From: Matthieu Herrb Subject: update: libpng 1.6.56 To: tech@openbsd.org Date: Thu, 26 Mar 2026 08:21:54 +0100 Two high-severity vulnerabilities fixed: CVE-2026-33416, CVE-2026-3363 https://marc.infœ?l=oss-security&m=177448778121133&w=2 There is no ABI/API change. Corresponding port update sent to ports@ ok? Index: ANNOUNCE =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/ANNOUNCE,v diff -u -p -u -r1.5 ANNOUNCE --- ANNOUNCE 10 Feb 2026 17:06:06 -0000 1.5 +++ ANNOUNCE 26 Mar 2026 07:09:49 -0000 @@ -1,5 +1,5 @@ -libpng 1.6.55 - February 9, 2026 -================================ +libpng 1.6.56 - March 25, 2026 +============================== This is a public release of libpng, intended for use in production code. @@ -9,10 +9,10 @@ Files available for download Source files: - * libpng-1.6.55.tar.xz (LZMA-compressed, recommended) - * libpng-1.6.55.tar.gz (deflate-compressed) - * lpng1655.7z (LZMA-compressed) - * lpng1655.zip (deflate-compressed) + * libpng-1.6.56.tar.xz (LZMA-compressed, recommended) + * libpng-1.6.56.tar.gz (deflate-compressed) + * lpng1656.7z (LZMA-compressed) + * lpng1656.zip (deflate-compressed) Other information: @@ -22,14 +22,39 @@ Other information: * TRADEMARK.md -Changes from version 1.6.54 to version 1.6.55 +Changes from version 1.6.55 to version 1.6.56 --------------------------------------------- - * Fixed CVE-2026-25646 (high severity): - Heap buffer overflow in `png_set_quantize`. - (Reported and fixed by Joshua Inscoe.) - * Resolved an oss-fuzz build issue involving nalloc. - (Contributed by Philippe Antoine.) + * Fixed CVE-2026-33416 (high severity): + Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`. + (Reported by Halil Oktay and Ryo Shimada; + fixed by Halil Oktay and Cosmin Truta.) + * Fixed CVE-2026-33636 (high severity): + Out-of-bounds read/write in the palette expansion on ARM Neon. + (Reported by Taegu Ha; fixed by Taegu Ha and Cosmin Truta.) + * Fixed uninitialized reads beyond `num_trans` in `trans_alpha` buffers. + (Contributed by Halil Oktay.) + * Fixed stale `info_ptr->palette` after in-place gamma and background + transforms. + * Fixed wrong channel indices in `png_image_read_and_map` RGB_ALPHA path. + (Contributed by Yuelin Wang.) + * Fixed wrong background color in colormap read. + (Contributed by Yuelin Wang.) + * Fixed dead loop in sPLT write. + (Contributed by Yuelin Wang.) + * Added missing null pointer checks in four public API functions. + (Contributed by Yuelin Wang.) + * Validated shift bit depths in `png_set_shift` to prevent infinite loop. + (Contributed by Yuelin Wang.) + * Avoided undefined behavior in library and tests. + * Deprecated the hardly-ever-tested POINTER_INDEXING config option. + * Added negative-stride test coverage for the simplified API. + * Fixed memory leaks and API misuse in oss-fuzz. + (Contributed by Owen Sanzas.) + * Implemented various fixes and improvements in oss-fuzz. + (Contributed by Bob Friesenhahn and Philippe Antoine.) + * Performed various refactorings and cleanups. + Send comments/corrections/commendations to png-mng-implement at lists.sf.net. Subscription is required; visit Index: AUTHORS =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/AUTHORS,v diff -u -p -u -r1.5 AUTHORS --- AUTHORS 10 Feb 2026 17:06:06 -0000 1.5 +++ AUTHORS 26 Mar 2026 07:09:49 -0000 @@ -15,6 +15,7 @@ Authors, for copyright and licensing pur * Glenn Randers-Pehrson * Greg Roelofs * Guy Eric Schalnat + * Halil Oktay * James Yu * John Bowler * Joshua Inscoe @@ -34,12 +35,14 @@ Authors, for copyright and licensing pur * Sam Bushell * Samuel Williams * Simon-Pierre Cadieux + * Taegu Ha (하태구) * Tim Wegner * Tobias Stoeckmann * Tom Lane * Tom Tanner * Vadim Barkov * Willem van Schaik + * Yuelin Wang (王跃林) * Zhijie Liang * Apple Inc. - Zixu Wang (王子旭) Index: CHANGES =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/CHANGES,v diff -u -p -u -r1.5 CHANGES --- CHANGES 10 Feb 2026 17:06:06 -0000 1.5 +++ CHANGES 26 Mar 2026 07:09:49 -0000 @@ -6337,6 +6337,37 @@ Version 1.6.55 [February 9, 2026] Resolved an oss-fuzz build issue involving nalloc. (Contributed by Philippe Antoine.) +Version 1.6.56 [March 25, 2026] + Fixed CVE-2026-33416 (high severity): + Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`. + (Reported by Halil Oktay and Ryo Shimada; + fixed by Halil Oktay and Cosmin Truta.) + Fixed CVE-2026-33636 (high severity): + Out-of-bounds read/write in the palette expansion on ARM Neon. + (Reported by Taegu Ha; fixed by Taegu Ha and Cosmin Truta.) + Fixed uninitialized reads beyond `num_trans` in `trans_alpha` buffers. + (Contributed by Halil Oktay.) + Fixed stale `info_ptr->palette` after in-place gamma and background + transforms. + Fixed wrong channel indices in `png_image_read_and_map` RGB_ALPHA path. + (Contributed by Yuelin Wang.) + Fixed wrong background color in colormap read. + (Contributed by Yuelin Wang.) + Fixed dead loop in sPLT write. + (Contributed by Yuelin Wang.) + Added missing null pointer checks in four public API functions. + (Contributed by Yuelin Wang.) + Validated shift bit depths in `png_set_shift` to prevent infinite loop. + (Contributed by Yuelin Wang.) + Avoided undefined behavior in library and tests. + Deprecated the hardly-ever-tested POINTER_INDEXING config option. + Added negative-stride test coverage for the simplified API. + Fixed memory leaks and API misuse in oss-fuzz. + (Contributed by Owen Sanzas.) + Implemented various fixes and improvements in oss-fuzz. + (Contributed by Bob Friesenhahn and Philippe Antoine.) + Performed various refactorings and cleanups. + Send comments/corrections/commendations to png-mng-implement at lists.sf.net. Subscription is required; visit Index: CMakeLists.txt =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/CMakeLists.txt,v diff -u -p -u -r1.5 CMakeLists.txt --- CMakeLists.txt 10 Feb 2026 17:06:06 -0000 1.5 +++ CMakeLists.txt 26 Mar 2026 07:09:49 -0000 @@ -18,7 +18,7 @@ cmake_minimum_required(VERSION 3.14...4. set(PNGLIB_MAJOR 1) set(PNGLIB_MINOR 6) -set(PNGLIB_REVISION 55) +set(PNGLIB_REVISION 56) set(PNGLIB_SUBREVISION 0) #set(PNGLIB_SUBREVISION "git") set(PNGLIB_VERSION ${PNGLIB_MAJOR}.${PNGLIB_MINOR}.${PNGLIB_REVISION}) @@ -87,7 +87,7 @@ endif() option(PNG_TESTS "Build the libpng tests" ON) # Same as above, but for the third-party tools. -# Although these tools are targetted at development environments only, +# Although these tools are targeted at development environments only, # the users are allowed to override the option to build by default. if(ANDROID OR IOS) option(PNG_TOOLS "Build the libpng tools" OFF) @@ -772,6 +772,8 @@ if(PNG_TESTS AND PNG_SHARED) set(PNGTEST_PNG "${CMAKE_CURRENT_SOURCE_DIR}/pngtest.png") + # pngtest tests: + # Basic read/write roundtrip using the sequential API. add_executable(pngtest ${pngtest_sources}) target_link_libraries(pngtest PRIVATE png_shared) @@ -784,6 +786,9 @@ if(PNG_TESTS AND PNG_SHARED) COMMAND pngtest FILES "${TEST_PNG3_PNGS}") + # pngvalid tests: + # Internal validation of standard and progressive reading, + # transforms, and gamma handling. add_executable(pngvalid ${pngvalid_sources}) target_link_libraries(pngvalid PRIVATE png_shared) @@ -831,6 +836,9 @@ if(PNG_TESTS AND PNG_SHARED) COMMAND pngvalid OPTIONS --transform) + # pngstest tests: + # Format conversions through the simplified API, + # by gamma type and alpha type. add_executable(pngstest ${pngstest_sources}) target_link_libraries(pngstest PRIVATE png_shared) @@ -887,13 +895,48 @@ if(PNG_TESTS AND PNG_SHARED) endforeach() endforeach() - # Regression test: + # Large-stride test: # Use stride_extra > 32767 to trigger row_bytes > 65535 for linear images. png_add_test(NAME pngstest-large-stride COMMAND pngstest OPTIONS --stride-extra 33000 --tmpfile "large-stride-" --log FILES "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-16-linear.png") + # Negative-stride test: + # Bottom-up layout through all read/write paths. + png_add_test(NAME pngstest-negative-stride + COMMAND pngstest + OPTIONS --negative-stride --tmpfile "negative-stride-" --log + FILES "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-1.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-16-linear.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-8-linear.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-16-linear.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/palette-8-tRNS.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-alpha-8-linear.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-alpha-16-linear.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-8-1.8.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-8-sRGB.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-16-linear.png") + + # Negative-stride-extra test: + # Bottom-up layout with non-aligned padding. + png_add_test(NAME pngstest-negative-stride-extra + COMMAND pngstest + OPTIONS --negative-stride --stride-extra 7 + --tmpfile "negative-stride-extra-" --log + FILES "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-1.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-16-linear.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-8-linear.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-16-linear.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/palette-8-tRNS.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-alpha-8-linear.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/gray-alpha-16-linear.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-8-1.8.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-8-sRGB.png" + "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-16-linear.png") + + # pngunknown tests: + # Unknown chunk handling under various read policies. add_executable(pngunknown ${pngunknown_sources}) target_link_libraries(pngunknown PRIVATE png_shared) @@ -928,6 +971,8 @@ if(PNG_TESTS AND PNG_SHARED) OPTIONS --strict vpAg=if-safe FILES "${PNGTEST_PNG}") + # pngimage tests: + # Image read validation against the pngsuite corpus. add_executable(pngimage ${pngimage_sources}) target_link_libraries(pngimage PRIVATE png_shared) @@ -967,7 +1012,7 @@ function(create_symlink DEST_FILE) message(FATAL_ERROR "create_symlink: Missing arguments: FILE or TARGET") endif() if(_SYM_FILE AND _SYM_TARGET) - message(FATAL_ERROR "create_symlink: Mutually-exlusive arguments:" + message(FATAL_ERROR "create_symlink: Mutually-exclusive arguments:" "FILE (${_SYM_FILE}) and TARGET (${_SYM_TARGET})") endif() Index: Makefile.am =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/Makefile.am,v diff -u -p -u -r1.1.1.1 Makefile.am --- Makefile.am 17 Sep 2025 14:44:38 -0000 1.1.1.1 +++ Makefile.am 26 Mar 2026 07:09:49 -0000 @@ -1,6 +1,6 @@ # Makefile.am, the source file for Makefile.in (and hence Makefile), is # -# Copyright (c) 2018-2025 Cosmin Truta +# Copyright (c) 2018-2026 Cosmin Truta # Copyright (c) 2004-2016 Glenn Randers-Pehrson # # This code is released under the libpng license. @@ -73,21 +73,40 @@ endif if ENABLE_TESTS TESTS =\ tests/pngtest-all\ - tests/pngvalid-gamma-16-to-8 tests/pngvalid-gamma-alpha-mode\ - tests/pngvalid-gamma-background tests/pngvalid-gamma-expand16-alpha-mode\ + tests/pngvalid-gamma-16-to-8\ + tests/pngvalid-gamma-alpha-mode\ + tests/pngvalid-gamma-background\ + tests/pngvalid-gamma-expand16-alpha-mode\ tests/pngvalid-gamma-expand16-background\ - tests/pngvalid-gamma-expand16-transform tests/pngvalid-gamma-sbit\ - tests/pngvalid-gamma-threshold tests/pngvalid-gamma-transform\ + tests/pngvalid-gamma-expand16-transform\ + tests/pngvalid-gamma-sbit\ + tests/pngvalid-gamma-threshold\ + tests/pngvalid-gamma-transform\ tests/pngvalid-progressive-size\ tests/pngvalid-progressive-interlace-standard\ tests/pngvalid-transform\ - tests/pngvalid-progressive-standard tests/pngvalid-standard\ - tests/pngstest-1.8 tests/pngstest-1.8-alpha tests/pngstest-linear\ - tests/pngstest-linear-alpha tests/pngstest-none tests/pngstest-none-alpha\ - tests/pngstest-sRGB tests/pngstest-sRGB-alpha tests/pngunknown-IDAT\ - tests/pngunknown-discard tests/pngunknown-if-safe tests/pngunknown-sAPI\ - tests/pngunknown-sTER tests/pngunknown-save tests/pngunknown-vpAg\ - tests/pngimage-quick tests/pngimage-full + tests/pngvalid-progressive-standard\ + tests/pngvalid-standard\ + tests/pngstest-1.8\ + tests/pngstest-1.8-alpha\ + tests/pngstest-linear\ + tests/pngstest-linear-alpha\ + tests/pngstest-none\ + tests/pngstest-none-alpha\ + tests/pngstest-sRGB\ + tests/pngstest-sRGB-alpha\ + tests/pngstest-large-stride\ + tests/pngstest-negative-stride\ + tests/pngstest-negative-stride-extra\ + tests/pngunknown-IDAT\ + tests/pngunknown-discard\ + tests/pngunknown-if-safe\ + tests/pngunknown-sAPI\ + tests/pngunknown-sTER\ + tests/pngunknown-save\ + tests/pngunknown-vpAg\ + tests/pngimage-quick\ + tests/pngimage-full endif # man pages Index: Makefile.in =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/Makefile.in,v diff -u -p -u -r1.2 Makefile.in --- Makefile.in 17 Sep 2025 14:48:30 -0000 