz (LZMA-compressed, recommended)
13+
* libpng-1.6.56.tar.gz (deflate-compressed)
14+
* lpng1656.7z (LZMA-compressed)
15+
* lpng1656.zip (deflate-compressed)
1616

1717
Other information:
1818

@@ -22,14 +22,39 @@ Other information:
2222
* TRADEMARK.md
2323

2424

25-
Changes from version 1.6.54 to version 1.6.55
25+
Changes from version 1.6.55 to version 1.6.56
2626
---------------------------------------------
2727

28-
* Fixed CVE-2026-25646 (high severity):
29-
Heap buffer overflow in `png_set_quantize`.
30-
(Reported and fixed by Joshua Inscoe.)
31-
* Resolved an oss-fuzz build issue involving nalloc.
32-
(Contributed by Philippe Antoine.)
28+
* Fixed CVE-2026-33416 (high severity):
29+
Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`.
30+
(Reported by Halil Oktay and Ryo Shimada;
31+
fixed by Halil Oktay and Cosmin Truta.)
32+
* Fixed CVE-2026-33636 (high severity):
33+
Out-of-bounds read/write in the palette expansion on ARM Neon.
34+
(Reported by Taegu Ha; fixed by Taegu Ha and Cosmin Truta.)
35+
* Fixed uninitialized reads beyond `num_trans` in `trans_alpha` buffers.
36+
(Contributed by Halil Oktay.)
37+
* Fixed stale `info_ptr->palette` after in-place gamma and background
38+
transforms.
39+
* Fixed wrong channel indices in `png_image_read_and_map` RGB_ALPHA path.
40+
(Contributed by Yuelin Wang.)
41+
* Fixed wrong background color in colormap read.
42+
(Contributed by Yuelin Wang.)
43+
* Fixed dead loop in sPLT write.
44+
(Contributed by Yuelin Wang.)
45+
* Added missing null pointer checks in four public API functions.
46+
(Contributed by Yuelin Wang.)
47+
* Validated shift bit depths in `png_set_shift` to prevent infinite loop.
48+
(Contributed by Yuelin Wang.)
49+
* Avoided undefined behavior in library and tests.
50+
* Deprecated the hardly-ever-tested POINTER_INDEXING config option.
51+
* Added negative-stride test coverage for the simplified API.
52+
* Fixed memory leaks and API misuse in oss-fuzz.
53+
(Contributed by Owen Sanzas.)
54+
* Implemented various fixes and improvements in oss-fuzz.
55+
(Contributed by Bob Friesenhahn and Philippe Antoine.)
56+
* Performed various refactorings and cleanups.
57+
3358

3459
Send comments/corrections/commendations to png-mng-implement at lists.sf.net.
3560
Subscription is required; visit

extlib/libpng/AUTHORS

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ Authors, for copyright and licensing purposes.
1515
* Glenn Randers-Pehrson
1616
* Greg Roelofs
1717
* Guy Eric Schalnat
18+
* Halil Oktay
1819
* James Yu
1920
* John Bowler
2021
* Joshua Inscoe
@@ -34,12 +35,14 @@ Authors, for copyright and licensing purposes.
3435
* Sam Bushell
3536
* Samuel Williams
3637
* Simon-Pierre Cadieux
38+
* Taegu Ha (하태구)
3739
* Tim Wegner
3840
* Tobias Stoeckmann
3941
* Tom Lane
4042
* Tom Tanner
4143
* Vadim Barkov
4244
* Willem van Schaik
45+
* Yuelin Wang (王跃林)
4346
* Zhijie Liang
4447
* Apple Inc.
4548
- Zixu Wang (王子旭)

extlib/libpng/CHANGES

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6337,6 +6337,37 @@ Version 1.6.55 [February 9, 2026]
63376337
Resolved an oss-fuzz build issue involving nalloc.
63386338
(Contributed by Philippe Antoine.)
63396339

