Dominique Leuenberger
43714a87bc
- verson update to 1.6.56:
* Fixed CVE-2026-33416 (high severity):
* Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`.
(Reported by Halil Oktay and Ryo Shimada;
fixed by Halil Oktay and Cosmin Truta.)
* Fixed CVE-2026-33636 (high severity):
* Out-of-bounds read/write in the palette expansion on ARM Neon.
(Reported by Taegu Ha; fixed by Taegu Ha and Cosmin Truta.)
* Fixed uninitialized reads beyond `num_trans` in `trans_alpha` buffers.
(Contributed by Halil Oktay.)
* Fixed stale `info_ptr->palette` after in-place gamma and background
transforms.
* Fixed wrong channel indices in `png_image_read_and_map` RGB_ALPHA path.
(Contributed by Yuelin Wang.)
* Fixed wrong background color in colormap read.
(Contributed by Yuelin Wang.)
* Fixed dead loop in sPLT write.
(Contributed by Yuelin Wang.)
* Added missing null pointer checks in four public API functions.
(Contributed by Yuelin Wang.)
* Validated shift bit depths in `png_set_shift` to prevent infinite loop.
(Contributed by Yuelin Wang.)
* Avoided undefined behavior in library and tests.
* Deprecated the hardly-ever-tested POINTER_INDEXING config option.
* Added negative-stride test coverage for the simplified API.
* Fixed memory leaks and API misuse in oss-fuzz.
(Contributed by Owen Sanzas.)
* Implemented various fixes and improvements in oss-fuzz.
(Contributed by Bob Friesenhahn and Philippe Antoine.)
* Performed various refactorings and cleanups.
OBS-URL: https://build.opensuse.org/request/show/1343165
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libpng16?expand=0&rev=64