infernap12/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2026-04-21 12:20:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

8382047: Update Libpng to 1.6.57

Browse Source 
Reviewed-by: avu, azvegint, prr
This commit is contained in:
Jayathirth D V 2026-04-15 04:22:28 +00:00
parent 9ebee751e8
commit 20e8ea0e06
9 changed files with 89 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/java.desktop/share/legal/libpng.md
View File

@ -1,4 +1,4 @@
## libpng v1.6.56
## libpng v1.6.57
### libpng License
<pre>
@ -180,6 +180,7 @@ Authors, for copyright and licensing purposes.
* Mans Rullgard
* Matt Sarett
* Mike Klein
* Mohammad Seet
* Pascal Massimino
* Paul Schmidt
* Petr Simecek

11
src/java.desktop/share/native/libsplashscreen/libpng/CHANGES
View File

@ -6368,6 +6368,17 @@ Version 1.6.56 [March 25, 2026]
(Contributed by Bob Friesenhahn and Philippe Antoine.)
Performed various refactorings and cleanups.
Version 1.6.57 [April 8, 2026]
Fixed CVE-2026-34757 (medium severity):
Use-after-free in `png_set_PLTE`, `png_set_tRNS` and `png_set_hIST`
leading to corrupted chunk data and potential heap information disclosure.
Also hardened the append-style setters (`png_set_text`, `png_set_sPLT`,
`png_set_unknown_chunks`) against a theoretical variant of the same
aliasing pattern.
(Reported by Iv4n <Iv4n550@users.noreply.github.com>.)
Fixed integer overflow in rowbytes computation in read transforms.
(Contributed by Mohammad Seet.)
Send comments/corrections/commendations to png-mng-implement at lists.sf.net.
Subscription is required; visit
<https://lists.sourceforge.net/lists/listinfo/png-mng-implement>

2
src/java.desktop/share/native/libsplashscreen/libpng/README
View File

@ -1,4 +1,4 @@
README for libpng version 1.6.56
README for libpng version 1.6.57
================================
See the note about version numbers near the top of `png.h`.

4
src/java.desktop/share/native/libsplashscreen/libpng/png.c
View File

@ -42,7 +42,7 @@
#include "pngpriv.h"
/* Generate a compiler error if there is an old png.h in the search path. */
typedef png_libpng_version_1_6_56 Your_png_h_is_not_version_1_6_56;
typedef png_libpng_version_1_6_57 Your_png_h_is_not_version_1_6_57;
/* Sanity check the chunks definitions - PNG_KNOWN_CHUNKS from pngpriv.h and the
* corresponding macro definitions. This causes a compile time failure if
@ -849,7 +849,7 @@ png_get_copyright(png_const_structrp png_ptr)
return PNG_STRING_COPYRIGHT
#else
return PNG_STRING_NEWLINE \
"libpng version 1.6.56" PNG_STRING_NEWLINE \
"libpng version 1.6.57" PNG_STRING_NEWLINE \
"Copyright (c) 2018-2026 Cosmin Truta" PNG_STRING_NEWLINE \
"Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
PNG_STRING_NEWLINE \

14
src/java.desktop/share/native/libsplashscreen/libpng/png.h
View File

@ -29,7 +29,7 @@
* However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed:
*
* libpng version 1.6.56
* libpng version 1.6.57
*
* Copyright (c) 2018-2026 Cosmin Truta
* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
@ -43,7 +43,7 @@
* libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger
* libpng versions 0.97, January 1998, through 1.6.35, July 2018:
* Glenn Randers-Pehrson
* libpng versions 1.6.36, December 2018, through 1.6.56, March 2026:
* libpng versions 1.6.36, December 2018, through 1.6.57, April 2026:
* Cosmin Truta
* See also "Contributing Authors", below.
*/
@ -267,7 +267,7 @@
* ...
* 1.5.30 15 10530 15.so.15.30[.0]
* ...
* 1.6.56 16 10656 16.so.16.56[.0]
* 1.6.57 16 10657 16.so.16.57[.0]
*
* Henceforth the source version will match the shared-library major and
* minor numbers; the shared-library major version number will be used for
@ -303,7 +303,7 @@
*/
/* Version information for png.h - this should match the version in png.c */
#define PNG_LIBPNG_VER_STRING "1.6.56"
#define PNG_LIBPNG_VER_STRING "1.6.57"
#define PNG_HEADER_VERSION_STRING " libpng version " PNG_LIBPNG_VER_STRING "\n"
/* The versions of shared library builds should stay in sync, going forward */
@ -314,7 +314,7 @@
/* These should match the first 3 components of PNG_LIBPNG_VER_STRING: */
#define PNG_LIBPNG_VER_MAJOR 1
#define PNG_LIBPNG_VER_MINOR 6
#define PNG_LIBPNG_VER_RELEASE 56
#define PNG_LIBPNG_VER_RELEASE 57
/* This should be zero for a public release, or non-zero for a
* development version.
@ -345,7 +345,7 @@
* From version 1.0.1 it is:
* XXYYZZ, where XX=major, YY=minor, ZZ=release
*/
#define PNG_LIBPNG_VER 10656 /* 1.6.56 */
#define PNG_LIBPNG_VER 10657 /* 1.6.57 */
/* Library configuration: these options cannot be changed after
* the library has been built.
@ -455,7 +455,7 @@ extern "C" {
/* This triggers a compiler error in png.c, if png.c and png.h
* do not agree upon the version number.
*/
typedef char *png_libpng_version_1_6_56;
typedef char *png_libpng_version_1_6_57;
/* Basic control structions. Read libpng-manual.txt or libpng.3 for more info.
*