6340+
Version 1.6.56 [March 25, 2026]
6341+
Fixed CVE-2026-33416 (high severity):
6342+
Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`.
6343+
(Reported by Halil Oktay and Ryo Shimada;
6344+
fixed by Halil Oktay and Cosmin Truta.)
6345+
Fixed CVE-2026-33636 (high severity):
6346+
Out-of-bounds read/write in the palette expansion on ARM Neon.
6347+
(Reported by Taegu Ha; fixed by Taegu Ha and Cosmin Truta.)
6348+
Fixed uninitialized reads beyond `num_trans` in `trans_alpha` buffers.
6349+
(Contributed by Halil Oktay.)
6350+
Fixed stale `info_ptr->palette` after in-place gamma and background
6351+
transforms.
6352+
Fixed wrong channel indices in `png_image_read_and_map` RGB_ALPHA path.
6353+
(Contributed by Yuelin Wang.)
6354+
Fixed wrong background color in colormap read.
6355+
(Contributed by Yuelin Wang.)
6356+
Fixed dead loop in sPLT write.
6357+
(Contributed by Yuelin Wang.)
6358+
Added missing null pointer checks in four public API functions.
6359+
(Contributed by Yuelin Wang.)
6360+
Validated shift bit depths in `png_set_shift` to prevent infinite loop.
6361+
(Contributed by Yuelin Wang.)
6362+
Avoided undefined behavior in library and tests.
6363+
Deprecated the hardly-ever-tested POINTER_INDEXING config option.
6364+
Added negative-stride test coverage for the simplified API.
6365+
Fixed memory leaks and API misuse in oss-fuzz.
6366+
(Contributed by Owen Sanzas.)
6367+
Implemented various fixes and improvements in oss-fuzz.
6368+
(Contributed by Bob Friesenhahn and Philippe Antoine.)
6369+
Performed various refactorings and cleanups.
6370+
63406371
Send comments/corrections/commendations to png-mng-implement at lists.sf.net.
63416372
Subscription is required; visit
63426373
<https://lists.sourceforge.net/lists/listinfo/png-mng-implement>

extlib/libpng/CMakeLists.txt

Lines changed: 49 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@ ENDIF(0)
2020

2121
set(PNGLIB_MAJOR 1)
2222
set(PNGLIB_MINOR 6)
23-
set(PNGLIB_REVISION 55)
23+
set(PNGLIB_REVISION 56)
2424
set(PNGLIB_SUBREVISION 0)
2525
#set(PNGLIB_SUBREVISION "git")
2626
set(PNGLIB_VERSION ${PNGLIB_MAJOR}.${PNGLIB_MINOR}.${PNGLIB_REVISION})
@@ -99,7 +99,7 @@ endif()
9999
option(PNG_TESTS "Build the libpng tests" ON)
100100

101101
# Same as above, but for the third-party tools.
102-
# Although these tools are targetted at development environments only,
102+
# Although these tools are targeted at development environments only,
103103
# the users are allowed to override the option to build by default.
104104
if(ANDROID OR IOS)
105105
option(PNG_TOOLS "Build the libpng tools" OFF)
@@ -870,6 +870,8 @@ if(PNG_TESTS AND PNG_SHARED)
870870

871871
set(PNGTEST_PNG "${CMAKE_CURRENT_SOURCE_DIR}/pngtest.png")
872872

873+
# pngtest tests:
874+
# Basic read/write roundtrip using the sequential API.
873875
add_executable(pngtest ${pngtest_sources})
874876
target_link_libraries(pngtest
875877
PRIVATE png_shared)
@@ -882,6 +884,9 @@ if(PNG_TESTS AND PNG_SHARED)
882884
COMMAND pngtest
883885
FILES "${TEST_PNG3_PNGS}")
884886

887+
# pngvalid tests:
888+
# Internal validation of standard and progressive reading,
889+
# transforms, and gamma handling.
885890
add_executable(pngvalid ${pngvalid_sources})
886891
target_link_libraries(pngvalid
887892
PRIVATE png_shared)
@@ -929,6 +934,9 @@ if(PNG_TESTS AND PNG_SHARED)
929934
COMMAND pngvalid
930935
OPTIONS --transform)
931936

937+
# pngstest tests:
938+
# Format conversions through the simplified API,
939+
# by gamma type and alpha type.
932940
add_executable(pngstest ${pngstest_sources})
933941
target_link_libraries(pngstest
934942
PRIVATE png_shared)
@@ -985,13 +993,48 @@ if(PNG_TESTS AND PNG_SHARED)
985993
endforeach()
986994
endforeach()
987995

988-
# Regression test:
996+
# Large-stride test:
989997
# Use stride_extra > 32767 to trigger row_bytes > 65535 for linear images.
990998
png_add_test(NAME pngstest-large-stride
991999
COMMAND pngstest
9921000
OPTIONS --stride-extra 33000 --tmpfile "large-stride-" --log
9931001
FILES "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-16-linear.png")
9941002

