Merge tag 'v1.6.55' into libpng18
diff --git a/.markdownlint.yml b/.markdownlint.yml
new file mode 100644
index 0000000..5072a31
--- /dev/null
+++ b/.markdownlint.yml
@@ -0,0 +1,25 @@
+# Markdownlint configuration
+# See https://github.com/markdownlint/markdownlint/blob/main/docs/RULES.md
+
+# MD004
+ul-style:
+ style: sublist
+
+# MD007
+ul-indent:
+ start_indented: true
+ start_indent: 1
+ indent: 3
+
+# MD012
+no-multiple-blanks:
+ maximum: 2
+
+# MD024
+no-duplicate-heading: false
+
+# MD025
+single-title: false
+
+# MD028
+no-blanks-blockquote: false
diff --git a/AUTHORS.md b/AUTHORS.md
index 90af4ea..35f3979 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -18,6 +18,7 @@
 * Guy Eric Schalnat
 * James Yu
 * John Bowler
+ * Joshua Inscoe
 * Kevin Bracey
 * Lucas Chollet
 * Maarten Bent
diff --git a/CHANGES b/CHANGES
index c256188..8585bb0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5988,7 +5988,7 @@ Version 1.6.32rc02 [August 22, 2017] Added contrib/oss-fuzz directory which contains files used by the oss-fuzz - project (https://github.com/google/oss-fuzz/tree/master/projects/libpng). + project <https://github.com/google/oss-fuzz/tree/master/projects/libpng>. Version 1.6.32 [August 24, 2017] No changes. @@ -6323,16 +6323,23 @@ Version 1.6.54 [January 12, 2026] Fixed CVE-2026-22695 (medium severity): - Heap buffer over-read in `png_image_read_direct_scaled. + Heap buffer over-read in `png_image_read_direct_scaled`. (Reported and fixed by Petr Simecek.) Fixed CVE-2026-22801 (medium severity): Integer truncation causing heap buffer over-read in `png_image_write_*`. Implemented various improvements in oss-fuzz. (Contributed by Philippe Antoine.) +Version 1.6.55 [February 9, 2026] + Fixed CVE-2026-25646 (high severity): + Heap buffer overflow in `png_set_quantize`. + (Reported and fixed by Joshua Inscoe.) + Resolved an oss-fuzz build issue involving nalloc. + (Contributed by Philippe Antoine.) + Version 1.8.0 [TODO] Send comments/corrections/commendations to png-mng-implement at lists.sf.net. Subscription is required; visit -https://lists.sourceforge.net/lists/listinfo/png-mng-implement +<https://lists.sourceforge.net/lists/listinfo/png-mng-implement> to subscribe.
diff --git a/README.md b/README.md
index 5e62d97..d2a9e71 100644
--- a/README.md
+++ b/README.md
@@ -24,14 +24,14 @@ replacement for `fread()` and `fwrite()`, if you are so inclined. zlib should be available at the same place that libpng is, or at -https://zlib.net . +<https://zlib.net>. You may also want a copy of the PNG specification. It is available as an RFC, a W3C Recommendation, and an ISO/IEC Standard. You can find -these at http://www.libpng.org/pub/png/pngdocs.html . +these at <http://www.libpng.org/pub/png/pngdocs.html>. -This code is currently being archived at https://libpng.sourceforge.io -in the download area, and at http://libpng.download/src . +This code is currently being archived at <https://libpng.sourceforge.io> +in the download area, and at <http://libpng.download/src>. This release, based in a large way on Glenn's, Guy's and Andreas' earlier work, was created and will be supported by myself and the PNG @@ -39,12 +39,12 @@ Send comments, corrections and commendations to `png-mng-implement` at `lists.sourceforge.net`. (Subscription is required; visit -https://lists.sourceforge.net/lists/listinfo/png-mng-implement +<https://lists.sourceforge.net/lists/listinfo/png-mng-implement> to subscribe.) Send general questions about the PNG specification to `png-mng-misc` at `lists.sourceforge.net`. (Subscription is required; visit -https://lists.sourceforge.net/lists/listinfo/png-mng-misc +<https://lists.sourceforge.net/lists/listinfo/png-mng-misc> to subscribe.) Historical notes
diff --git a/TODO.md b/TODO.md
index 8ddb7d1..83b1237 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,5 +1,5 @@ TODO list for libpng --------------------- +==================== * Fix all defects (duh!) * cHRM transformation.
diff --git a/ci/README.md b/ci/README.md
index bb032ed..d5af747 100644
--- a/ci/README.md
+++ b/ci/README.md
@@ -4,11 +4,11 @@ Copyright Notice ---------------- -Copyright (c) 2019-2025 Cosmin Truta. +Copyright (c) 2019-2026 Cosmin Truta. Use, modification and distribution are subject to the MIT License. Please see the accompanying file `LICENSE_MIT.txt` or visit -https://opensource.org/license/mit +<https://opensource.org/license/mit> File List ---------
diff --git a/manuals/libpng-manual.txt b/manuals/libpng-manual.txt
index 3868db9..7d5ef22 100644
--- a/manuals/libpng-manual.txt
+++ b/manuals/libpng-manual.txt
@@ -1,6 +1,6 @@ libpng-manual.txt - A description on how to use and modify libpng - Copyright (c) 2018-2025 Cosmin Truta + Copyright (c) 2018-2026 Cosmin Truta Copyright (c) 1998-2018 Glenn Randers-Pehrson This document is released under the libpng license. @@ -9,7 +9,7 @@ Based on: - libpng version 1.6.36, December 2018, through 1.6.54 - January 2026 + libpng version 1.6.36, December 2018, through 1.6.55 - February 2026 Updated and distributed by Cosmin Truta Copyright (c) 2018-2026 Cosmin Truta
diff --git a/manuals/libpng.3 b/manuals/libpng.3
index 83a7b68..11d7465 100644
--- a/manuals/libpng.3
+++ b/manuals/libpng.3
@@ -1,4 +1,4 @@ -.TH LIBPNG 3 "January 12, 2026" +.TH LIBPNG 3 "February 9, 2026" .SH NAME libpng \- Portable Network Graphics (PNG) Reference Library 1.8.0.git @@ -507,7 +507,7 @@ .SH LIBPNG.TXT libpng-manual.txt - A description on how to use and modify libpng - Copyright (c) 2018-2025 Cosmin Truta + Copyright (c) 2018-2026 Cosmin Truta Copyright (c) 1998-2018 Glenn Randers-Pehrson This document is released under the libpng license. @@ -516,7 +516,7 @@ Based on: - libpng version 1.6.36, December 2018, through 1.6.54 - January 2026 + libpng version 1.6.36, December 2018, through 1.6.55 - February 2026 Updated and distributed by Cosmin Truta Copyright (c) 2018-2026 Cosmin Truta
diff --git a/manuals/png.5 b/manuals/png.5
index 8bf1b54..7e0fdc4 100644
--- a/manuals/png.5
+++ b/manuals/png.5
@@ -1,4 +1,4 @@ -.TH PNG 5 "January 12, 2026" +.TH PNG 5 "February 9, 2026" .SH NAME png \- Portable Network Graphics (PNG) format
diff --git a/png.h b/png.h
index 48d5aac..6db7bd6 100644
--- a/png.h
+++ b/png.h
@@ -14,7 +14,7 @@
 * libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger
 * libpng versions 0.97, January 1998, through 1.6.35, July 2018:
 * Glenn Randers-Pehrson
- * libpng versions 1.6.36, December 2018, through 1.6.54, January 2026:
+ * libpng versions 1.6.36, December 2018, through 1.6.55, February 2026:
 * Cosmin Truta
 * See also "Contributing Authors", below.
 */
diff --git a/pngrtran.c b/pngrtran.c
index 0d8c596..f2b23e3 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -1,6 +1,6 @@ /* pngrtran.c - transforms the data in a row for PNG readers * - * Copyright (c) 2018-2025 Cosmin Truta + * Copyright (c) 2018-2026 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -689,8 +689,8 @@ break; t->next = hash[d]; - t->left = (png_byte)i; - t->right = (png_byte)j; + t->left = png_ptr->palette_to_index[i]; + t->right = png_ptr->palette_to_index[j]; hash[d] = t; } }
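Review bot: The two new assignments to `t->left` and `t->right` in the second hunk carry no comment explaining why the loop indices are now translated through `png_ptr->palette_to_index`, although that translation is the whole security-relevant content of this change (CHANGES in this same merge lists a heap buffer overflow in `png_set_quantize` as CVE-2026-25646). Presumably the stored values are consumed later as original-palette indices, so storing the raw loop position became wrong once entries had been moved; a one-line comment such as `/* left/right hold original palette indices, not current positions */` would keep a later cleanup from reverting to `(png_byte)i`. The hunk does not show how `palette_to_index` is sized or how `i` and `j` are bounded, so it is worth confirming both stay below the array length on every pass, and a regression test with a palette that exercises this pruning loop would pin the fix. The enclosing function begins and ends outside the hunk.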
diff --git a/scripts/cmake/README.md b/scripts/cmake/README.md
index 18e7107..e3b00a4 100644
--- a/scripts/cmake/README.md
+++ b/scripts/cmake/README.md
@@ -4,7 +4,7 @@ Copyright Notice ---------------- - * Copyright (c) 2018-2024 Cosmin Truta. + * Copyright (c) 2018-2026 Cosmin Truta. * Copyright (c) 2007-2018 Glenn Randers-Pehrson. * Originally written by Christian Ehrlicher, 2007. @@ -12,7 +12,7 @@ files in the libpng distribution are subject to the same licensing terms and conditions as libpng. Please see the copyright notice in `png.h` or visit -http://libpng.org/pub/png/src/libpng-LICENSE.txt +<http://libpng.org/pub/png/src/libpng-LICENSE.txt> File List ---------