2
src/java.desktop/share/native/libsplashscreen/libpng/pngconf.h
View File

@ -29,7 +29,7 @@
* However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed:
*
* libpng version 1.6.56
* libpng version 1.6.57
*
* Copyright (c) 2018-2026 Cosmin Truta
* Copyright (c) 1998-2002,2004,2006-2016,2018 Glenn Randers-Pehrson

2
src/java.desktop/share/native/libsplashscreen/libpng/pnglibconf.h
View File

@ -31,7 +31,7 @@
* However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed:
*/
/* libpng version 1.6.56 */
/* libpng version 1.6.57 */
/* Copyright (c) 2018-2026 Cosmin Truta */
/* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson */

28
src/java.desktop/share/native/libsplashscreen/libpng/pngrtran.c
View File

@ -2408,7 +2408,7 @@ png_do_unpack(png_row_infop row_info, png_bytep row)
}
row_info->bit_depth = 8;
row_info->pixel_depth = (png_byte)(8 * row_info->channels);
row_info->rowbytes = row_width * row_info->channels;
row_info->rowbytes = (size_t)row_width * row_info->channels;
}
}
#endif
@ -2610,7 +2610,7 @@ png_do_scale_16_to_8(png_row_infop row_info, png_bytep row)
row_info->bit_depth = 8;
row_info->pixel_depth = (png_byte)(8 * row_info->channels);
row_info->rowbytes = row_info->width * row_info->channels;
row_info->rowbytes = (size_t)row_info->width * row_info->channels;
}
}
#endif
@ -2638,7 +2638,7 @@ png_do_chop(png_row_infop row_info, png_bytep row)
row_info->bit_depth = 8;
row_info->pixel_depth = (png_byte)(8 * row_info->channels);
row_info->rowbytes = row_info->width * row_info->channels;
row_info->rowbytes = (size_t)row_info->width * row_info->channels;
}
}
#endif
@ -2874,7 +2874,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
*(--dp) = lo_filler;
row_info->channels = 2;
row_info->pixel_depth = 16;
row_info->rowbytes = row_width * 2;
row_info->rowbytes = (size_t)row_width * 2;
}
else
@ -2889,7 +2889,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
}
row_info->channels = 2;
row_info->pixel_depth = 16;
row_info->rowbytes = row_width * 2;
row_info->rowbytes = (size_t)row_width * 2;
}
}
@ -2912,7 +2912,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
*(--dp) = hi_filler;
row_info->channels = 2;
row_info->pixel_depth = 32;
row_info->rowbytes = row_width * 4;
row_info->rowbytes = (size_t)row_width * 4;
}
else
@ -2929,7 +2929,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
}
row_info->channels = 2;
row_info->pixel_depth = 32;
row_info->rowbytes = row_width * 4;
row_info->rowbytes = (size_t)row_width * 4;
}
}
#endif
@ -2953,7 +2953,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
*(--dp) = lo_filler;
row_info->channels = 4;
row_info->pixel_depth = 32;
row_info->rowbytes = row_width * 4;
row_info->rowbytes = (size_t)row_width * 4;
}
else
@ -2970,7 +2970,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
}
row_info->channels = 4;
row_info->pixel_depth = 32;
row_info->rowbytes = row_width * 4;
row_info->rowbytes = (size_t)row_width * 4;
}
}
@ -2997,7 +2997,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
*(--dp) = hi_filler;
row_info->channels = 4;
row_info->pixel_depth = 64;
row_info->rowbytes = row_width * 8;
row_info->rowbytes = (size_t)row_width * 8;
}
else
@ -3019,7 +3019,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
row_info->channels = 4;
row_info->pixel_depth = 64;
row_info->rowbytes = row_width * 8;
row_info->rowbytes = (size_t)row_width * 8;
}
}
#endif
@ -4513,7 +4513,7 @@ png_do_expand_palette(png_structrp png_ptr, png_row_infop row_info,
}
row_info->bit_depth = 8;
row_info->pixel_depth = 32;
row_info->rowbytes = row_width * 4;
row_info->rowbytes = (size_t)row_width * 4;
row_info->color_type = 6;
row_info->channels = 4;
}
@ -4521,7 +4521,7 @@ png_do_expand_palette(png_structrp png_ptr, png_row_infop row_info,
else
{
sp = row + (size_t)row_width - 1;
dp = row + (size_t)(row_width * 3) - 1;
dp = row + (size_t)row_width * 3 - 1;
i = 0;
#ifdef PNG_ARM_NEON_INTRINSICS_AVAILABLE
i = png_do_expand_palette_rgb8_neon(png_ptr, row_info, row,
@ -4540,7 +4540,7 @@ png_do_expand_palette(png_structrp png_ptr, png_row_infop row_info,
row_info->bit_depth = 8;
row_info->pixel_depth = 24;
row_info->rowbytes = row_width * 3;
row_info->rowbytes = (size_t)row_width * 3;
row_info->color_type = 2;
row_info->channels = 3;
}