1003+
# Negative-stride test:
1004+
# Bottom-up layout through all read/write paths.
1005+
png_add_test(NAME pngstest-negative-stride
1006+
COMMAND pngstest
1007+
OPTIONS --negative-stride --tmpfile "negative-stride-" --log
1008+
FILES "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-1.png"
1009+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-16-linear.png"
1010+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-8-linear.png"
1011+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-16-linear.png"
1012+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/palette-8-tRNS.png"
1013+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-alpha-8-linear.png"
1014+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-alpha-16-linear.png"
1015+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-8-1.8.png"
1016+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-8-sRGB.png"
1017+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-16-linear.png")
1018+
1019+
# Negative-stride-extra test:
1020+
# Bottom-up layout with non-aligned padding.
1021+
png_add_test(NAME pngstest-negative-stride-extra
1022+
COMMAND pngstest
1023+
OPTIONS --negative-stride --stride-extra 7
1024+
--tmpfile "negative-stride-extra-" --log
1025+
FILES "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-1.png"
1026+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-16-linear.png"
1027+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-8-linear.png"
1028+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-16-linear.png"
1029+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/palette-8-tRNS.png"
1030+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-alpha-8-linear.png"
1031+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-alpha-16-linear.png"
1032+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-8-1.8.png"
1033+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-8-sRGB.png"
1034+
"${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-16-linear.png")
1035+
1036+
# pngunknown tests:
1037+
# Unknown chunk handling under various read policies.
9951038
add_executable(pngunknown ${pngunknown_sources})
9961039
target_link_libraries(pngunknown
9971040
PRIVATE png_shared)
@@ -1026,6 +1069,8 @@ if(PNG_TESTS AND PNG_SHARED)
10261069
OPTIONS --strict vpAg=if-safe
10271070
FILES "${PNGTEST_PNG}")
10281071

1072+
# pngimage tests:
1073+
# Image read validation against the pngsuite corpus.
10291074
add_executable(pngimage ${pngimage_sources})
10301075
target_link_libraries(pngimage
10311076
PRIVATE png_shared)
@@ -1065,7 +1110,7 @@ function(create_symlink DEST_FILE)
10651110
message(FATAL_ERROR "create_symlink: Missing arguments: FILE or TARGET")
10661111
endif()
10671112
if(_SYM_FILE AND _SYM_TARGET)
1068-
message(FATAL_ERROR "create_symlink: Mutually-exlusive arguments:"
1113+
message(FATAL_ERROR "create_symlink: Mutually-exclusive arguments:"
10691114
"FILE (${_SYM_FILE}) and TARGET (${_SYM_TARGET})")
10701115
endif()
10711116

extlib/libpng/README

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
README for libpng version 1.6.55
1+
README for libpng version 1.6.56
22
================================
33

44
See the note about version numbers near the top of `png.h`.

extlib/libpng/_MODIFIED_LIBPNG.txt

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,9 @@
1-
This copy of libpng-1.6.55 is a modified version of the original.
1+
This copy of libpng-1.6.56 is a modified version of the original.
22

3-
commit c3e304954a9cfd154bc0dfbfea2b01cd61d6546d
4-
Release libpng version 1.6.55
3+
commit d5515b5b8be3901aac04e5bd8bd5c89f287bcd33
4+
Release libpng version 1.6.56
55

6-
Tag: v1.6.55
6+
Tag: v1.6.56
77

88
The following changes have been made to the original:
99

@@ -14,5 +14,5 @@ The following changes have been made to the original:
1414
- APNG support has been added via the APNG patch:
1515
http://sourceforge.net/projects/libpng-apng/
1616

17-
To obtain the original libpng-1.6.55, visit:
17+
To obtain the original libpng-1.6.56, visit:
1818
http://www.libpng.org/pub/png/libpng.html

extlib/libpng/arm/palette_neon_intrinsics.c

Lines changed: 29 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
/* palette_neon_intrinsics.c - NEON optimised palette expansion functions
22
*
3-
* Copyright (c) 2018-2019 Cosmin Truta
3+
* Copyright (c) 2018-2026 Cosmin Truta
44
* Copyright (c) 2017-2018 Arm Holdings. All rights reserved.
55
* Written by Richard Townsend <Richard.Townsend@arm.com>, February 2017.
66
*
@@ -49,12 +49,12 @@ png_riffle_palette_neon(png_structrp png_ptr)
4949
w.val[0] = v.val[0];
5050
w.val[1] = v.val[1];
5151
w.val[2] = v.val[2];
52-
vst4q_u8(riffled_palette + (i << 2), w);
52+
vst4q_u8(riffled_palette + i * 4, w);
5353
}
5454