1.2 +++ Makefile.in 26 Mar 2026 07:10:06 -0000 @@ -16,7 +16,7 @@ # Makefile.am, the source file for Makefile.in (and hence Makefile), is # -# Copyright (c) 2018-2025 Cosmin Truta +# Copyright (c) 2018-2026 Cosmin Truta # Copyright (c) 2004-2016 Glenn Randers-Pehrson # # This code is released under the libpng license. @@ -754,21 +754,40 @@ BUILT_SOURCES = pnglibconf.h # set of parameters: @ENABLE_TESTS_TRUE@TESTS = \ @ENABLE_TESTS_TRUE@ tests/pngtest-all\ -@ENABLE_TESTS_TRUE@ tests/pngvalid-gamma-16-to-8 tests/pngvalid-gamma-alpha-mode\ -@ENABLE_TESTS_TRUE@ tests/pngvalid-gamma-background tests/pngvalid-gamma-expand16-alpha-mode\ +@ENABLE_TESTS_TRUE@ tests/pngvalid-gamma-16-to-8\ +@ENABLE_TESTS_TRUE@ tests/pngvalid-gamma-alpha-mode\ +@ENABLE_TESTS_TRUE@ tests/pngvalid-gamma-background\ +@ENABLE_TESTS_TRUE@ tests/pngvalid-gamma-expand16-alpha-mode\ @ENABLE_TESTS_TRUE@ tests/pngvalid-gamma-expand16-background\ -@ENABLE_TESTS_TRUE@ tests/pngvalid-gamma-expand16-transform tests/pngvalid-gamma-sbit\ -@ENABLE_TESTS_TRUE@ tests/pngvalid-gamma-threshold tests/pngvalid-gamma-transform\ +@ENABLE_TESTS_TRUE@ tests/pngvalid-gamma-expand16-transform\ +@ENABLE_TESTS_TRUE@ tests/pngvalid-gamma-sbit\ +@ENABLE_TESTS_TRUE@ tests/pngvalid-gamma-threshold\ +@ENABLE_TESTS_TRUE@ tests/pngvalid-gamma-transform\ @ENABLE_TESTS_TRUE@ tests/pngvalid-progressive-size\ @ENABLE_TESTS_TRUE@ tests/pngvalid-progressive-interlace-standard\ @ENABLE_TESTS_TRUE@ tests/pngvalid-transform\ -@ENABLE_TESTS_TRUE@ tests/pngvalid-progressive-standard tests/pngvalid-standard\ -@ENABLE_TESTS_TRUE@ tests/pngstest-1.8 tests/pngstest-1.8-alpha tests/pngstest-linear\ -@ENABLE_TESTS_TRUE@ tests/pngstest-linear-alpha tests/pngstest-none tests/pngstest-none-alpha\ -@ENABLE_TESTS_TRUE@ tests/pngstest-sRGB tests/pngstest-sRGB-alpha tests/pngunknown-IDAT\ -@ENABLE_TESTS_TRUE@ tests/pngunknown-discard tests/pngunknown-if-safe tests/pngunknown-sAPI\ -@ENABLE_TESTS_TRUE@ tests/pngunknown-sTER tests/pngunknown-save tests/pngunknown-vpAg\ -@ENABLE_TESTS_TRUE@ tests/pngimage-quick tests/pngimage-full +@ENABLE_TESTS_TRUE@ tests/pngvalid-progressive-standard\ +@ENABLE_TESTS_TRUE@ tests/pngvalid-standard\ +@ENABLE_TESTS_TRUE@ tests/pngstest-1.8\ +@ENABLE_TESTS_TRUE@ tests/pngstest-1.8-alpha\ +@ENABLE_TESTS_TRUE@ tests/pngstest-linear\ +@ENABLE_TESTS_TRUE@ tests/pngstest-linear-alpha\ +@ENABLE_TESTS_TRUE@ tests/pngstest-none\ +@ENABLE_TESTS_TRUE@ tests/pngstest-none-alpha\ +@ENABLE_TESTS_TRUE@ tests/pngstest-sRGB\ +@ENABLE_TESTS_TRUE@ tests/pngstest-sRGB-alpha\ +@ENABLE_TESTS_TRUE@ tests/pngstest-large-stride\ +@ENABLE_TESTS_TRUE@ tests/pngstest-negative-stride\ +@ENABLE_TESTS_TRUE@ tests/pngstest-negative-stride-extra\ +@ENABLE_TESTS_TRUE@ tests/pngunknown-IDAT\ +@ENABLE_TESTS_TRUE@ tests/pngunknown-discard\ +@ENABLE_TESTS_TRUE@ tests/pngunknown-if-safe\ +@ENABLE_TESTS_TRUE@ tests/pngunknown-sAPI\ +@ENABLE_TESTS_TRUE@ tests/pngunknown-sTER\ +@ENABLE_TESTS_TRUE@ tests/pngunknown-save\ +@ENABLE_TESTS_TRUE@ tests/pngunknown-vpAg\ +@ENABLE_TESTS_TRUE@ tests/pngimage-quick\ +@ENABLE_TESTS_TRUE@ tests/pngimage-full # man pages @@ -1815,6 +1834,27 @@ tests/pngstest-sRGB.log: tests/pngstest- tests/pngstest-sRGB-alpha.log: tests/pngstest-sRGB-alpha @p='tests/pngstest-sRGB-alpha'; \ b='tests/pngstest-sRGB-alpha'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +tests/pngstest-large-stride.log: tests/pngstest-large-stride + @p='tests/pngstest-large-stride'; \ + b='tests/pngstest-large-stride'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +tests/pngstest-negative-stride.log: tests/pngstest-negative-stride + @p='tests/pngstest-negative-stride'; \ + b='tests/pngstest-negative-stride'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +tests/pngstest-negative-stride-extra.log: tests/pngstest-negative-stride-extra + @p='tests/pngstest-negative-stride-extra'; \ + b='tests/pngstest-negative-stride-extra'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ Index: README =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/README,v diff -u -p -u -r1.5 README --- README 10 Feb 2026 17:06:06 -0000 1.5 +++ README 26 Mar 2026 07:09:49 -0000 @@ -1,4 +1,4 @@ -README for libpng version 1.6.55 +README for libpng version 1.6.56 ================================ See the note about version numbers near the top of `png.h`. Index: configure =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/configure,v diff -u -p -u -r1.6 configure --- configure 10 Feb 2026 17:06:06 -0000 1.6 +++ configure 26 Mar 2026 07:10:36 -0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for libpng 1.6.55. +# Generated by GNU Autoconf 2.71 for libpng 1.6.56. # # Report bugs to . # @@ -621,8 +621,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='libpng' PACKAGE_TARNAME='libpng' -PACKAGE_VERSION='1.6.55' -PACKAGE_STRING='libpng 1.6.55' +PACKAGE_VERSION='1.6.56' +PACKAGE_STRING='libpng 1.6.56' PACKAGE_BUGREPORT='png-mng-implement@lists.sourceforge.net' PACKAGE_URL='' @@ -1420,7 +1420,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libpng 1.6.55 to adapt to many kinds of systems. +\`configure' configures libpng 1.6.56 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1491,7 +1491,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libpng 1.6.55:";; + short | recursive ) echo "Configuration of libpng 1.6.56:";; esac cat <<\_ACEOF @@ -1689,7 +1689,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libpng configure 1.6.55 +libpng configure 1.6.56 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -1945,7 +1945,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libpng $as_me 1.6.55, which was +It was created by libpng $as_me 1.6.56, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3226,7 +3226,7 @@ fi # Define the identity of the package. PACKAGE='libpng' - VERSION='1.6.55' + VERSION='1.6.56' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -3302,10 +3302,10 @@ fi -PNGLIB_VERSION=1.6.55 +PNGLIB_VERSION=1.6.56 PNGLIB_MAJOR=1 PNGLIB_MINOR=6 -PNGLIB_RELEASE=55 +PNGLIB_RELEASE=56 @@ -14488,7 +14488,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libpng $as_me 1.6.55, which was +This file was extended by libpng $as_me 1.6.56, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -14556,7 +14556,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -libpng config.status 1.6.55 +libpng config.status 1.6.56 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" Index: configure.ac =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/configure.ac,v diff -u -p -u -r1.5 configure.ac --- configure.ac 10 Feb 2026 17:06:06 -0000 1.5 +++ configure.ac 26 Mar 2026 07:09:49 -0000 @@ -25,7 +25,7 @@ AC_PREREQ([2.68]) dnl Version number stuff here: -AC_INIT([libpng],[1.6.55],[png-mng-implement@lists.sourceforge.net]) +AC_INIT([libpng],[1.6.56],[png-mng-implement@lists.sourceforge.net]) AC_CONFIG_MACRO_DIR([scripts/autoconf]) # libpng does not follow GNU file name conventions (hence 'foreign') @@ -46,10 +46,10 @@ dnl automake, so the following is not ne dnl AM_PREREQ([1.11.2]) dnl stop configure from automagically running automake -PNGLIB_VERSION=1.6.55 +PNGLIB_VERSION=1.6.56 PNGLIB_MAJOR=1 PNGLIB_MINOR=6 -PNGLIB_RELEASE=55 +PNGLIB_RELEASE=56 dnl End of version number stuff Index: libpng-manual.txt =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/libpng-manual.txt,v diff -u -p -u -r1.5 libpng-manual.txt --- libpng-manual.txt 10 Feb 2026 17:06:06 -0000 1.5 +++ libpng-manual.txt 26 Mar 2026 07:09:49 -0000 @@ -9,7 +9,7 @@ libpng-manual.txt - A description on how Based on: - libpng version 1.6.36, December 2018, through 1.6.55 - February 2026 + libpng version 1.6.36, December 2018, through 1.6.56 - March 2026 Updated and distributed by Cosmin Truta Copyright (c) 2018-2026 Cosmin Truta @@ -2318,7 +2318,7 @@ libpng provides two macros to help you i png_uint_32 height = PNG_PASS_ROWS(image_height, pass_number); Respectively these tell you the width and height of the sub-image -corresponding to the numbered pass. 'pass' is in in the range 0 to 6 - +corresponding to the numbered pass. 'pass' is in the range 0 to 6 - this can be confusing because the specification refers to the same passes as 1 to 7! Be careful, you must check both the width and height before calling png_read_rows() and not call it for that pass if either is zero. @@ -2457,7 +2457,7 @@ point to libpng-allocated storage with t This function may be safely called when the relevant storage has already been freed, or has not yet been allocated, or was allocated -by the user and not by libpng, and will in those cases do nothing. +by the user and not by libpng, and will in those cases do nothing. The "seq" parameter is ignored if only one item of the selected data type, such as PLTE, is allowed. If "seq" is not -1, and multiple items are allowed for the data type identified in the mask, such as text or @@ -3292,7 +3292,7 @@ disclaimer until after, so viewers worki don't have to wait for the disclaimer to go over the modem before they start seeing the image. Finally, keywords should be full words, not abbreviations. Keywords and text are in the ISO 8859-1 -(Latin-1) character set (a superset of regular ASCII) and can not +(Latin-1) character set (a superset of regular ASCII) and cannot contain NUL characters, and should not contain control or other unprintable characters. To make the comments widely readable, stick with basic ASCII, and avoid machine specific character set extensions @@ -3694,7 +3694,7 @@ point to libpng-allocated storage with t This function may be safely called when the relevant storage has already been freed, or has not yet been allocated, or was allocated -by the user and not by libpng, and will in those cases do nothing. +by the user and not by libpng, and will in those cases do nothing. The "seq" parameter is ignored if only one item of the selected data type, such as PLTE, is allowed. If "seq" is not -1, and multiple items are allowed for the data type identified in the mask, such as text or Index: libpng.3 =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/libpng.3,v diff -u -p -u -r1.5 libpng.3 --- libpng.3 10 Feb 2026 17:06:06 -0000 1.5 +++ libpng.3 26 Mar 2026 07:09:49 -0000 @@ -1,6 +1,6 @@ -.TH LIBPNG 3 "February 9, 2026" +.TH LIBPNG 3 "March 25, 2026" .SH NAME -libpng \- Portable Network Graphics (PNG) Reference Library 1.6.55 +libpng \- Portable Network Graphics (PNG) Reference Library 1.6.56 .SH SYNOPSIS \fB#include \fP @@ -528,7 +528,7 @@ libpng-manual.txt - A description on how Based on: - libpng version 1.6.36, December 2018, through 1.6.55 - February 2026 + libpng version 1.6.36, December 2018, through 1.6.56 - March 2026 Updated and distributed by Cosmin Truta Copyright (c) 2018-2026 Cosmin Truta @@ -2837,7 +2837,7 @@ libpng provides two macros to help you i png_uint_32 height = PNG_PASS_ROWS(image_height, pass_number); Respectively these tell you the width and height of the sub-image -corresponding to the numbered pass. 'pass' is in in the range 0 to 6 - +corresponding to the numbered pass. 'pass' is in the range 0 to 6 - this can be confusing because the specification refers to the same passes as 1 to 7! Be careful, you must check both the width and height before calling png_read_rows() and not call it for that pass if either is zero. @@ -2976,7 +2976,7 @@ point to libpng-allocated storage with t This function may be safely called when the relevant storage has already been freed, or has not yet been allocated, or was allocated -by the user and not by libpng, and will in those cases do nothing. +by the user and not by libpng, and will in those cases do nothing. The "seq" parameter is ignored if only one item of the selected data type, such as PLTE, is allowed. If "seq" is not \-1, and multiple items are allowed for the data type identified in the mask, such as text or @@ -3811,7 +3811,7 @@ disclaimer until after, so viewers worki don't have to wait for the disclaimer to go over the modem before they start seeing the image. Finally, keywords should be full words, not abbreviations. Keywords and text are in the ISO 8859-1 -(Latin-1) character set (a superset of regular ASCII) and can not +(Latin-1) character set (a superset of regular ASCII) and cannot contain NUL characters, and should not contain control or other unprintable characters. To make the comments widely readable, stick with basic ASCII, and avoid machine specific character set extensions @@ -4213,7 +4213,7 @@ point to libpng-allocated storage with t This function may be safely called when the relevant storage has already been freed, or has not yet been allocated, or was allocated -by the user and not by libpng, and will in those cases do nothing. +by the user and not by libpng, and will in those cases do nothing. The "seq" parameter is ignored if only one item of the selected data type, such as PLTE, is allowed. If "seq" is not \-1, and multiple items are allowed for the data type identified in the mask, such as text or Index: libpngpf.3 =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/libpngpf.3,v diff -u -p -u -r1.5 libpngpf.3 --- libpngpf.3 10 Feb 2026 17:06:06 -0000 1.5 +++ libpngpf.3 26 Mar 2026 07:09:49 -0000 @@ -1,6 +1,6 @@ -.TH LIBPNGPF 3 "February 9, 2026" +.TH LIBPNGPF 3 "March 25, 2026" .SH NAME -libpng \- Portable Network Graphics (PNG) Reference Library 1.6.55 +libpng \- Portable Network Graphics (PNG) Reference Library 1.6.56 .SH SYNOPSIS \fB#include "pngpriv.h"\fP Index: png.5 =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/png.5,v diff -u -p -u -r1.5 png.5 --- png.5 10 Feb 2026 17:06:06 -0000 1.5 +++ png.5 26 Mar 2026 07:09:49 -0000 @@ -1,4 +1,4 @@ -.TH PNG 5 "February 9, 2026" +.TH PNG 5 "March 25, 2026" .SH NAME png \- Portable Network Graphics (PNG) format Index: png.