[pull] libpng16 from pnggroup:libpng16 #70
Open
pull[bot] wants to merge 273 commits into
This file contains hand-coded assembler implementations of the filter functions for 32-bit Arm platforms. These are only used when the compiler doesn't support neon intrinsics (added to GCC 4.3 in 2008) or is exactly GCC 4.5.4 (released 2012), both of which are sufficiently unlikely to be true that it's fair to say the assembler is no longer used. This commit deletes filter_neon.S and removes the now obsolete preprocessor logic in pngpriv.h. Signed-off-by: Bill Roberts <bill.roberts@arm.com> Signed-off-by: Cosmin Truta <ctruta@gmail.com>
In the previous commit 9e53875 we removed the obsolete assembler implementation `filter_neon.S`. In this commit we add a stand-in for the original file, restoring the original source tree structure, for the benefit of continuing hassle-free libpng source upgrades in the 1.6.x line.
Initialize the arch-specific MSYSTEM environment variable, to ensure that msys2 bash picks up and executes /etc/profile correctly. Install and use the host-specific cmake and ninja, to ensure that msys2 cmake picks up the host-specific zlib build correctly.
Because of a missing "amd64" string (in lowercase) in a regex match, the CMake build was unable to pick up the PNG_HARDWARE_OPTIMIZATIONS flag on FreeBSD/amd64 (and possibly other amd64 systems as well). Rename the target arch variable from TARGET_ARCH to a more idiomatic PNG_TARGET_ARCHITECTURE, and set it to an always-lowercase string. The follow-on checks are now simpler and easier to get right.
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
Considering that a non-trivial amount of libpng code is arch-specific, we should perform cross-platform builds (with cross-platform toolchains) and test runs (on emulated architectures) in our routine verification. The content of ci/targets/ shall consist of target description files, written in the standard shell language. These files may be source'd as needed, before running the verification scripts ci/ci_verify_*.sh. Here is the initial list of target systems: Android, Cygwin, FreeBSD, Linux, MSDOS, Windows. And here is the initial list of target architectures: ARM, MIPS, PowerPC, RISC-V, x86.
ACES AP1 has a red endpoint with a negative Z; this triggers the checks in libpng that ensure that x, y and z (chromaticities) are all >=0. This removes the checks on the sign of the chromaticities since it is valid to use negative values for any of them and converts the "internal" error code return to external (because the internal cases correspond to negative x, y or z.) Reviewed-by: Cosmin Truta <ctruta@gmail.com> Signed-off-by: John Bowler <jbowler@acm.org> Signed-off-by: Cosmin Truta <ctruta@gmail.com>
In "test: Add consistency checks for the PNG_LIBPNG_VER* number" [0] the `STDERR` macro was moved from outside an `ifdef` to inside an `ifdef`. This broke the code in the `else` of this `ifdef` which also uses the `STDERR` macro. Move `STDERR` back to where it was to avoid compile errors in the `else` case. [0] cc8006c Fixes: #560 Reviewed-by: Cosmin Truta <ctruta@gmail.com> Signed-off-by: Cosmin Truta <ctruta@gmail.com>
Going forward, we will continue developing and using ci/ci_lint.sh
Going forward, we will continue to verify the cmake build and the configure build with the hardware optimizations enabled by default, and the makefile build with the hardware optimizations disabled by default. The Travis CI configuration file is simpler, and, more importantly, the Travis CI verification process will be shorter and cheaper.
Co-authored-by: Cosmin Truta <ctruta@gmail.com> Signed-off-by: Cosmin Truta <ctruta@gmail.com>
New target added to libpng_read_fuzzer.cc for simplified READ API.
Properly declare target include directories for generated includes. Previously the non-targeted `include_directories()` was used, which had an issue when using the `png_static` target in a submodule. Signed-off-by: Cosmin Truta <ctruta@gmail.com>
…ctories" This reverts commit 1d1cc9a. The verification has failed. (Oopsie!)
Properly declare target include directories for generated includes. Previously the non-targeted `include_directories()` was used, which had an issue when using the `png_static` target in a submodule. Signed-off-by: Cosmin Truta <ctruta@gmail.com>
In `png_xy_from_XYZ` X+Y+Z was calculated without checking for overflow. This fixes that by moving the correct code from `png_XYZ_normalize` into a static function which is now used from `png_xy_from_XYZ`. Reviewed-by: Cosmin Truta <ctruta@gmail.com> Signed-off-by: John Bowler <jbowler@acm.org> Signed-off-by: Cosmin Truta <ctruta@gmail.com>
A new repository named "pngfuzz", dedicated to fuzz testing PNG processing software in general and libpng in particular, has been created: https://github.com/pnggroup/pngfuzz Signed-off-by: Cosmin Truta <ctruta@gmail.com>
Ignore the files and the directories that are typically produced by text editors, development tools, development environments, etc. This is a cherry-pick of commit 050aa7b from branch 'libpng18'.
Add the option --negative-stride to pngstest. When set, the row stride is negated after buffer allocation but before calling the library, so that `png_image_finish_read` and `png_image_write_to_file` exercise the bottom-up (negative stride) code paths.
Add CI targets for the CMake build and for the configure build:
- pngstest-negative-stride: Bottom-up layout with images covering colormapped, truecolor, alpha, 8-bit, 16-bit, and short-height paths.
- pngstest-negative-stride-extra: Same with --stride-extra 7 for non-aligned padding with bottom-up layout.
Note: the interlaced pngsuite images (`ibasn*.png`) are incompatible with pngstest's format conversion comparison framework, so the `png_image_read_direct_scaled` path (interlaced 16-to-8 conversion) is not exercised by this test. A dedicated test for that path will require interlaced images generated with the correct gamma properties for pngstest's comparison logic, which is TODO.
The computation of `abs(x)` (where the type of `x` is `png_int_32`) should involve a cast to `png_uint_32` before negating `x`, ensuring that the result is well-defined even for `INT32_MIN`. Considering that the PNG Specification (and, implicitly, libpng) formally prohibits `INT32_MIN` values, this is merely a zero-cost form of hardening intended to appease UBSan, and not an actual bug fix.
Guard the pointer advance with `y+1 < height` inside the function `compare_two_images` to skip this advance on the last iteration. With a negative stride, the unconditional `row += stride` in the for-statement produced a pointer before the allocated object on the final iteration. Standard C permits one-after-end but not one-before-beginning; this is undefined behavior regardless of whether the pointer is dereferenced or not.
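The guarded advance described in the commit message above, as an added example that is not part of the commit or of pngstest. The names `walk_rows` and `demo_bottom_up` and the 3-row sample image are hypothetical and constructed here.

```c
#include <stddef.h>

/* Visit `height` rows starting at `first`, stepping by `stride` bytes
 * (negative for bottom-up). Records the first byte of each visited row. */
static unsigned walk_rows(const unsigned char *first, ptrdiff_t stride,
                          unsigned height, unsigned char *tags)
{
    const unsigned char *row = first;
    unsigned y;
    for (y = 0; y < height; ++y) {
        tags[y] = row[0];
        /* Advance only if another row follows. With stride < 0 the last row
         * visited sits at offset 0, so an unconditional `row += stride`
         * would form a pointer before the start of the object. */
        if (y + 1 < height)
            row += stride;
    }
    return y;
}

/* Walks a constructed 3-row image bottom-up; returns the rows visited. */
static unsigned demo_bottom_up(unsigned char tags[3])
{
    /* Constructed sample: 4 bytes per row, first byte tags the row. */
    static const unsigned char image[12] = {
        'A', 0, 0, 0,   'B', 0, 0, 0,   'C', 0, 0, 0 };
    ptrdiff_t stride = 4;
    const unsigned char *first;
    stride = -stride;          /* negate after allocation: bottom-up layout */
    first = image + 2 * 4;     /* start at the last row in memory */
    return walk_rows(first, stride, 3, tags);
}
```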
And let the other targets focus on the other parts.
The parameter name in `png_file_add_chunk(pnt_ptr, ...)` was a typo, with the macro body referencing `png_ptr` instead. This caused the argument to be effectively unused. Fortunately, this typo was a latent bug with no effect. The sole call site was already passing `png_ptr`, so the macro expansion is identical before and after this fix. Reviewed-by: Cosmin Truta <ctruta@gmail.com> Signed-off-by: Cosmin Truta <ctruta@gmail.com>
Apply a robustness fix for a caller-side API usage pattern involving the getters and the setters for PLTE, tRNS, and hIST. Passing a pointer returned by the PLTE, tRNS, or hIST getters back into the corresponding setters used to cause the setters to read from a stale pointer. The fix consists in snapshotting the caller's data into a stack-local buffer before freeing the old internal storage. Fixes #836 Reported-by: Iv4n <Iv4n550@noreply.github.com>
Apply the same class of robustness fix from the previous commit to `png_set_text`, `png_set_sPLT` and `png_set_unknown_chunks`. These append-style setters used `png_realloc_array` to grow the internal array, then freed the old array before copying from the caller's input. If the caller's pointer was obtained from the corresponding getter, it aliased the freed array. The fix defers the freeing of the old array until after the copy loop. Also extend the pnggetset regression test to cover all three setters.
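The two fix shapes described in this commit message and the previous one (stack snapshot for a replace-style setter, deferred free for an append-style setter), as an added example that is not libpng code. `toy_info`, `toy_set`, `toy_append`, `TOY_MAX` and the sample bytes are hypothetical and constructed here.

```c
#include <stdlib.h>
#include <string.h>

#define TOY_MAX 256  /* hypothetical upper bound on entries */
/* Hypothetical toy container; not a libpng type. */
typedef struct { unsigned char *entries; size_t count; } toy_info;

/* Replace-style setter: snapshot the input on the stack before freeing. */
static int toy_set(toy_info *info, const unsigned char *src, size_t count)
{
    unsigned char snap[TOY_MAX];
    if (count == 0 || count > TOY_MAX) return -1;
    memcpy(snap, src, count);            /* src may alias info->entries */
    free(info->entries);                 /* safe: input already copied */
    info->count = 0;
    info->entries = malloc(count);
    if (info->entries == NULL) return -1;
    memcpy(info->entries, snap, count);
    info->count = count;
    return 0;
}

/* Append-style setter: copy into the grown array, free the old one last. */
static int toy_append(toy_info *info, const unsigned char *src, size_t count)
{
    unsigned char *grown = malloc(info->count + count);
    if (count == 0 || grown == NULL) { free(grown); return -1; }
    if (info->count != 0) memcpy(grown, info->entries, info->count);
    memcpy(grown + info->count, src, count);  /* old array still alive here */
    free(info->entries);                      /* deferred free */
    info->entries = grown;
    info->count += count;
    return 0;
}

/* Feeds the container's own storage back into each setter, as a caller
 * holding a getter result would; returns the final entry count. */
static int toy_round_trip(unsigned char out[6])
{
    static const unsigned char rgb[3] = { 10, 20, 30 };  /* constructed sample */
    toy_info info = { NULL, 0 };
    int n;
    if (toy_set(&info, rgb, 3) != 0) return -1;
    if (toy_set(&info, info.entries, info.count) != 0) return -1;    /* aliasing replace */
    if (toy_append(&info, info.entries, info.count) != 0) return -1; /* aliasing append */
    memcpy(out, info.entries, 6);
    n = (int)info.count;
    free(info.entries);
    return n;
}
```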
Cast `row_width` to `size_t` before multiplication when computing `row_info->rowbytes`, to avoid 32-bit truncation on LP64 systems. Fix the cast order in `png_do_expand_palette` where the widening cast was applied after the multiply rather than before it. This is a cherry-pick of commit c0ba09e from branch 'libpng18'. Reviewed-by: Cosmin Truta <ctruta@gmail.com> Signed-off-by: Cosmin Truta <ctruta@gmail.com>
The palette sync in `png_read_transform_info` was guarded by `if (transformations != 0)`, but the palette-modifying transforms clear their own bits before this function gets to run. When one of these was the sole transform, the guard was false and the sync was skipped, which caused `png_get_PLTE` to return stale palette data. Drop this guard. This was a regression from commit c1b0318 (version 1.6.56). Reported-by: ralfjunker <ralfjunker@users.noreply.github.com> Resolves: #848
This tests commit d4c4e49.
Also change the copyright notice format in source files:
- Old format: "Copyright (c) <Author> <Year>-<Year>"
- New format: "Copyright (C) <Author> <Year>"
The new format is meant to reduce the diff output and to alleviate the maintenance burden; the use of lowercase "(c)" vs. uppercase "(C)" is meant to distinguish between the old format and the new format. This is a cherry-pick of commit 28cb31f from branch 'libpng18'. Signed-off-by: Cosmin Truta <ctruta@gmail.com>
This is a cherry-pick of commit 76745ce from branch 'libpng18'. Signed-off-by: Cosmin Truta <ctruta@gmail.com>
This is a cherry-pick of commit 92c853c from branch 'libpng18'. Co-authored-by: Cosmin Truta <ctruta@gmail.com> Signed-off-by: Cosmin Truta <ctruta@gmail.com>
The "windows-latest" alias was repointed to a Windows Server 2025 image that ships Visual Studio 2026 only, which prevented the version-exact generator "Visual Studio 17 2022" from matching any installed instance. This is a cherry-pick of commit dd5d363 from branch 'libpng18'.
This is a cherry-pick of commit d733c11 from branch 'libpng18'. Co-authored-by: Brad King <brad.king@kitware.com> Signed-off-by: Cosmin Truta <ctruta@gmail.com>
This is a cherry-pick of commit 6d2054b from branch 'libpng18'.
Clear the pointers inside `png_struct` after `png_free`, following the existing idiom in `png_read_buffer`, to ensure that a subsequent free will be a no-op.
Several read-side functions free a `png_struct` member and allocate a replacement without clearing the pointer in between. When that allocation fails, `png_malloc` calls `png_error`, which longjmps out before the assignment, leaving the member pointing at freed memory. The application's cleanup path (`png_destroy_read_struct`, then `png_read_destroy`) then frees it a second time.
The same defect occurs at five members across four functions:
- `big_row_buf` and `big_prev_row` in `png_read_start_row`;
- `palette` in `png_set_PLTE`;
- `trans_alpha` in `png_set_tRNS`;
- `quantize_index` in `png_set_quantize`.
This is robustness hardening, not a fix for untrusted input. Arming the double-free needs a prior successful pass through the same site, and PNG content alone cannot deliver one: duplicate PLTE and tRNS chunks are rejected before their setters run, and within a single decode the row dimensions never grow, so the row-buffer reallocation guard cannot re-fire. The trigger is an application that causes a setter to run twice on one `png_struct` or reuses the struct across decodes, and then meets an allocation failure.
This is a cherry-pick of commit a22696b from branch 'libpng18'. Co-authored-by: Cosmin Truta <ctruta@gmail.com> Signed-off-by: Anthony Hurtado <amhurtado@pm.me> Signed-off-by: Cosmin Truta <ctruta@gmail.com>
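The free / failed allocation / longjmp / cleanup sequence from the commit message above, as an added example that is not libpng code. All `toy_*` names are hypothetical, and a two-slot static arena stands in for the heap so that the second free can be counted instead of corrupting memory.

```c
#include <setjmp.h>
#include <stddef.h>

/* Hypothetical toy state; a 2-slot arena replaces the real allocator. */
static unsigned char slot[2][128];
static int in_use[2];
static int stale_frees, fail_next_alloc;
static jmp_buf on_error;
static unsigned char *row_buf;     /* the member that is freed and replaced */

static unsigned char *toy_malloc(void)
{
    int i;
    if (fail_next_alloc) longjmp(on_error, 1);  /* error path never returns */
    for (i = 0; i < 2 && in_use[i]; ++i) { }
    if (i == 2) longjmp(on_error, 1);
    in_use[i] = 1;
    return slot[i];
}

static void toy_free(unsigned char *p)
{
    int i;
    if (p == NULL) return;                      /* no-op, as with free(NULL) */
    i = (p == slot[1]);
    if (!in_use[i]) { stale_frees++; return; }  /* would be a double free */
    in_use[i] = 0;
}

static void toy_start_row(int clear_after_free)
{
    toy_free(row_buf);
    if (clear_after_free) row_buf = NULL;       /* the hardening idiom */
    row_buf = toy_malloc();                     /* may longjmp before assigning */
}

/* Two passes through the same site, the second one failing, then cleanup.
 * Returns how many times cleanup freed memory that was already freed. */
static int toy_decode_twice(int clear_after_free)
{
    in_use[0] = in_use[1] = 0;
    stale_frees = fail_next_alloc = 0;
    row_buf = NULL;
    if (setjmp(on_error) == 0) {
        toy_start_row(clear_after_free);        /* succeeds, arms the site */
        fail_next_alloc = 1;
        toy_start_row(clear_after_free);        /* frees, then allocation fails */
    }
    toy_free(row_buf);                          /* application cleanup path */
    return stale_frees;
}
```

Calling `toy_decode_twice(0)` reports one stale free from the cleanup path; `toy_decode_twice(1)` reports none because the cleared pointer makes the second free a no-op.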
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )