- version update to 1.2.59
Added png_check_chunk_length() function, and check all chunks except
IDAT against the default 8MB limit; check IDAT against the maximum
size computed from IHDR parameters (Fixes CVE-2017-12652).
Initialize memory allocated by png_inflate to zero, using memset, to
stop an oss-fuzz "use of uninitialized value" detection in png_set_text_2()
due to truncated iTXt or zTXt chunk.
OBS-URL: https://build.opensuse.org/request/show/715992
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libpng12?expand=0&rev=39
Added png_check_chunk_length() function, and check all chunks except
IDAT against the default 8MB limit; check IDAT against the maximum
size computed from IHDR parameters (Fixes CVE-2017-12652).
Initialize memory allocated by png_inflate to zero, using memset, to
stop an oss-fuzz "use of uninitialized value" detection in png_set_text_2()
due to truncated iTXt or zTXt chunk.
OBS-URL: https://build.opensuse.org/package/show/graphics/libpng12?expand=0&rev=63
Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(),
png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr).
Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
vulnerability.
OBS-URL: https://build.opensuse.org/package/show/graphics/libpng12?expand=0&rev=54
- updated to 1.2.53:
Issue a png_error() instead of a png_warning() when width is
potentially too large for the architecture, in case the calling
application has overridden the default 1,000,000-column limit
(fixes CVE-2014-9495 and CVE-2015-0973).
Display user limits in the output from pngtest.
Changed PNG_USER_CHUNK_MALLOC_MAX from unlimited to 8,000,000.
This can only be changed at library-build time. It only
affects the maximum memory that can be allocated to an
ancillary chunk; it does not limit the size of IDAT
data, which is instead limited by PNG_USER_WIDTH_MAX.
OBS-URL: https://build.opensuse.org/request/show/288036
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libpng12?expand=0&rev=30
Issue a png_error() instead of a png_warning() when width is
potentially too large for the architecture, in case the calling
application has overridden the default 1,000,000-column limit
(fixes CVE-2014-9495 and CVE-2015-0973).
Display user limits in the output from pngtest.
Changed PNG_USER_CHUNK_MALLOC_MAX from unlimited to 8,000,000.
This can only be changed at library-build time. It only
affects the maximum memory that can be allocated to an
ancillary chunk; it does not limit the size of IDAT
data, which is instead limited by PNG_USER_WIDTH_MAX.
OBS-URL: https://build.opensuse.org/package/show/graphics/libpng12?expand=0&rev=48
- updated to 1.2.51:
Ignore, with a warning, out-of-range value of num_trans in png_set_tRNS().
Replaced AM_CONFIG_HEADER(config.h) with
AC_CONFIG_HEADERS([config.h]) in configure.ac
Changed default value of PNG_USER_CACHE_MAX from 0 to 32767 in pngconf.h.
Avoid a possible memory leak in contrib/gregbook/readpng.c
Revised libpng.3 so that "doclifter" can process it.
Changed '"%s"m' to '"%s" m' in png_debug macros to improve portability
among compilers.
Rebuilt the configure scripts with autoconf-2.69 and automake-1.14.1
Removed potentially misleading warning from png_check_IHDR().
Quiet set-but-not-used warnings in pngset.c
Quiet an uninitialized memory warning from VC2013 in png_get_png().
Quiet unused variable warnings from clang by porting PNG_UNUSED() from
libpng-1.4.6.
Added -DZ_SOLO to CFLAGS in contrib/pngminim/*/makefile
Added an #ifdef PNG_FIXED_POINT_SUPPORTED/#endif in pngset.c
OBS-URL: https://build.opensuse.org/request/show/221208
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libpng12?expand=0&rev=25
Ignore, with a warning, out-of-range value of num_trans in png_set_tRNS().
Replaced AM_CONFIG_HEADER(config.h) with
AC_CONFIG_HEADERS([config.h]) in configure.ac
Changed default value of PNG_USER_CACHE_MAX from 0 to 32767 in pngconf.h.
Avoid a possible memory leak in contrib/gregbook/readpng.c
Revised libpng.3 so that "doclifter" can process it.
Changed '"%s"m' to '"%s" m' in png_debug macros to improve portability
among compilers.
Rebuilt the configure scripts with autoconf-2.69 and automake-1.14.1
Removed potentially misleading warning from png_check_IHDR().
Quiet set-but-not-used warnings in pngset.c
Quiet an uninitialized memory warning from VC2013 in png_get_png().
Quiet unused variable warnings from clang by porting PNG_UNUSED() from
libpng-1.4.6.
Added -DZ_SOLO to CFLAGS in contrib/pngminim/*/makefile
Added an #ifdef PNG_FIXED_POINT_SUPPORTED/#endif in pngset.c
OBS-URL: https://build.opensuse.org/package/show/graphics/libpng12?expand=0&rev=40