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/png.c,v diff -u -p -u -r1.5 png.c --- png.c 10 Feb 2026 17:06:06 -0000 1.5 +++ png.c 26 Mar 2026 07:09:49 -0000 @@ -13,7 +13,7 @@ #include "pngpriv.h" /* Generate a compiler error if there is an old png.h in the search path. */ -typedef png_libpng_version_1_6_55 Your_png_h_is_not_version_1_6_55; +typedef png_libpng_version_1_6_56 Your_png_h_is_not_version_1_6_56; /* Sanity check the chunks definitions - PNG_KNOWN_CHUNKS from pngpriv.h and the * corresponding macro definitions. This causes a compile time failure if @@ -820,7 +820,7 @@ png_get_copyright(png_const_structrp png return PNG_STRING_COPYRIGHT #else return PNG_STRING_NEWLINE \ - "libpng version 1.6.55" PNG_STRING_NEWLINE \ + "libpng version 1.6.56" PNG_STRING_NEWLINE \ "Copyright (c) 2018-2026 Cosmin Truta" PNG_STRING_NEWLINE \ "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \ PNG_STRING_NEWLINE \ @@ -1170,7 +1170,7 @@ png_xy_from_XYZ(png_xy *xy, const png_XY return 1; /* The reference white is simply the sum of the end-point (X,Y,Z) vectors so - * the fillowing calculates (X+Y+Z) of the reference white (media white, + * the following calculates (X+Y+Z) of the reference white (media white, * encoding white) itself: */ d = dblue; @@ -1215,9 +1215,9 @@ png_XYZ_from_xy(png_XYZ *XYZ, const png_ * (-0.0770) because the PNG spec itself requires the xy values to be * unsigned. whitey is also required to be 5 or more to avoid overflow. * - * Instead the upper limits have been relaxed to accomodate ACES AP1 where + * Instead the upper limits have been relaxed to accommodate ACES AP1 where * redz ends up as -600 (-0.006). ProPhotoRGB was already "in range." - * The new limit accomodates the AP0 and AP1 ranges for z but not AP0 redy. + * The new limit accommodates the AP0 and AP1 ranges for z but not AP0 redy. */ const png_fixed_point fpLimit = PNG_FP_1+(PNG_FP_1/10); if (xy->redx < 0 || xy->redx > fpLimit) return 1; @@ -1328,7 +1328,7 @@ png_XYZ_from_xy(png_XYZ *XYZ, const png_ * red-scale + green-scale + blue-scale = 1/white-y = white-scale * * So now we have a Cramer's rule solution where the determinants are just - * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve + * 3x3 - far more tractable. Unfortunately 3x3 determinants still involve * multiplication of three coefficients so we can't guarantee to avoid * overflow in the libpng fixed point representation. Using Cramer's rule in * floating point is probably a good choice here, but it's not an option for @@ -1697,7 +1697,7 @@ png_icc_check_header(png_const_structrp * into R, G and B channels. * * Previously it was suggested that an RGB profile on grayscale data could be - * handled. However it it is clear that using an RGB profile in this context + * handled. However it is clear that using an RGB profile in this context * must be an error - there is no specification of what it means. Thus it is * almost certainly more correct to ignore the profile. */ @@ -2915,7 +2915,7 @@ png_gamma_significant(png_fixed_point ga * * 2.2/(2+51/256) == 1.00035524 * - * I.e. vanishly small (<4E-4) but still detectable in 16-bit linear (+/- + * I.e. vanishingly small (<4E-4) but still detectable in 16-bit linear (+/- * 23). Note that the Adobe choice seems to be something intended to give an * exact number with 8 binary fractional digits - it is the closest to 2.2 * that is possible a base 2 .8p representation. Index: png.h =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/png.h,v diff -u -p -u -r1.5 png.h --- png.h 10 Feb 2026 17:06:06 -0000 1.5 +++ png.h 26 Mar 2026 07:09:49 -0000 @@ -1,6 +1,6 @@ /* png.h - header file for PNG reference library * - * libpng version 1.6.55 + * libpng version 1.6.56 * * Copyright (c) 2018-2026 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson @@ -14,7 +14,7 @@ * libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger * libpng versions 0.97, January 1998, through 1.6.35, July 2018: * Glenn Randers-Pehrson - * libpng versions 1.6.36, December 2018, through 1.6.55, February 2026: + * libpng versions 1.6.36, December 2018, through 1.6.56, March 2026: * Cosmin Truta * See also "Contributing Authors", below. */ @@ -238,7 +238,7 @@ * ... * 1.5.30 15 10530 15.so.15.30[.0] * ... - * 1.6.55 16 10655 16.so.16.55[.0] + * 1.6.56 16 10656 16.so.16.56[.0] * * Henceforth the source version will match the shared-library major and * minor numbers; the shared-library major version number will be used for @@ -274,7 +274,7 @@ */ /* Version information for png.h - this should match the version in png.c */ -#define PNG_LIBPNG_VER_STRING "1.6.55" +#define PNG_LIBPNG_VER_STRING "1.6.56" #define PNG_HEADER_VERSION_STRING " libpng version " PNG_LIBPNG_VER_STRING "\n" /* The versions of shared library builds should stay in sync, going forward */ @@ -285,7 +285,7 @@ /* These should match the first 3 components of PNG_LIBPNG_VER_STRING: */ #define PNG_LIBPNG_VER_MAJOR 1 #define PNG_LIBPNG_VER_MINOR 6 -#define PNG_LIBPNG_VER_RELEASE 55 +#define PNG_LIBPNG_VER_RELEASE 56 /* This should be zero for a public release, or non-zero for a * development version. @@ -316,7 +316,7 @@ * From version 1.0.1 it is: * XXYYZZ, where XX=major, YY=minor, ZZ=release */ -#define PNG_LIBPNG_VER 10655 /* 1.6.55 */ +#define PNG_LIBPNG_VER 10656 /* 1.6.56 */ /* Library configuration: these options cannot be changed after * the library has been built. @@ -426,7 +426,7 @@ extern "C" { /* This triggers a compiler error in png.c, if png.c and png.h * do not agree upon the version number. */ -typedef char *png_libpng_version_1_6_55; +typedef char *png_libpng_version_1_6_56; /* Basic control structions. Read libpng-manual.txt or libpng.3 for more info. * @@ -2341,7 +2341,7 @@ PNG_EXPORT(162, int, png_get_text, #endif /* Note while png_set_text() will accept a structure whose text, - * language, and translated keywords are NULL pointers, the structure + * language, and translated keywords are NULL pointers, the structure * returned by png_get_text will always contain regular * zero-terminated C strings. They might be empty strings but * they will never be NULL pointers. Index: pngconf.h =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/pngconf.h,v diff -u -p -u -r1.5 pngconf.h --- pngconf.h 10 Feb 2026 17:06:06 -0000 1.5 +++ pngconf.h 26 Mar 2026 07:09:49 -0000 @@ -1,6 +1,6 @@ /* pngconf.h - machine-configurable file for libpng * - * libpng version 1.6.55 + * libpng version 1.6.56 * * Copyright (c) 2018-2026 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2016,2018 Glenn Randers-Pehrson Index: pngpriv.h =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/pngpriv.h,v diff -u -p -u -r1.3 pngpriv.h --- pngpriv.h 14 Jan 2026 06:38:29 -0000 1.3 +++ pngpriv.h 26 Mar 2026 07:09:49 -0000 @@ -957,7 +957,7 @@ * * At present these index values are not exported (not part of the public API) * so can be changed at will. For convenience the names are in lexical sort - * order but with the critical chunks at the start in the order of occurence in + * order but with the critical chunks at the start in the order of occurrence in * a PNG. * * PNG_INFO_ values do not exist for every one of these chunk handles; for @@ -2086,7 +2086,7 @@ PNG_INTERNAL_FUNCTION(void, png_ascii_fr * not valid it will be the index of a character in the supposed number. * * The format of a number is defined in the PNG extensions specification - * and this API is strictly conformant to that spec, not anyone elses! + * and this API is strictly conformant to that spec, not anyone else's! * * The format as a regular expression is: * Index: pngread.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/pngread.c,v diff -u -p -u -r1.4 pngread.c --- pngread.c 14 Jan 2026 06:38:29 -0000 1.4 +++ pngread.c 26 Mar 2026 07:09:49 -0000 @@ -691,7 +691,7 @@ png_read_end(png_structrp png_ptr, png_i png_read_finish_IDAT(png_ptr); #ifdef PNG_READ_CHECK_FOR_INVALID_INDEX_SUPPORTED - /* Report invalid palette index; added at libng-1.5.10 */ + /* Report invalid palette index; added at libpng-1.5.10 */ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && png_ptr->num_palette_max >= png_ptr->num_palette) png_benign_error(png_ptr, "Read palette index exceeding num_palette"); @@ -779,21 +779,19 @@ png_read_destroy(png_structrp png_ptr) png_ptr->quantize_index = NULL; #endif - if ((png_ptr->free_me & PNG_FREE_PLTE) != 0) - { - png_zfree(png_ptr, png_ptr->palette); - png_ptr->palette = NULL; - } - png_ptr->free_me &= ~PNG_FREE_PLTE; + /* png_ptr->palette is always independently allocated (not aliased + * with info_ptr->palette), so free it unconditionally. + */ + png_free(png_ptr, png_ptr->palette); + png_ptr->palette = NULL; #if defined(PNG_tRNS_SUPPORTED) || \ defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) - if ((png_ptr->free_me & PNG_FREE_TRNS) != 0) - { - png_free(png_ptr, png_ptr->trans_alpha); - png_ptr->trans_alpha = NULL; - } - png_ptr->free_me &= ~PNG_FREE_TRNS; + /* png_ptr->trans_alpha is always independently allocated (not aliased + * with info_ptr->trans_alpha), so free it unconditionally. + */ + png_free(png_ptr, png_ptr->trans_alpha); + png_ptr->trans_alpha = NULL; #endif inflateEnd(&png_ptr->zstream); @@ -1256,7 +1254,7 @@ png_image_is_not_sRGB(png_const_structrp * png_struct::chromaticities always exists since the simplified API * requires rgb-to-gray. The mDCV, cICP and cHRM chunks may all set it to * a non-sRGB value, so it needs to be checked but **only** if one of - * those chunks occured in the file. + * those chunks occurred in the file. */ /* Highest priority: check to be safe. */ if (png_has_chunk(png_ptr, cICP) || png_has_chunk(png_ptr, mDCV)) @@ -2596,7 +2594,7 @@ png_image_read_colormap(png_voidp argume { r = back_r; g = back_g; - b = back_g; + b = back_b; } /* Compare the newly-created color-map entry with the one the @@ -2874,9 +2872,9 @@ png_image_read_and_map(png_voidp argumen { png_bytep inrow = png_voidcast(png_bytep, display->local_row); png_bytep outrow = first_row + y * row_step; - png_const_bytep end_row = outrow + width; + png_const_bytep row_end = outrow + width; - /* Read read the libpng data into the temporary buffer. */ + /* Read the libpng data into the temporary buffer. */ png_read_row(png_ptr, inrow, NULL); /* Now process the row according to the processing option, note @@ -2887,7 +2885,7 @@ png_image_read_and_map(png_voidp argumen switch (proc) { case PNG_CMAP_GA: - for (; outrow < end_row; outrow += stepx) + for (; outrow < row_end; outrow += stepx) { /* The data is always in the PNG order */ unsigned int gray = *inrow++; @@ -2916,7 +2914,7 @@ png_image_read_and_map(png_voidp argumen break; case PNG_CMAP_TRANS: - for (; outrow < end_row; outrow += stepx) + for (; outrow < row_end; outrow += stepx) { png_byte gray = *inrow++; png_byte alpha = *inrow++; @@ -2933,7 +2931,7 @@ png_image_read_and_map(png_voidp argumen break; case PNG_CMAP_RGB: - for (; outrow < end_row; outrow += stepx) + for (; outrow < row_end; outrow += stepx) { *outrow = PNG_RGB_INDEX(inrow[0], inrow[1], inrow[2]); inrow += 3; @@ -2941,7 +2939,7 @@ png_image_read_and_map(png_voidp argumen break; case PNG_CMAP_RGB_ALPHA: - for (; outrow < end_row; outrow += stepx) + for (; outrow < row_end; outrow += stepx) { unsigned int alpha = inrow[3]; @@ -2978,10 +2976,10 @@ png_image_read_and_map(png_voidp argumen */ if (inrow[0] & 0x80) back_i += 9; /* red */ if (inrow[0] & 0x40) back_i += 9; - if (inrow[0] & 0x80) back_i += 3; /* green */ - if (inrow[0] & 0x40) back_i += 3; - if (inrow[0] & 0x80) back_i += 1; /* blue */ - if (inrow[0] & 0x40) back_i += 1; + if (inrow[1] & 0x80) back_i += 3; /* green */ + if (inrow[1] & 0x40) back_i += 3; + if (inrow[2] & 0x80) back_i += 1; /* blue */ + if (inrow[2] & 0x40) back_i += 1; *outrow = (png_byte)back_i; } @@ -3248,18 +3246,18 @@ png_image_read_composite(png_voidp argum { png_bytep inrow = png_voidcast(png_bytep, display->local_row); png_bytep outrow; - png_const_bytep end_row; + png_const_bytep row_end; /* Read the row, which is packed: */ png_read_row(png_ptr, inrow, NULL); outrow = png_voidcast(png_bytep, display->first_row); outrow += y * row_step; - end_row = outrow + width * channels; + row_end = outrow + width * channels; /* Now