5555
/* Fix up the missing transparency values. */
5656
for (i = 0; i < num_trans; i++)
57-
riffled_palette[(i << 2) + 3] = trans_alpha[i];
57+
riffled_palette[i * 4 + 3] = trans_alpha[i];
5858
}
5959

6060
/* Expands a palettized row into RGBA8. */
@@ -78,27 +78,26 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info,
7878
* The NEON part writes forward from a given position, so we have
7979
* to seek this back by 4 pixels x 4 bytes.
8080
*/
81-
*ddp = *ddp - ((pixels_per_chunk * sizeof(png_uint_32)) - 1);
81+
*ddp = *ddp - (pixels_per_chunk * 4 - 1);
8282

83-
for (i = 0; i < row_width; i += pixels_per_chunk)
83+
for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk)
8484
{
8585
uint32x4_t cur;
86-
png_bytep sp = *ssp - i, dp = *ddp - (i << 2);
86+
png_bytep sp = *ssp - i, dp = *ddp - i * 4;
8787
cur = vld1q_dup_u32 (riffled_palette + *(sp - 3));
8888
cur = vld1q_lane_u32(riffled_palette + *(sp - 2), cur, 1);
8989
cur = vld1q_lane_u32(riffled_palette + *(sp - 1), cur, 2);
9090
cur = vld1q_lane_u32(riffled_palette + *(sp - 0), cur, 3);
9191
vst1q_u32((void *)dp, cur);
9292
}
93-
if (i != row_width)
94-
{
95-
/* Remove the amount that wasn't processed. */
96-
i -= pixels_per_chunk;
97-
}
9893

99-
/* Decrement output pointers. */
94+
/* Undo the pre-adjustment of *ddp before the pointer handoff,
95+
* so the scalar fallback in pngrtran.c receives a dp that points
96+
* to the correct position.
97+
*/
98+
*ddp = *ddp + (pixels_per_chunk * 4 - 1);
10099
*ssp = *ssp - i;
101-
*ddp = *ddp - (i << 2);
100+
*ddp = *ddp - i * 4;
102101
return i;
103102
}
104103

@@ -119,32 +118,30 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info,
119118
return 0;
120119

121120
/* Seeking this back by 8 pixels x 3 bytes. */
122-
*ddp = *ddp - ((pixels_per_chunk * sizeof(png_color)) - 1);
121+
*ddp = *ddp - (pixels_per_chunk * 3 - 1);
123122

124-
for (i = 0; i < row_width; i += pixels_per_chunk)
123+
for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk)
125124
{
126125
uint8x8x3_t cur;
127-
png_bytep sp = *ssp - i, dp = *ddp - ((i << 1) + i);
128-
cur = vld3_dup_u8(palette + sizeof(png_color) * (*(sp - 7)));
129-
cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 6)), cur, 1);
130-
cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 5)), cur, 2);
131-
cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 4)), cur, 3);
132-
cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 3)), cur, 4);
133-
cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 2)), cur, 5);
134-
cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 1)), cur, 6);
135-
cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 0)), cur, 7);
126+
png_bytep sp = *ssp - i, dp = *ddp - i * 3;
127+
cur = vld3_dup_u8(palette + *(sp - 7) * 3);
128+
cur = vld3_lane_u8(palette + *(sp - 6) * 3, cur, 1);
129+
cur = vld3_lane_u8(palette + *(sp - 5) * 3, cur, 2);
130+
cur = vld3_lane_u8(palette + *(sp - 4) * 3, cur, 3);
131+
cur = vld3_lane_u8(palette + *(sp - 3) * 3, cur, 4);
132+
cur = vld3_lane_u8(palette + *(sp - 2) * 3, cur, 5);
133+
cur = vld3_lane_u8(palette + *(sp - 1) * 3, cur, 6);
134+
cur = vld3_lane_u8(palette + *(sp - 0) * 3, cur, 7);
136135
vst3_u8((void *)dp, cur);
137136
}
138137

139-
if (i != row_width)
140-
{
141-
/* Remove the amount that wasn't processed. */
142-
i -= pixels_per_chunk;
143-
}
144-
145-
/* Decrement output pointers. */
138+
/* Undo the pre-adjustment of *ddp before the pointer handoff,
139+
* so the scalar fallback in pngrtran.c receives a dp that points
140+
* to the correct position.
141+
*/
142+
*ddp = *ddp + (pixels_per_chunk * 3 - 1);
146143
*ssp = *ssp - i;
147-
*ddp = *ddp - ((i << 1) + i);
144+
*ddp = *ddp - i * 3;
148145
return i;
149146
}
150147

0 commit comments

Comments
 (0)