do the composition on each pixel in this row. */ outrow += startx; - for (; outrow < end_row; outrow += stepx) + for (; outrow < row_end; outrow += stepx) { png_byte alpha = inrow[channels]; @@ -3432,14 +3430,14 @@ png_image_read_background(png_voidp argu png_bytep inrow = png_voidcast(png_bytep, display->local_row); png_bytep outrow = first_row + y * row_step; - png_const_bytep end_row = outrow + width; + png_const_bytep row_end = outrow + width; /* Read the row, which is packed: */ png_read_row(png_ptr, inrow, NULL); /* Now do the composition on each pixel in this row. */ outrow += startx; - for (; outrow < end_row; outrow += stepx) + for (; outrow < row_end; outrow += stepx) { png_byte alpha = inrow[1]; @@ -3477,14 +3475,14 @@ png_image_read_background(png_voidp argu png_bytep inrow = png_voidcast(png_bytep, display->local_row); png_bytep outrow = first_row + y * row_step; - png_const_bytep end_row = outrow + width; + png_const_bytep row_end = outrow + width; /* Read the row, which is packed: */ png_read_row(png_ptr, inrow, NULL); /* Now do the composition on each pixel in this row. */ outrow += startx; - for (; outrow < end_row; outrow += stepx) + for (; outrow < row_end; outrow += stepx) { png_byte alpha = inrow[1]; @@ -3567,7 +3565,7 @@ png_image_read_background(png_voidp argu { png_const_uint_16p inrow; png_uint_16p outrow = first_row + y * row_step; - png_uint_16p end_row = outrow + width * outchannels; + png_uint_16p row_end = outrow + width * outchannels; /* Read the row, which is packed: */ png_read_row(png_ptr, png_voidcast(png_bytep, @@ -3577,7 +3575,7 @@ png_image_read_background(png_voidp argu /* Now do the pre-multiplication on each pixel in this row. */ outrow += startx; - for (; outrow < end_row; outrow += stepx) + for (; outrow < row_end; outrow += stepx) { png_uint_32 component = inrow[0]; png_uint_16 alpha = inrow[1]; @@ -4113,7 +4111,7 @@ png_image_finish_read(png_imagep image, row_stride = (png_int_32)/*SAFE*/png_row_stride; if (row_stride < 0) - check = (png_uint_32)(-row_stride); + check = -(png_uint_32)row_stride; else check = (png_uint_32)row_stride; Index: pngrtran.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/pngrtran.c,v diff -u -p -u -r1.5 pngrtran.c --- pngrtran.c 10 Feb 2026 17:06:06 -0000 1.5 +++ pngrtran.c 26 Mar 2026 07:09:49 -0000 @@ -230,7 +230,7 @@ png_set_strip_alpha(png_structrp png_ptr * * Terminology (assuming power law, "gamma", encodings): * "screen" gamma: a power law imposed by the output device when digital - * samples are converted to visible light output. The EOTF - volage to + * samples are converted to visible light output. The EOTF - voltage to * luminance on output. * * "file" gamma: a power law used to encode luminance levels from the input @@ -495,6 +495,9 @@ png_set_quantize(png_structrp png_ptr, p if (png_rtran_ok(png_ptr, 0) == 0) return; + if (palette == NULL) + return; + png_ptr->transformations |= PNG_QUANTIZE; if (full_quantize == 0) @@ -811,7 +814,13 @@ png_set_quantize(png_structrp png_ptr, p } if (png_ptr->palette == NULL) { - png_ptr->palette = palette; + /* Allocate an owned copy rather than aliasing the caller's pointer, + * so that png_read_destroy can free png_ptr->palette unconditionally. + */ + png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, + PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); + memcpy(png_ptr->palette, palette, (unsigned int)num_palette * + (sizeof (png_color))); } png_ptr->num_palette = (png_uint_16)num_palette; @@ -1364,7 +1373,7 @@ png_resolve_file_gamma(png_const_structr if (file_gamma != 0) return file_gamma; - /* If png_reciprocal oveflows it returns 0 which indicates to the caller that + /* If png_reciprocal overflows, it returns 0, indicating to the caller that * there is no usable file gamma. (The checks added to png_set_gamma and * png_set_alpha_mode should prevent a screen_gamma which would overflow.) */ @@ -2060,6 +2069,21 @@ void /* PRIVATE */ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr) { png_debug(1, "in png_read_transform_info"); + + if (png_ptr->transformations != 0) + { + if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE && + info_ptr->palette != NULL && png_ptr->palette != NULL) + { + /* Sync info_ptr->palette with png_ptr->palette. + * The function png_init_read_transformations may have modified + * png_ptr->palette in place (e.g. for gamma correction or for + * background compositing). + */ + memcpy(info_ptr->palette, png_ptr->palette, + PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))); + } + } #ifdef PNG_READ_EXPAND_SUPPORTED if ((png_ptr->transformations & PNG_EXPAND) != 0) Index: pngrutil.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/pngrutil.c,v diff -u -p -u -r1.2 pngrutil.c --- pngrutil.c 14 Jan 2026 06:38:29 -0000 1.2 +++ pngrutil.c 26 Mar 2026 07:09:49 -0000 @@ -436,7 +436,7 @@ png_inflate_claim(png_structrp png_ptr, * be gained by using this when it is known *if* the zlib stream itself does * not record the number; however, this is an illusion: the original writer * of the PNG may have selected a lower window size, and we really must - * follow that because, for systems with with limited capabilities, we + * follow that because, for systems with limited capabilities, we * would otherwise reject the application's attempts to use a smaller window * size (zlib doesn't have an interface to say "this or lower"!). * @@ -1006,7 +1006,7 @@ png_handle_PLTE(png_structrp png_ptr, pn * in the case of an 8-bit display with a decoder which controls the palette. * * The alternative here is to ignore the error and store the palette anyway; - * destroying the tRNS will definately cause problems. + * destroying the tRNS will definitely cause problems. * * NOTE: the case of PNG_COLOR_TYPE_PALETTE need not be considered because * the png_handle_ routines for the three 'after PLTE' chunks tRNS, bKGD and @@ -1053,19 +1053,6 @@ png_handle_PLTE(png_structrp png_ptr, pn /* A valid PLTE chunk has been read */ png_ptr->mode |= PNG_HAVE_PLTE; - /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to - * its own copy of the palette. This has the side effect that when - * png_start_row is called (this happens after any call to - * png_read_update_info) the info_ptr palette gets changed. This is - * extremely unexpected and confusing. - * - * REVIEW: there have been consistent bugs in the past about gamma and - * similar transforms to colour mapped images being useless because the - * modified palette cannot be accessed because of the above. - * - * CONSIDER: Fix this by not sharing the palette in this way. But does - * this completely fix the problem? - */ png_set_PLTE(png_ptr, info_ptr, palette, num); return handled_ok; } @@ -1267,7 +1254,7 @@ png_handle_cHRM(png_structrp png_ptr, pn /* png_set_cHRM may complain about some of the values but this doesn't matter * because it was a cHRM and it did have vaguely (if, perhaps, ridiculous) - * values. Ridiculousity will be checked if the values are used later. + * values. Ridiculosity will be checked if the values are used later. */ png_set_cHRM_fixed(png_ptr, info_ptr, xy.whitex, xy.whitey, xy.redx, xy.redy, xy.greenx, xy.greeny, xy.bluex, xy.bluey); @@ -1564,7 +1551,8 @@ static png_handle_result_code /* PRIVATE png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) /* Note: this does not properly handle chunks that are > 64K under DOS */ { - png_bytep entry_start, buffer; + png_bytep buffer; + png_bytep entry_start; png_sPLT_t new_palette; png_sPLT_entryp pp; png_uint_32 data_length; @@ -1771,10 +1759,6 @@ png_handle_tRNS(png_structrp png_ptr, pn return handled_error; } - /* TODO: this is a horrible side effect in the palette case because the - * png_struct ends up with a pointer to the tRNS buffer owned by the - * png_info. Fix this. - */ png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, &(png_ptr->trans_color)); return handled_ok; @@ -2033,7 +2017,7 @@ png_handle_eXIf(png_structrp png_ptr, pn return handled_error; /* PNGv3: the code used to check the byte order mark at the start for MM or - * II, however PNGv3 states that the the first 4 bytes should be checked. + * II, however PNGv3 states that the first 4 bytes should be checked. * The caller ensures that there are four bytes available. */ { @@ -2155,9 +2139,13 @@ png_handle_oFFs(png_structrp png_ptr, pn static png_handle_result_code /* PRIVATE */ png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) { + png_bytep buffer; + png_bytep buf; + png_bytep endptr; png_int_32 X0, X1; - png_byte type, nparams; - png_bytep buffer, buf, units, endptr; + png_byte type; + png_byte nparams; + png_byte *units; png_charpp params; int i; @@ -3011,7 +2999,7 @@ static const struct png_uint_32 max_length :12; /* Length min, max in bytes */ png_uint_32 min_length :8; /* Length errors on critical chunks have special handling to preserve the - * existing behaviour in libpng 1.6. Anciallary chunks are checked below + * existing behaviour in libpng 1.6. Ancillary chunks are checked below * and produce a 'benign' error. */ png_uint_32 pos_before :4; /* PNG_HAVE_ values chunk must precede */ @@ -3019,7 +3007,7 @@ static const struct /* NOTE: PLTE, tRNS and bKGD require special handling which depends on * the colour type of the base image. */ - png_uint_32 multiple :1; /* Multiple occurences permitted */ + png_uint_32 multiple :1; /* Multiple occurrences permitted */ /* This is enabled for PLTE because PLTE may, in practice, be optional */ } read_chunks[PNG_INDEX_unknown] = @@ -3053,7 +3041,7 @@ read_chunks[PNG_INDEX_unknown] = # define CDIHDR 13U, 13U, hIHDR, 0, 0 # define CDPLTE NoCheck, 0U, 0, hIHDR, 1 /* PLTE errors are only critical for colour-map images, consequently the - * hander does all the checks. + * handler does all the checks. */ # define CDIDAT NoCheck, 0U, aIDAT, hIHDR, 1 # define CDIEND NoCheck, 0U, 0, aIDAT, 0 Index: pngset.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/pngset.c,v diff -u -p -u -r1.1.1.1 pngset.c --- pngset.c 17 Sep 2025 14:44:40 -0000 1.1.1.1 +++ pngset.c 26 Mar 2026 07:09:49 -0000 @@ -1,6 +1,6 @@ /* pngset.c - storage of image information into info struct * - * Copyright (c) 2018-2025 Cosmin Truta + * Copyright (c) 2018-2026 Cosmin Truta * Copyright (c) 1998-2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -333,7 +333,8 @@ png_set_eXIf_1(png_const_structrp png_pt png_debug1(1, "in %s storage function", "eXIf"); if (png_ptr == NULL || info_ptr == NULL || - (png_ptr->mode & PNG_WROTE_eXIf) != 0) + (png_ptr->mode & PNG_WROTE_eXIf) != 0 || + exif == NULL) return; new_exif = png_voidcast(png_bytep, png_malloc_warn(png_ptr, num_exif)); @@ -388,7 +389,7 @@ png_set_hIST(png_const_structrp png_ptr, png_debug1(1, "in %s storage function", "hIST"); - if (png_ptr == NULL || info_ptr == NULL) + if (png_ptr == NULL || info_ptr == NULL || hist == NULL) return; if (info_ptr->num_palette == 0 || info_ptr->num_palette @@ -775,28 +776,38 @@ png_set_PLTE(png_structrp png_ptr, png_i png_error(png_ptr, "Invalid palette"); } - /* It may not actually be necessary to set png_ptr->palette here; - * we do it for backward compatibility with the way the png_handle_tRNS - * function used to do the allocation. - * - * 1.6.0: the above statement appears to be incorrect; something has to set - * the palette inside png_struct on read. - */ png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0); /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead * of num_palette entries, in case of an invalid PNG file or incorrect * call to png_set_PLTE() with too-large sample values. + * + * Allocate independent buffers for info_ptr and png_ptr so that the + * lifetime of png_ptr->palette is decoupled from the lifetime of + * info_ptr->palette. Previously, these two pointers were aliased, + * which caused a use-after-free vulnerability if png_free_data freed + * info_ptr->palette while png_ptr->palette was still in use by the + * row transform functions (e.g. png_do_expand_palette). + * + * Both buffers are allocated with png_calloc to zero-fill, because + * the ARM NEON palette riffle reads all 256 entries unconditionally, + * regardless of num_palette. */ + png_free(png_ptr, png_ptr->palette); png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); + info_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, + PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); + png_ptr->num_palette = info_ptr->num_palette = (png_uint_16)num_palette; if (num_palette > 0) + { + memcpy(info_ptr->palette, palette, (unsigned int)num_palette * + (sizeof (png_color))); memcpy(png_ptr->palette, palette, (unsigned int)num_palette * (sizeof (png_color))); + } - info_ptr->palette = png_ptr->palette; - info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette; info_ptr->free_me |= PNG_FREE_PLTE; info_ptr->valid |= PNG_INFO_PLTE; } @@ -1154,28 +1165,40 @@ png_set_tRNS(png_structrp png_ptr, png_i if (trans_alpha != NULL) { - /* It may not actually be necessary to set png_ptr->trans_alpha here; - * we do it for backward compatibility with the way the png_handle_tRNS - * function used to do the allocation. - * - * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively - * relies on png_set_tRNS storing the information in png_struct - * (otherwise it won't be there for the code in pngrtran.c). - */ - png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0); if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH) { - /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */ + /* Allocate info_ptr's copy of the transparency data. + * Initialize all entries to fully opaque (0xff), then overwrite + * the first num_trans entries with the actual values. + */ info_ptr->trans_alpha = png_voidcast(png_bytep, png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); + memset(info_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH); memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans); - info_ptr->free_me |= PNG_FREE_TRNS; info_ptr->valid |= PNG_INFO_tRNS; + + /* Allocate an independent copy for png_struct, so that the + * lifetime of png_ptr->trans_alpha is decoupled from the + * lifetime of info_ptr->trans_alpha. Previously these two + * pointers were aliased, which caused a use-after-free if + * png_free_data freed info_ptr->trans_alpha while + * png_ptr->trans_alpha was still in use by the row transform + * functions (e.g. png_do_expand_palette). + */ + png_free(png_ptr, png_ptr->trans_alpha); + png_ptr->trans_alpha = png_voidcast(png_bytep, + png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); + memset(png_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH); + memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans); + } + else + { + png_free(png_ptr, png_ptr->trans_alpha); + png_ptr->trans_alpha = NULL; } - png_ptr->trans_alpha = info_ptr->trans_alpha; } if (trans_color != NULL) @@ -1873,7 +1896,7 @@ png_set_benign_errors(png_structrp png_p #endif /* BENIGN_ERRORS */ #ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED - /* Whether to report invalid palette index; added at libng-1.5.10. + /* Whether to report invalid palette index; added at libpng-1.5.10. * It is possible for an indexed (color-type==3) PNG file to contain * pixels with invalid (out-of-range) indexes if the PLTE chunk has * fewer entries than the image's bit-depth would allow. We recover Index: pngstruct.h =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/pngstruct.h,v diff -u -p -u -r1.2 pngstruct.h --- pngstruct.h 24 Nov 2025 21:24:23 -0000 1.2 +++ pngstruct.h 26 Mar 2026 07:09:49 -0000 @@ -1,6 +1,6 @@ /* pngstruct.h - internal structures for libpng * - * Copyright (c) 2018-2025 Cosmin Truta + * Copyright (c) 2018-2026 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -106,7 +106,7 @@ typedef enum * TODO: C23: convert these macros to C23 inlines (which are static). */ #define png_chunk_flag_from_index(i) (0x80000000U >> (31 - (i))) - /* The flag coresponding to the given png_index enum value. This is defined + /* The flag corresponding to the given png_index enum value. This is defined * for png_unknown as well (until it reaches the value 32) but this should * not be relied on. */ @@ -115,7 +115,7 @@ typedef enum (((png_ptr)->chunks & png_chunk_flag_from_index(i)) != 0) /* The chunk has been recorded in png_struct */ -#define png_file_add_chunk(pnt_ptr, i)\ +#define png_file_add_chunk(png_ptr, i)\ ((void)((png_ptr)->chunks |= png_chunk_flag_from_index(i))) /* Record the chunk in the png_struct */ Index: pngtest.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/pngtest.c,v diff -u -p -u -r1.5 pngtest.c --- pngtest.c 10 Feb 2026 17:06:06 -0000 1.5 +++ pngtest.c 26 Mar 2026 07:09:49 -0000 @@ -1,6 +1,6 @@ /* pngtest.c - a test program for libpng * - * Copyright (c) 2018-2025 Cosmin Truta + * Copyright (c) 2018-2026 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -50,7 +50,7 @@ #define STDERR stdout /* Generate a compiler error if there is an old png.h in the search path. */ -typedef png_libpng_version_1_6_55 Your_png_h_is_not_version_1_6_55; +typedef png_libpng_version_1_6_56 Your_png_h_is_not_version_1_6_56; /* Ensure that all version numbers in png.h are consistent with one another. */ #if (PNG_LIBPNG_VER != PNG_LIBPNG_VER_MAJOR * 10000 + \ @@ -858,7 +858,8 @@ test_one_file(const char *inname, const static FILE *fpout; /* "static" prevents setjmp corruption */ pngtest_error_parameters error_parameters; png_structp read_ptr; - png_infop read_info_ptr, end_info_ptr; + png_infop read_info_ptr; + png_infop end_info_ptr; #ifdef PNG_WRITE_SUPPORTED png_structp write_ptr; png_infop write_info_ptr; @@ -1299,7 +1300,8 @@ test_one_file(const char *inname, const #endif #ifdef PNG_pCAL_SUPPORTED { - png_charp purpose, units; + png_charp purpose; + png_charp units; png_charpp params; png_int_32 X0, X1; int type, nparams; Index: pngtrans.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/pngtrans.c,v diff -u -p -u -r1.2 pngtrans.c --- pngtrans.c 14 Jan 2026 06:38:29 -0000 1.2 +++ pngtrans.c 26 Mar 2026 07:09:49 -0000 @@ -1,6 +1,6 @@ /* pngtrans.c - transforms the data in a row (used by both readers and writers) * - * Copyright (c) 2018-2024 Cosmin Truta + * Copyright (c) 2018-2026 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -84,9 +84,38 @@ png_set_shift(png_structrp png_ptr, png_ { png_debug(1, "in png_set_shift"); - if (png_ptr == NULL) + if (png_ptr == NULL || true_bits == NULL) return; + /* Check the shift values before passing them on to png_do_shift. */ + { + png_byte bit_depth = png_ptr->bit_depth; + int invalid = 0; + + if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0) + { + if (true_bits->red == 0 || true_bits->red > bit_depth || + true_bits->green == 0 || true_bits->green > bit_depth || + true_bits->blue == 0 || true_bits->blue > bit_depth) + invalid = 1; + } + else + { + if (true_bits->gray == 0 || true_bits->gray > bit_depth) + invalid = 1; + } + + if ((png_ptr->color_type & PNG_COLOR_MASK_ALPHA) != 0 && + (true_bits->alpha == 0 || true_bits->alpha > bit_depth)) + invalid = 1; + + if (invalid) + { + png_app_error(png_ptr, "png_set_shift: invalid shift values"); + return; + } + } + png_ptr->transformations |= PNG_SHIFT; png_ptr->shift = *true_bits; } @@ -457,10 +486,9 @@ png_do_packswap(png_row_infop row_info, if (row_info->bit_depth < 8) { + png_const_bytep table; png_bytep rp; - png_const_bytep end, table; - - end = row + row_info->rowbytes; + png_bytep row_end = row + row_info->rowbytes; if (row_info->bit_depth == 1) table = onebppswaptable; @@ -474,7 +502,7 @@ png_do_packswap(png_row_infop row_info, else return; - for (rp = row; rp < end; rp++) + for (rp = row; rp < row_end; rp++) *rp = table[*rp]; } } Index: pngwrite.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/pngwrite.c,v diff -u -p -u -r1.3 pngwrite.c --- pngwrite.c 14 Jan 2026 06:38:29 -0000 1.3 +++ pngwrite.c 26 Mar 2026 07:09:49 -0000 @@ -159,7 +159,7 @@ png_write_info_before_PLTE(png_structrp * them. * * PNG v3: Chunks mDCV and cLLI provide ancillary information for the - * interpretation of the colourspace chunkgs but do not require support for + * interpretation of the colourspace chunks but do not require support for * those chunks so are outside the "COLORSPACE" check but before the write of * the colourspace chunks themselves. */ @@ -1010,6 +1010,16 @@ png_write_destroy(png_structrp png_ptr) png_ptr->chunk_list = NULL; #endif +#if defined(PNG_tRNS_SUPPORTED) + /* Free the independent copy of trans_alpha owned by png_struct. */ + png_free(png_ptr, png_ptr->trans_alpha); + png_ptr->trans_alpha = NULL; +#endif + + /* Free the independent copy of the palette owned by png_struct. */ + png_free(png_ptr, png_ptr->palette); + png_ptr->palette = NULL; + /* The error handling and memory handling information is left intact at this * point: the jmp_buf may still have to be freed. See png_destroy_png_struct * for how this happens. @@ -2020,7 +2030,7 @@ png_image_write_main(png_voidp argument) display->row_stride = (png_int_32)/*SAFE*/png_row_stride; if (display->row_stride < 0) - check = (png_uint_32)(-display->row_stride); + check = -(png_uint_32)display->row_stride; else check = (png_uint_32)display->row_stride; @@ -2219,7 +2229,7 @@ png_image_write_main(png_voidp argument) static void (PNGCBAPI -image_memory_write)(png_structp png_ptr, png_bytep/*const*/ data, size_t size) +image_memory_write)(png_structp png_ptr, png_bytep data, size_t size) { png_image_write_control *display = png_voidcast(png_image_write_control*, png_ptr->io_ptr/*backdoor: png_get_io_ptr(png_ptr)*/); Index: pngwutil.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/pngwutil.c,v diff -u -p -u -r1.2 pngwutil.c --- pngwutil.c 14 Jan 2026 06:38:29 -0000 1.2 +++ pngwutil.c 26 Mar 2026 07:09:49 -0000 @@ -1,6 +1,6 @@ /* pngwutil.c - utilities to write a PNG file * - * Copyright (c) 2018-2025 Cosmin Truta + * Copyright (c) 2018-2026 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -898,7 +898,6 @@ png_write_PLTE(png_structrp png_ptr, png png_debug1(3, "num_palette = %d", png_ptr->num_palette); png_write_chunk_header(png_ptr, png_PLTE, (png_uint_32)(num_pal * 3)); -#ifdef PNG_POINTER_INDEXING_SUPPORTED for (i = 0, pal_ptr = palette; i < num_pal; i++, pal_ptr++) { @@ -908,21 +907,6 @@ png_write_PLTE(png_structrp png_ptr, png png_write_chunk_data(png_ptr, buf, 3); } -#else - /* This is a little slower but some buggy compilers need to do this - * instead - */ - pal_ptr=palette; - - for (i = 0; i < num_pal; i++) - { - buf[0] = pal_ptr[i].red; - buf[1] = pal_ptr[i].green; - buf[2] = pal_ptr[i].blue; - png_write_chunk_data(png_ptr, buf, 3); - } - -#endif png_write_chunk_end(png_ptr); png_ptr->mode |= PNG_HAVE_PLTE; } @@ -1201,9 +1185,6 @@ png_write_sPLT(png_structrp png_ptr, png size_t entry_size = (spalette->depth == 8 ? 6 : 10); size_t palette_size = entry_size * (size_t)spalette->nentries; png_sPLT_entryp ep; -#ifndef PNG_POINTER_INDEXING_SUPPORTED - int i; -#endif png_debug(1, "in png_write_sPLT"); @@ -1221,7 +1202,6 @@ png_write_sPLT(png_structrp png_ptr, png png_write_chunk_data(png_ptr, &spalette->depth, 1); /* Loop through each palette entry, writing appropriately */ -#ifdef PNG_POINTER_INDEXING_SUPPORTED for (ep = spalette->entries; epentries + spalette->nentries; ep++) { if (spalette->depth == 8) @@ -1244,31 +1224,6 @@ png_write_sPLT(png_structrp png_ptr, png png_write_chunk_data(png_ptr, entrybuf, entry_size); } -#else - ep=spalette->entries; - for (i = 0; i>spalette->nentries; i++) - { - if (spalette->depth == 8) - { - entrybuf[0] = (png_byte)ep[i].red; - entrybuf[1] = (png_byte)ep[i].green; - entrybuf[2] = (png_byte)ep[i].blue; - entrybuf[3] = (png_byte)ep[i].alpha; - png_save_uint_16(entrybuf + 4, ep[i].frequency); - } - - else - { - png_save_uint_16(entrybuf + 0, ep[i].red); - png_save_uint_16(entrybuf + 2, ep[i].green); - png_save_uint_16(entrybuf + 4, ep[i].blue); - png_save_uint_16(entrybuf + 6, ep[i].alpha); - png_save_uint_16(entrybuf + 8, ep[i].frequency); - } - - png_write_chunk_data(png_ptr, entrybuf, entry_size); - } -#endif png_write_chunk_end(png_ptr); } @@ -1738,7 +1693,7 @@ png_write_iTXt(png_structrp png_ptr, int } new_key[++key_len] = PNG_COMPRESSION_TYPE_BASE; - ++key_len; /* for the keywod separator */ + ++key_len; /* for the keyword separator */ /* We leave it to the application to meet PNG-1.0 requirements on the * contents of the text. PNG-1.0 through PNG-1.2 discourage the use of Index: arm/palette_neon_intrinsics.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/arm/palette_neon_intrinsics.c,v diff -u -p -u -r1.1.1.1 palette_neon_intrinsics.c --- arm/palette_neon_intrinsics.c 17 Sep 2025 14:44:40 -0000 1.1.1.1 +++ arm/palette_neon_intrinsics.c 26 Mar 2026 07:09:49 -0000 @@ -1,6 +1,6 @@ /* palette_neon_intrinsics.c - NEON optimised palette expansion functions * - * Copyright (c) 2018-2019 Cosmin Truta + * Copyright (c) 2018-2026 Cosmin Truta * Copyright (c) 2017-2018 Arm Holdings. All rights reserved. * Written by Richard Townsend , February 2017. * @@ -48,12 +48,12 @@ png_riffle_palette_neon(png_structrp png w.val[0] = v.val[0]; w.val[1] = v.val[1]; w.val[2] = v.val[2]; - vst4q_u8(riffled_palette + (i << 2), w); + vst4q_u8(riffled_palette + i * 4, w); } /* Fix up the missing transparency values. */ for (i = 0; i < num_trans; i++) - riffled_palette[(i << 2) + 3] = trans_alpha[i]; + riffled_palette[i * 4 + 3] = trans_alpha[i]; } /* Expands a palettized row into RGBA8. */ @@ -77,27 +77,26 @@ png_do_expand_palette_rgba8_neon(png_str * The NEON part writes forward from a given position, so we have * to seek this back by 4 pixels x 4 bytes. */ - *ddp = *ddp - ((pixels_per_chunk * sizeof(png_uint_32)) - 1); + *ddp = *ddp - (pixels_per_chunk * 4 - 1); - for (i = 0; i < row_width; i += pixels_per_chunk) + for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk) { uint32x4_t cur; - png_bytep sp = *ssp - i, dp = *ddp - (i << 2); + png_bytep sp = *ssp - i, dp = *ddp - i * 4; cur = vld1q_dup_u32 (riffled_palette + *(sp - 3)); cur = vld1q_lane_u32(riffled_palette + *(sp - 2), cur, 1); cur = vld1q_lane_u32(riffled_palette + *(sp - 1), cur, 2); cur = vld1q_lane_u32(riffled_palette + *(sp - 0), cur, 3); vst1q_u32((void *)dp, cur); } - if (i != row_width) - { - /* Remove the amount that wasn't processed. */ - i -= pixels_per_chunk; - } - /* Decrement output pointers. */ + /* Undo the pre-adjustment of *ddp before the pointer handoff, + * so the scalar fallback in pngrtran.c receives a dp that points + * to the correct position. + */ + *ddp = *ddp + (pixels_per_chunk * 4 - 1); *ssp = *ssp - i; - *ddp = *ddp - (i << 2); + *ddp = *ddp - i * 4; return i; } @@ -118,32 +117,30 @@ png_do_expand_palette_rgb8_neon(png_stru return 0; /* Seeking this back by 8 pixels x 3 bytes. */ - *ddp = *ddp - ((pixels_per_chunk * sizeof(png_color)) - 1); + *ddp = *ddp - (pixels_per_chunk * 3 - 1); - for (i = 0; i < row_width; i += pixels_per_chunk) + for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk) { uint8x8x3_t cur; - png_bytep sp = *ssp - i, dp = *ddp - ((i << 1) + i); - cur = vld3_dup_u8(palette + sizeof(png_color) * (*(sp - 7))); - cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 6)), cur, 1); - cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 5)), cur, 2); - cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 4)), cur, 3); - cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 3)), cur, 4); - cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 2)), cur, 5); - cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 1)), cur, 6); - cur = vld3_lane_u8(palette + sizeof(png_color) * (*(sp - 0)), cur, 7); + png_bytep sp = *ssp - i, dp = *ddp - i * 3; + cur = vld3_dup_u8(palette + *(sp - 7) * 3); + cur = vld3_lane_u8(palette + *(sp - 6) * 3, cur, 1); + cur = vld3_lane_u8(palette + *(sp - 5) * 3, cur, 2); + cur = vld3_lane_u8(palette + *(sp - 4) * 3, cur, 3); + cur = vld3_lane_u8(palette + *(sp - 3) * 3, cur, 4); + cur = vld3_lane_u8(palette + *(sp - 2) * 3, cur, 5); + cur = vld3_lane_u8(palette + *(sp - 1) * 3, cur, 6); + cur = vld3_lane_u8(palette + *(sp - 0) * 3, cur, 7); vst3_u8((void *)dp, cur); } - if (i != row_width) - { - /* Remove the amount that wasn't processed. */ - i -= pixels_per_chunk; - } - - /* Decrement output pointers. */ + /* Undo the pre-adjustment of *ddp before the pointer handoff, + * so the scalar fallback in pngrtran.c receives a dp that points + * to the correct position. + */ + *ddp = *ddp + (pixels_per_chunk * 3 - 1); *ssp = *ssp - i; - *ddp = *ddp - ((i << 1) + i); + *ddp = *ddp - i * 3; return i; } Index: contrib/libtests/pngstest.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/contrib/libtests/pngstest.c,v diff -u -p -u -r1.3 pngstest.c --- contrib/libtests/pngstest.c 14 Jan 2026 06:38:29 -0000 1.3 +++ contrib/libtests/pngstest.c 26 Mar 2026 07:09:49 -0000 @@ -323,18 +323,19 @@ compare_16bit(int v1, int v2, int error_ } #endif /* unused */ -#define USE_FILE 1 /* else memory */ -#define USE_STDIO 2 /* else use file name */ -#define STRICT 4 /* fail on warnings too */ +#define USE_FILE 1 /* else memory */ +#define USE_STDIO 2 /* else use file name */ +#define STRICT 4 /* fail on warnings too */ #define VERBOSE 8 -#define KEEP_TMPFILES 16 /* else delete temporary files */ +#define KEEP_TMPFILES 16 /* else delete temporary files */ #define KEEP_GOING 32 #define ACCUMULATE 64 #define FAST_WRITE 128 #define sRGB_16BIT 256 -#define NO_RESEED 512 /* do not reseed on each new file */ -#define GBG_ERROR 1024 /* do not ignore the gamma+background_rgb_to_gray - * libpng warning. */ +#define NO_RESEED 512 /* do not reseed on each new file */ +#define GBG_ERROR 1024 /* do not ignore the gamma+background_rgb_to_gray + * warning. */ +#define NEGATIVE_STRIDE 2048 /* negate row stride for bottom-up layout */ static void print_opts(png_uint_32 opts) @@ -363,6 +364,8 @@ print_opts(png_uint_32 opts) if (opts & GBG_ERROR) printf(" --fault-gbg-warning"); #endif + if (opts & NEGATIVE_STRIDE) + printf(" --negative-stride"); } #define FORMAT_NO_CHANGE 0x80000000 /* additional flag */ @@ -2664,7 +2667,7 @@ compare_two_images(Image *a, Image *b, i * of the loop until the end; this validates the color-mapped data to * ensure all pixels are valid color-map indexes. */ - for (y=0, match=1; y amax) amax = aval; } + + /* Increment with care! + * With negative strides, an unguarded final increment would produce + * a pointer before the allocated object, which is undefined behavior. + * Standard C allows one-after-end pointers, not one-before-beginning + * pointers, and this restriction stands regardless of whether the + * pointers are dereferenced or not. + */ + if (y+1 < height) + { + ppa += stridea; + ppb += strideb; + } } /* If the buffers match then the colormaps must too. */ @@ -2792,7 +2808,7 @@ compare_two_images(Image *a, Image *b, i * If an alpha channel has been *added* then it must have the relevant opaque * value (255 or 65535). * - * The fist two the tests (in the order given above) (using the boolean + * The first two tests (in the order given above) (using the boolean * equivalence !a && !b == !(a || b)) */ if (!(((formata ^ formatb) & PNG_FORMAT_FLAG_LINEAR) | @@ -2859,7 +2875,7 @@ compare_two_images(Image *a, Image *b, i btoa[3] = btoa[2] = btoa[1] = btoa[0] = 4; /* 4 == not present */ } - for (y=0; yopts & KEEP_GOING) == 0) return 0; /* error case */ } + + /* Increment with care! + * (See the previous comment about preventing negative strides from + * causing undefined behavior.) + */ + if (y+1 < height) + { + rowa += stridea; + rowb += strideb; + } } /* If requested, copy the error values back from the Transform. */ @@ -3042,6 +3068,9 @@ read_file(Image *image, png_uint_32 form image->stride = PNG_IMAGE_ROW_STRIDE(image->image) + image->stride_extra; allocbuffer(image); + if (image->opts & NEGATIVE_STRIDE) + image->stride = -image->stride; + result = png_image_finish_read(&image->image, background, image->buffer+16, (png_int_32)image->stride, image->colormap); @@ -3579,6 +3608,8 @@ main(int argc, char **argv) opts |= NO_RESEED; else if (strcmp(arg, "--fault-gbg-warning") == 0) opts |= GBG_ERROR; + else if (strcmp(arg, "--negative-stride") == 0) + opts |= NEGATIVE_STRIDE; else if (strcmp(arg, "--stride-extra") == 0) { if (c+1 < argc) Index: contrib/libtests/pngunknown.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/contrib/libtests/pngunknown.c,v diff -u -p -u -r1.2 pngunknown.c --- contrib/libtests/pngunknown.c 24 Nov 2025 21:24:23 -0000 1.2 +++ contrib/libtests/pngunknown.c 26 Mar 2026 07:09:49 -0000 @@ -379,7 +379,8 @@ typedef struct { jmp_buf error_return; png_structp png_ptr; - png_infop info_ptr, end_ptr; + png_infop info_ptr; + png_infop end_ptr; png_uint_32 before_IDAT; png_uint_32 after_IDAT; int error_count; Index: contrib/libtests/pngvalid.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/contrib/libtests/pngvalid.c,v diff -u -p -u -r1.3 pngvalid.c --- contrib/libtests/pngvalid.c 14 Jan 2026 06:38:29 -0000 1.3 +++ contrib/libtests/pngvalid.c 26 Mar 2026 07:10:20 -0000 @@ -3928,7 +3928,7 @@ transform_row(png_const_structp pp, png_ #elif PNG_LIBPNG_VER != 10700 # define set_write_interlace_handling(pp,type) (1) static void -check_interlace_type(int const interlace_type) +check_interlace_type(int interlace_type) { /* Prior to 1.7.0 libpng does not support the write of an interlaced image * unless PNG_WRITE_INTERLACING_SUPPORTED, even with do_interlace so the @@ -4045,9 +4045,8 @@ choose_random_filter(png_structp pp, int #endif /* !WRITE_FILTER */ static void -make_transform_image(png_store* const ps, png_byte const colour_type, - png_byte const bit_depth, unsigned int palette_number, - int interlace_type, png_const_charp name) +make_transform_image(png_store* ps, png_byte colour_type, png_byte bit_depth, + unsigned int palette_number, int interlace_type, png_const_charp name) { context(ps, fault); @@ -4264,10 +4263,8 @@ size_row(png_byte buffer[SIZE_ROWMAX], p } static void -make_size_image(png_store* const ps, png_byte const colour_type, - png_byte const bit_depth, int const interlace_type, - png_uint_32 const w, png_uint_32 const h, - int const do_interlace) +make_size_image(png_store* ps, png_byte colour_type, png_byte bit_depth, + int interlace_type, png_uint_32 w, png_uint_32 h, int do_interlace) { context(ps, fault); @@ -4461,8 +4458,7 @@ make_size_image(png_store* const ps, png } static void -make_size(png_store* const ps, png_byte const colour_type, int bdlo, - int const bdhi) +make_size(png_store* ps, png_byte colour_type, int bdlo, int bdhi) { for (; bdlo <= bdhi; ++bdlo) { @@ -4579,8 +4575,8 @@ static const struct }; static void -make_error(png_store* const ps, png_byte const colour_type, - png_byte bit_depth, int interlace_type, int test, png_const_charp name) +make_error(png_store* ps, png_byte colour_type, png_byte bit_depth, + int interlace_type, int test, png_const_charp name) { context(ps, fault); @@ -4718,8 +4714,7 @@ make_error(png_store* const ps, png_byte } static int -make_errors(png_modifier* const pm, png_byte const colour_type, - int bdlo, int const bdhi) +make_errors(png_modifier* pm, png_byte colour_type, int bdlo, int bdhi) { for (; bdlo <= bdhi; ++bdlo) { @@ -5665,7 +5660,7 @@ standard_end(png_structp ppIn, png_infop /* A single test run checking the standard image to ensure it is not damaged. */ static void -standard_test(png_store* const psIn, png_uint_32 const id, +standard_test(png_store* psIn, png_uint_32 id, int do_interlace, int use_update_info) { standard_display d; @@ -5753,8 +5748,7 @@ standard_test(png_store* const psIn, png } static int -test_standard(png_modifier* const pm, png_byte const colour_type, - int bdlo, int const bdhi) +test_standard(png_modifier* pm, png_byte colour_type, int bdlo, int bdhi) { for (; bdlo <= bdhi; ++bdlo) { @@ -5800,8 +5794,7 @@ perform_standard_test(png_modifier *pm) /********************************** SIZE TESTS ********************************/ static int -test_size(png_modifier* const pm, png_byte const colour_type, - int bdlo, int const bdhi) +test_size(png_modifier* pm, png_byte colour_type, int bdlo, int bdhi) { /* Run the tests on each combination. * @@ -6191,7 +6184,7 @@ image_pixel_add_alpha(image_pixel *this, this->have_tRNS = 0; /* Check the input, original, channel value here against the - * original tRNS gray chunk valie. + * original tRNS gray chunk value. */ if (this->red == display->transparent.red) this->alphaf = 0; @@ -6771,7 +6764,7 @@ transform_image_validate(transform_displ for (y=0; ythis, fault); @@ -7526,7 +7519,7 @@ static struct double green_coefficient; double blue_coefficient; - /* Set if the coeefficients have been overridden. */ + /* Set if the coefficients have been overridden. */ int coefficients_overridden; } data; @@ -9000,7 +8993,7 @@ image_transform_test_counter(png_uint_32 /* For max 0 or 1 continue until the counter overflows: */ counter >>= 1; - /* Continue if any entry hasn't reacked the max. */ + /* Continue if any entry hasn't reached the max. */ if (max > 1 && next->local_use < max) return 1; next = next->list; @@ -9686,7 +9679,7 @@ gamma_component_validate(const char *nam * od: encoded result from libpng */ - /* Now we have the numbers for real errors, both absolute values as as a + /* Now we have the numbers for real errors, both absolute values as a * percentage of the correct value (output): */ error = fabs(input_sample-output); @@ -11660,7 +11653,7 @@ main(int argc, char **argv) # endif /* The following allows results to pass if they correspond to anything in the - * transformed range [input-.5,input+.5]; this is is required because of the + * transformed range [input-.5,input+.5]; this is required because of the * way libpng treats the 16_TO_8 flag when building the gamma tables in * releases up to 1.6.0. * Index: contrib/oss-fuzz/build.sh =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/contrib/oss-fuzz/build.sh,v diff -u -p -u -r1.3 build.sh --- contrib/oss-fuzz/build.sh 10 Feb 2026 17:06:07 -0000 1.3 +++ contrib/oss-fuzz/build.sh 26 Mar 2026 07:09:49 -0000 @@ -22,15 +22,15 @@ # 3. Build zlib alongside libpng ################################################################################ -# Disable logging via library build configuration control. +# Disable logging via pnglibconf. cat scripts/pnglibconf.dfa | \ - sed -e "s/option STDIO/option STDIO disabled/" \ - -e "s/option WARNING /option WARNING disabled/" \ - -e "s/option WRITE enables WRITE_INT_FUNCTIONS/option WRITE disabled/" \ -> scripts/pnglibconf.dfa.temp + sed -e "s/option STDIO/option STDIO disabled/" \ + -e "s/option WARNING /option WARNING disabled/" \ + -e "s/option WRITE enables WRITE_INT_FUNCTIONS/option WRITE disabled/" \ + > scripts/pnglibconf.dfa.temp mv scripts/pnglibconf.dfa.temp scripts/pnglibconf.dfa -# build the libpng library. +# Build the libpng library. autoreconf -f -i ./configure --with-libpng-prefix=OSS_FUZZ_ make -j$(nproc) clean @@ -41,35 +41,38 @@ for f in libpng_read_fuzzer \ libpng_readapi_fuzzer \ libpng_transformations_fuzzer; do -# build libpng_read_fuzzer. -$CXX $CXXFLAGS -std=c++11 -I. \ - $SRC/libpng/contrib/oss-fuzz/${f}.cc \ - -o $OUT/${f} \ - -lFuzzingEngine .libs/libpng16.a -lz - -# only libfuzzer can run the nalloc targets -if test "x$FUZZING_ENGINE" == 'xlibfuzzer' -then - -# wrapper script to duplicate target, run with env var NALLOC_FREQ=32 -# having a separate target with allocations failures -cat << EOF > $OUT/${f}_nalloc -#!/bin/sh + # Build the fuzzer. + $CXX $CXXFLAGS -std=c++11 -I. \ + $SRC/libpng/contrib/oss-fuzz/${f}.cc \ + -o $OUT/${f} \ + -lFuzzingEngine .libs/libpng16.a -lz + + # Only libfuzzer can run the nalloc targets. + if test "x$FUZZING_ENGINE" == 'xlibfuzzer' + then + + if grep -q "nalloc_init" $SRC/libpng/contrib/oss-fuzz/${f}.cc + then + # Generate a wrapper that runs the fuzzer with NALLOC_FREQ=32 + # (allocation failures enabled). + cat << EOF > $OUT/${f}@nalloc +#!/bin/bash # LLVMFuzzerTestOneInput for fuzzer detection. this_dir=\$(dirname "\$0") NALLOC_FREQ=32 \$this_dir/${f} \$@ EOF -chmod +x $OUT/${f}_nalloc + chmod +x $OUT/${f}@nalloc + fi -# add seed corpus. -find $SRC/libpng -name "*.png" | \ - xargs zip $OUT/${f}_seed_corpus.zip + # Add seed corpus. + find $SRC/libpng -name "*.png" | \ + xargs zip $OUT/${f}_seed_corpus.zip -cp $SRC/libpng/contrib/oss-fuzz/png.dict $OUT/${f}.dict + fi + cp $SRC/libpng/contrib/oss-fuzz/png.dict $OUT/${f}.dict done cp $SRC/libpng/contrib/oss-fuzz/*.dict \ - $SRC/libpng/contrib/oss-fuzz/*.options $OUT/ + $SRC/libpng/contrib/oss-fuzz/*.options $OUT/ -fi # end Index: contrib/oss-fuzz/libpng_readapi_fuzzer.cc =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/contrib/oss-fuzz/libpng_readapi_fuzzer.cc,v diff -u -p -u -r1.1 libpng_readapi_fuzzer.cc --- contrib/oss-fuzz/libpng_readapi_fuzzer.cc 14 Jan 2026 06:38:29 -0000 1.1 +++ contrib/oss-fuzz/libpng_readapi_fuzzer.cc 26 Mar 2026 07:09:49 -0000 @@ -40,13 +40,10 @@ static void test_png_read_png_api(const struct png_mem_buffer buffer = {data, size, 0}; png_set_read_fn(png_ptr, &buffer, png_read_from_buffer); - /* Set up transformations before reading */ - png_set_scale_16(png_ptr); - png_set_packing(png_ptr); - png_set_expand(png_ptr); - - /* Use png_read_png which should trigger OSS_FUZZ_png_read_png path */ - png_read_png(png_ptr, info_ptr, PNG_TRANSFORM_IDENTITY, NULL); + /* Use png_read_png with transform flags */ + png_read_png(png_ptr, info_ptr, + PNG_TRANSFORM_SCALE_16 | PNG_TRANSFORM_PACKING | PNG_TRANSFORM_EXPAND, + NULL); png_destroy_read_struct(&png_ptr, &info_ptr, NULL); } Index: contrib/oss-fuzz/libpng_transformations_fuzzer.cc =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/contrib/oss-fuzz/libpng_transformations_fuzzer.cc,v diff -u -p -u -r1.1 libpng_transformations_fuzzer.cc --- contrib/oss-fuzz/libpng_transformations_fuzzer.cc 14 Jan 2026 06:38:29 -0000 1.1 +++ contrib/oss-fuzz/libpng_transformations_fuzzer.cc 26 Mar 2026 07:09:49 -0000 @@ -32,7 +32,15 @@ static void test_png_transformations(con return; } + /* Declare heap pointers before setjmp so they can be freed on longjmp. + Must be volatile per C standard §7.13.2.1: non-volatile locals modified + between setjmp and longjmp have indeterminate values after longjmp. */ + volatile png_bytep row = NULL; + volatile png_colorp palette = NULL; + if (setjmp(png_jmpbuf(png_ptr))) { + free((void*)row); + free((void*)palette); png_destroy_read_struct(&png_ptr, &info_ptr, NULL); return; } @@ -60,14 +68,15 @@ static void test_png_transformations(con /* Target 2: Color quantization (triggers png_do_quantize) */ if (color_type == PNG_COLOR_TYPE_RGB || color_type == PNG_COLOR_TYPE_RGB_ALPHA) { - png_colorp palette = (png_colorp)malloc(256 * sizeof(png_color)); + palette = (png_colorp)malloc(256 * sizeof(png_color)); if (palette) { int i; for (i = 0; i < 256; i++) { palette[i].red = palette[i].green = palette[i].blue = (png_byte)i; } png_set_quantize(png_ptr, palette, 256, 256, NULL, 0); - free(palette); + free((void*)palette); + palette = NULL; } } @@ -90,108 +99,15 @@ static void test_png_transformations(con /* Read image data to execute transformations */ size_t rowbytes = png_get_rowbytes(png_ptr, info_ptr); - png_bytep row = (png_bytep)malloc(rowbytes); + row = (png_bytep)malloc(rowbytes); if (row) { int y; for (y = 0; y < height && y < 100; y++) { /* Limit rows for performance */ png_read_row(png_ptr, row, NULL); } - free(row); - } - - png_destroy_read_struct(&png_ptr, &info_ptr, NULL); -} - -/* Test png_image API and colormap functions */ -static void test_png_image_colormap(const uint8_t *data, size_t size) { - png_image image; - memset(&image, 0, sizeof(image)); - image.version = PNG_IMAGE_VERSION; - - if (!png_image_begin_read_from_memory(&image, data, size)) { - return; - } - - /* Limit image size for performance */ - if (image.width > 1024 || image.height > 1024) { - png_image_free(&image); - return; - } - - /* Test different colormap formats to trigger uncovered functions */ - png_uint_32 formats[] = { - PNG_FORMAT_GRAY, - PNG_FORMAT_GA, - PNG_FORMAT_RGB, - PNG_FORMAT_RGBA, - PNG_FORMAT_RGB_COLORMAP, - PNG_FORMAT_RGBA_COLORMAP - }; - - int i; - for (i = 0; i < 6; i++) { - image.format = formats[i]; - - size_t buffer_size = PNG_IMAGE_SIZE(image); - if (buffer_size > 0 && buffer_size < 5*1024*1024) { /* Limit to 5MB */ - void *img_buffer = malloc(buffer_size); - if (img_buffer) { - if (image.format & PNG_FORMAT_FLAG_COLORMAP) { - png_bytep colormap = (png_bytep)malloc(PNG_IMAGE_COLORMAP_SIZE(image)); - if (colormap) { - /* This triggers png_image_finish_read and colormap generation */ - png_image_finish_read(&image, NULL, img_buffer, 0, colormap); - free(colormap); - } - } else { - png_image_finish_read(&image, NULL, img_buffer, 0, NULL); - } - free(img_buffer); - } - } - - /* Reset for next format */ - if (i < 5) { - png_image_free(&image); - memset(&image, 0, sizeof(image)); - image.version = PNG_IMAGE_VERSION; - if (!png_image_begin_read_from_memory(&image, data, size)) { - break; - } - } } - png_image_free(&image); -} - - -/* Test png_read_png API */ -static void test_png_read_png_api(const uint8_t *data, size_t size) { - png_structp png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL); - if (!png_ptr) return; - - png_infop info_ptr = png_create_info_struct(png_ptr); - if (!info_ptr) { - png_destroy_read_struct(&png_ptr, NULL, NULL); - return; - } - - if (setjmp(png_jmpbuf(png_ptr))) { - png_destroy_read_struct(&png_ptr, &info_ptr, NULL); - return; - } - - struct png_mem_buffer buffer = {data, size, 0}; - png_set_read_fn(png_ptr, &buffer, png_read_from_buffer); - - /* Set up transformations before reading */ - png_set_scale_16(png_ptr); - png_set_packing(png_ptr); - png_set_expand(png_ptr); - - /* Use png_read_png which should trigger OSS_FUZZ_png_read_png path */ - png_read_png(png_ptr, info_ptr, PNG_TRANSFORM_IDENTITY, NULL); - + free((void*)row); png_destroy_read_struct(&png_ptr, &info_ptr, NULL); } @@ -200,12 +116,6 @@ extern "C" int LLVMFuzzerTestOneInput(co /* Test 1: Standard PNG reading with transformations */ test_png_transformations(data, size); - - /* Test 2: PNG image API with colormap processing */ - test_png_image_colormap(data, size); - - /* Test 3: png_read_png API */ - test_png_read_png_api(data, size); return 0; } Index: contrib/pngminus/README.txt =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/contrib/pngminus/README.txt,v diff -u -p -u -r1.1.1.1 README.txt --- contrib/pngminus/README.txt 17 Sep 2025 14:44:42 -0000 1.1.1.1 +++ contrib/pngminus/README.txt 26 Mar 2026 07:09:49 -0000 @@ -53,7 +53,7 @@ program are some elementary routines to It does not handle B&W pbm-files, but instead you could do pgm with bit- depth 1. -The downside of this approach is that you can not use them on images +The downside of this approach is that you cannot use them on images that require blocks of memory bigger than 64k (the DOS version). For larger images you will get an out-of-memory error. Index: contrib/tools/pngfix.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/contrib/tools/pngfix.c,v diff -u -p -u -r1.2 pngfix.c --- contrib/tools/pngfix.c 14 Jan 2026 06:38:30 -0000 1.2 +++ contrib/tools/pngfix.c 26 Mar 2026 07:09:49 -0000 @@ -1568,7 +1568,7 @@ chunk_end(struct chunk **chunk_var) } static void -chunk_init(struct chunk * const chunk, struct file * const file) +chunk_init(struct chunk *chunk, struct file *file) /* When a chunk is initialized the file length/type/pos are copied into the * corresponding chunk fields and the new chunk is registered in the file * structure. There can only be one chunk at a time. @@ -1777,7 +1777,7 @@ IDAT_end(struct IDAT **idat_var) } static void -IDAT_init(struct IDAT * const idat, struct file * const file) +IDAT_init(struct IDAT *idat, struct file *file) /* When the chunk is png_IDAT instantiate an IDAT control structure in place * of a chunk control structure. The IDAT will instantiate a chunk control * structure using the file alloc routine. Index: contrib/visupng/VisualPng.c =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/contrib/visupng/VisualPng.c,v diff -u -p -u -r1.1.1.1 VisualPng.c --- contrib/visupng/VisualPng.c 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ contrib/visupng/VisualPng.c 26 Mar 2026 07:09:49 -0000 @@ -832,7 +832,7 @@ BOOL FillBitmap ( cxNewSize = cxWinSize - 2 * MARGIN; cyNewSize = cyWinSize - 2 * MARGIN; - /* stretch the image to it's window determined size */ + /* stretch the image to its window determined size */ /* the following two are mathematically the same, but the first * has side-effects because of rounding Index: scripts/libpng-config-head.in =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/scripts/libpng-config-head.in,v diff -u -p -u -r1.5 libpng-config-head.in --- scripts/libpng-config-head.in 10 Feb 2026 17:06:07 -0000 1.5 +++ scripts/libpng-config-head.in 26 Mar 2026 07:09:49 -0000 @@ -11,7 +11,7 @@ # Modeled after libxml-config. -version=1.6.55 +version=1.6.56 prefix="" libdir="" libs="" Index: scripts/libpng.pc.in =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/scripts/libpng.pc.in,v diff -u -p -u -r1.5 libpng.pc.in --- scripts/libpng.pc.in 10 Feb 2026 17:06:07 -0000 1.5 +++ scripts/libpng.pc.in 26 Mar 2026 07:09:49 -0000 @@ -5,6 +5,6 @@ includedir=@includedir@/libpng16 Name: libpng Description: Loads and saves PNG files -Version: 1.6.55 +Version: 1.6.56 Libs: -L${libdir} -lpng16 Cflags: -I${includedir} Index: scripts/pnglibconf.dfa =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/scripts/pnglibconf.dfa,v diff -u -p -u -r1.2 pnglibconf.dfa --- scripts/pnglibconf.dfa 14 Jan 2026 06:38:30 -0000 1.2 +++ scripts/pnglibconf.dfa 26 Mar 2026 07:09:49 -0000 @@ -763,8 +763,10 @@ setting sRGB_PROFILE_CHECKS default 2 option ALIGNED_MEMORY -# Buggy compilers (e.g., gcc 2.7.2.2) need PNG_NO_POINTER_INDEXING -# See png[wr]util.c, normally this should always be *on* +# The option to control pointer indexing has been deprecated in +# libpng 1.6.56 and removed from libpng 1.8. +# It used to control a workaround for old and buggy compilers such +# as gcc 2.7.2.2, but the workaround, itself, was untested and buggy. option POINTER_INDEXING Index: scripts/pnglibconf.h.prebuilt =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/scripts/pnglibconf.h.prebuilt,v diff -u -p -u -r1.5 pnglibconf.h.prebuilt --- scripts/pnglibconf.h.prebuilt 10 Feb 2026 17:06:07 -0000 1.5 +++ scripts/pnglibconf.h.prebuilt 26 Mar 2026 07:09:49 -0000 @@ -1,6 +1,6 @@ /* pnglibconf.h - library build configuration */ -/* libpng version 1.6.55 */ +/* libpng version 1.6.56 */ /* Copyright (c) 2018-2026 Cosmin Truta */ /* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson */ Index: tests/pngimage-full =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngimage-full,v diff -u -p -u -r1.1.1.1 pngimage-full --- tests/pngimage-full 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngimage-full 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,5 @@ #!/bin/sh + +# pngimage-full test: +# Exhaustive read validation against the pngsuite corpus. exec ./pngimage --exhaustive --list-combos --log "${srcdir}/contrib/pngsuite/"*.png Index: tests/pngimage-quick =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngimage-quick,v diff -u -p -u -r1.1.1.1 pngimage-quick --- tests/pngimage-quick 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngimage-quick 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,5 @@ #!/bin/sh + +# pngimage-quick test: +# Quick read validation against the pngsuite corpus. exec ./pngimage --list-combos --log "${srcdir}/contrib/pngsuite/"*.png Index: tests/pngstest =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngstest,v diff -u -p -u -r1.1.1.1 pngstest --- tests/pngstest 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngstest 26 Mar 2026 07:09:49 -0000 @@ -1,5 +1,5 @@ #!/bin/sh -# + # Usage: # # tests/pngstest gamma alpha Index: tests/pngstest-1.8 =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngstest-1.8,v diff -u -p -u -r1.1.1.1 pngstest-1.8 --- tests/pngstest-1.8 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngstest-1.8 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec "${srcdir}/tests/pngstest" 1.8 none Index: tests/pngstest-1.8-alpha =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngstest-1.8-alpha,v diff -u -p -u -r1.1.1.1 pngstest-1.8-alpha --- tests/pngstest-1.8-alpha 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngstest-1.8-alpha 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec "${srcdir}/tests/pngstest" 1.8 alpha Index: tests/pngstest-large-stride =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngstest-large-stride,v diff -u -p -u -r1.1 pngstest-large-stride --- tests/pngstest-large-stride 14 Jan 2026 06:38:30 -0000 1.1 +++ tests/pngstest-large-stride 26 Mar 2026 07:09:49 -0000 @@ -1,6 +1,6 @@ #!/bin/sh -# Regression test: +# Large-stride test: # Use stride_extra > 32767 to trigger row_bytes > 65535 for linear images. exec ./pngstest \ --stride-extra 33000 \ Index: tests/pngstest-linear =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngstest-linear,v diff -u -p -u -r1.1.1.1 pngstest-linear --- tests/pngstest-linear 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngstest-linear 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec "${srcdir}/tests/pngstest" linear none Index: tests/pngstest-linear-alpha =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngstest-linear-alpha,v diff -u -p -u -r1.1.1.1 pngstest-linear-alpha --- tests/pngstest-linear-alpha 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngstest-linear-alpha 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec "${srcdir}/tests/pngstest" linear alpha Index: tests/pngstest-negative-stride =================================================================== RCS file: tests/pngstest-negative-stride diff -N tests/pngstest-negative-stride --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ tests/pngstest-negative-stride 26 Mar 2026 07:09:49 -0000 @@ -0,0 +1,18 @@ +#!/bin/sh + +# Negative-stride test: +# Bottom-up layout through all read/write paths. +exec ./pngstest \ + --negative-stride \ + --tmpfile "negative-stride-" \ + --log \ + "${srcdir}/contrib/testpngs/gray-1.png" \ + "${srcdir}/contrib/testpngs/gray-16-linear.png" \ + "${srcdir}/contrib/testpngs/rgb-8-linear.png" \ + "${srcdir}/contrib/testpngs/rgb-16-linear.png" \ + "${srcdir}/contrib/testpngs/palette-8-tRNS.png" \ + "${srcdir}/contrib/testpngs/gray-alpha-8-linear.png" \ + "${srcdir}/contrib/testpngs/gray-alpha-16-linear.png" \ + "${srcdir}/contrib/testpngs/rgb-alpha-8-1.8.png" \ + "${srcdir}/contrib/testpngs/rgb-alpha-8-sRGB.png" \ + "${srcdir}/contrib/testpngs/rgb-alpha-16-linear.png" Index: tests/pngstest-negative-stride-extra =================================================================== RCS file: tests/pngstest-negative-stride-extra diff -N tests/pngstest-negative-stride-extra --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ tests/pngstest-negative-stride-extra 26 Mar 2026 07:09:49 -0000 @@ -0,0 +1,19 @@ +#!/bin/sh + +# Negative-stride-extra test: +# Bottom-up layout with non-aligned padding. +exec ./pngstest \ + --negative-stride \ + --stride-extra 7 \ + --tmpfile "negative-stride-extra-" \ + --log \ + "${srcdir}/contrib/testpngs/gray-1.png" \ + "${srcdir}/contrib/testpngs/gray-16-linear.png" \ + "${srcdir}/contrib/testpngs/rgb-8-linear.png" \ + "${srcdir}/contrib/testpngs/rgb-16-linear.png" \ + "${srcdir}/contrib/testpngs/palette-8-tRNS.png" \ + "${srcdir}/contrib/testpngs/gray-alpha-8-linear.png" \ + "${srcdir}/contrib/testpngs/gray-alpha-16-linear.png" \ + "${srcdir}/contrib/testpngs/rgb-alpha-8-1.8.png" \ + "${srcdir}/contrib/testpngs/rgb-alpha-8-sRGB.png" \ + "${srcdir}/contrib/testpngs/rgb-alpha-16-linear.png" Index: tests/pngstest-none =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngstest-none,v diff -u -p -u -r1.1.1.1 pngstest-none --- tests/pngstest-none 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngstest-none 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec "${srcdir}/tests/pngstest" none none Index: tests/pngstest-none-alpha =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngstest-none-alpha,v diff -u -p -u -r1.1.1.1 pngstest-none-alpha --- tests/pngstest-none-alpha 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngstest-none-alpha 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec "${srcdir}/tests/pngstest" none alpha Index: tests/pngstest-sRGB =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngstest-sRGB,v diff -u -p -u -r1.1.1.1 pngstest-sRGB --- tests/pngstest-sRGB 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngstest-sRGB 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec "${srcdir}/tests/pngstest" sRGB none Index: tests/pngstest-sRGB-alpha =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngstest-sRGB-alpha,v diff -u -p -u -r1.1.1.1 pngstest-sRGB-alpha --- tests/pngstest-sRGB-alpha 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngstest-sRGB-alpha 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec "${srcdir}/tests/pngstest" sRGB alpha Index: tests/pngunknown-IDAT =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngunknown-IDAT,v diff -u -p -u -r1.1.1.1 pngunknown-IDAT --- tests/pngunknown-IDAT 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngunknown-IDAT 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngunknown --strict default=discard IDAT=save "${srcdir}/pngtest.png" Index: tests/pngunknown-discard =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngunknown-discard,v diff -u -p -u -r1.1.1.1 pngunknown-discard --- tests/pngunknown-discard 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngunknown-discard 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngunknown --strict default=discard "${srcdir}/pngtest.png" Index: tests/pngunknown-if-safe =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngunknown-if-safe,v diff -u -p -u -r1.1.1.1 pngunknown-if-safe --- tests/pngunknown-if-safe 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngunknown-if-safe 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngunknown --strict default=if-safe "${srcdir}/pngtest.png" Index: tests/pngunknown-sAPI =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngunknown-sAPI,v diff -u -p -u -r1.1.1.1 pngunknown-sAPI --- tests/pngunknown-sAPI 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngunknown-sAPI 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngunknown --strict bKGD=save cHRM=save gAMA=save all=discard iCCP=save sBIT=save sRGB=save eXIf=save "${srcdir}/pngtest.png" Index: tests/pngunknown-sTER =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngunknown-sTER,v diff -u -p -u -r1.1.1.1 pngunknown-sTER --- tests/pngunknown-sTER 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngunknown-sTER 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngunknown --strict sTER=if-safe "${srcdir}/pngtest.png" Index: tests/pngunknown-save =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngunknown-save,v diff -u -p -u -r1.1.1.1 pngunknown-save --- tests/pngunknown-save 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngunknown-save 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngunknown --strict default=save "${srcdir}/pngtest.png" Index: tests/pngunknown-vpAg =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngunknown-vpAg,v diff -u -p -u -r1.1.1.1 pngunknown-vpAg --- tests/pngunknown-vpAg 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngunknown-vpAg 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngunknown --strict vpAg=if-safe "${srcdir}/pngtest.png" Index: tests/pngvalid-gamma-16-to-8 =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-gamma-16-to-8,v diff -u -p -u -r1.1.1.1 pngvalid-gamma-16-to-8 --- tests/pngvalid-gamma-16-to-8 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-gamma-16-to-8 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --gamma-16-to-8 Index: tests/pngvalid-gamma-alpha-mode =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-gamma-alpha-mode,v diff -u -p -u -r1.1.1.1 pngvalid-gamma-alpha-mode --- tests/pngvalid-gamma-alpha-mode 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-gamma-alpha-mode 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --gamma-alpha-mode Index: tests/pngvalid-gamma-background =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-gamma-background,v diff -u -p -u -r1.1.1.1 pngvalid-gamma-background --- tests/pngvalid-gamma-background 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-gamma-background 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --gamma-background Index: tests/pngvalid-gamma-expand16-alpha-mode =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-gamma-expand16-alpha-mode,v diff -u -p -u -r1.1.1.1 pngvalid-gamma-expand16-alpha-mode --- tests/pngvalid-gamma-expand16-alpha-mode 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-gamma-expand16-alpha-mode 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --gamma-alpha-mode --expand16 Index: tests/pngvalid-gamma-expand16-background =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-gamma-expand16-background,v diff -u -p -u -r1.1.1.1 pngvalid-gamma-expand16-background --- tests/pngvalid-gamma-expand16-background 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-gamma-expand16-background 26 Mar 2026 07:09:49 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --gamma-background --expand16 Index: tests/pngvalid-gamma-expand16-transform =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-gamma-expand16-transform,v diff -u -p -u -r1.1.1.1 pngvalid-gamma-expand16-transform --- tests/pngvalid-gamma-expand16-transform 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-gamma-expand16-transform 26 Mar 2026 07:09:50 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --gamma-transform --expand16 Index: tests/pngvalid-gamma-sbit =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-gamma-sbit,v diff -u -p -u -r1.1.1.1 pngvalid-gamma-sbit --- tests/pngvalid-gamma-sbit 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-gamma-sbit 26 Mar 2026 07:09:50 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --gamma-sbit Index: tests/pngvalid-gamma-threshold =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-gamma-threshold,v diff -u -p -u -r1.1.1.1 pngvalid-gamma-threshold --- tests/pngvalid-gamma-threshold 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-gamma-threshold 26 Mar 2026 07:09:50 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --gamma-threshold Index: tests/pngvalid-gamma-transform =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-gamma-transform,v diff -u -p -u -r1.1.1.1 pngvalid-gamma-transform --- tests/pngvalid-gamma-transform 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-gamma-transform 26 Mar 2026 07:09:50 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --gamma-transform Index: tests/pngvalid-progressive-interlace-standard =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-progressive-interlace-standard,v diff -u -p -u -r1.1.1.1 pngvalid-progressive-interlace-standard --- tests/pngvalid-progressive-interlace-standard 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-progressive-interlace-standard 26 Mar 2026 07:09:50 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --standard --progressive-read --interlace Index: tests/pngvalid-progressive-size =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-progressive-size,v diff -u -p -u -r1.1.1.1 pngvalid-progressive-size --- tests/pngvalid-progressive-size 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-progressive-size 26 Mar 2026 07:09:50 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --size --progressive-read Index: tests/pngvalid-progressive-standard =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-progressive-standard,v diff -u -p -u -r1.1.1.1 pngvalid-progressive-standard --- tests/pngvalid-progressive-standard 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-progressive-standard 26 Mar 2026 07:09:50 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --standard --progressive-read Index: tests/pngvalid-standard =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-standard,v diff -u -p -u -r1.1.1.1 pngvalid-standard --- tests/pngvalid-standard 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-standard 26 Mar 2026 07:09:50 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --standard Index: tests/pngvalid-transform =================================================================== RCS file: /cvs/OpenBSD/xenocara/lib/libpng/tests/pngvalid-transform,v diff -u -p -u -r1.1.1.1 pngvalid-transform --- tests/pngvalid-transform 17 Sep 2025 14:44:43 -0000 1.1.1.1 +++ tests/pngvalid-transform 26 Mar 2026 07:09:50 -0000 @@ -1,2 +1,3 @@ #!/bin/sh + exec ./pngvalid --strict --transform -- Matthieu Herrb