54
src/java.desktop/share/native/libsplashscreen/libpng/pngset.c
View File

@ -414,6 +414,7 @@ void PNGAPI
png_set_hIST(png_const_structrp png_ptr, png_inforp info_ptr,
png_const_uint_16p hist)
{
png_uint_16 safe_hist[PNG_MAX_PALETTE_LENGTH];
int i;
png_debug1(1, "in %s storage function", "hIST");
@ -430,6 +431,13 @@ png_set_hIST(png_const_structrp png_ptr, png_inforp info_ptr,
return;
}
/* Snapshot the caller's hist before freeing, in case it points to
* info_ptr->hist (getter-to-setter aliasing).
*/
memcpy(safe_hist, hist, (unsigned int)info_ptr->num_palette *
(sizeof (png_uint_16)));
hist = safe_hist;
png_free_data(png_ptr, info_ptr, PNG_FREE_HIST, 0);
/* Changed from info->num_palette to PNG_MAX_PALETTE_LENGTH in
@ -771,7 +779,7 @@ void PNGAPI
png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
png_const_colorp palette, int num_palette)
{
png_color safe_palette[PNG_MAX_PALETTE_LENGTH];
png_uint_32 max_palette_length;
png_debug1(1, "in %s storage function", "PLTE");
@ -805,6 +813,15 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
png_error(png_ptr, "Invalid palette");
}
/* Snapshot the caller's palette before freeing, in case it points to
* info_ptr->palette (getter-to-setter aliasing).
*/
if (num_palette > 0)
memcpy(safe_palette, palette, (unsigned int)num_palette *
(sizeof (png_color)));
palette = safe_palette;
png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
/* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
@ -966,6 +983,7 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
png_const_textp text_ptr, int num_text)
{
int i;
png_textp old_text = NULL;
png_debug1(1, "in text storage function, chunk typeid = 0x%lx",
png_ptr == NULL ? 0xabadca11UL : (unsigned long)png_ptr->chunk_name);
@ -1013,7 +1031,10 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
return 1;
}
png_free(png_ptr, info_ptr->text);
/* Defer freeing the old array until after the copy loop below,
* in case text_ptr aliases info_ptr->text (getter-to-setter).
*/
old_text = info_ptr->text;
info_ptr->text = new_text;
info_ptr->free_me |= PNG_FREE_TEXT;
@ -1098,6 +1119,7 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
{
png_chunk_report(png_ptr, "text chunk: out of memory",
PNG_CHUNK_WRITE_ERROR);
png_free(png_ptr, old_text);
return 1;
}
@ -1151,6 +1173,8 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
png_debug1(3, "transferred text chunk %d", info_ptr->num_text);
}
png_free(png_ptr, old_text);
return 0;
}
#endif
@ -1194,6 +1218,16 @@ png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr,
if (trans_alpha != NULL)
{
/* Snapshot the caller's trans_alpha before freeing, in case it
* points to info_ptr->trans_alpha (getter-to-setter aliasing).
*/
png_byte safe_trans[PNG_MAX_PALETTE_LENGTH];
if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
memcpy(safe_trans, trans_alpha, (size_t)num_trans);
trans_alpha = safe_trans;
png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
@ -1278,6 +1312,7 @@ png_set_sPLT(png_const_structrp png_ptr,
*/
{
png_sPLT_tp np;
png_sPLT_tp old_spalettes;
png_debug1(1, "in %s storage function", "sPLT");
@ -1298,7 +1333,10 @@ png_set_sPLT(png_const_structrp png_ptr,
return;
}
png_free(png_ptr, info_ptr->splt_palettes);
/* Defer freeing the old array until after the copy loop below,
* in case entries aliases info_ptr->splt_palettes (getter-to-setter).
*/
old_spalettes = info_ptr->splt_palettes;
info_ptr->splt_palettes = np;
info_ptr->free_me |= PNG_FREE_SPLT;
@ -1362,6 +1400,8 @@ png_set_sPLT(png_const_structrp png_ptr,
}
while (--nentries);
png_free(png_ptr, old_spalettes);
if (nentries > 0)
png_chunk_report(png_ptr, "sPLT out of memory", PNG_CHUNK_WRITE_ERROR);
}
@ -1410,6 +1450,7 @@ png_set_unknown_chunks(png_const_structrp png_ptr,
png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns)
{
png_unknown_chunkp np;
png_unknown_chunkp old_unknowns;
if (png_ptr == NULL || info_ptr == NULL || num_unknowns <= 0 ||
unknowns == NULL)
@ -1456,7 +1497,10 @@ png_set_unknown_chunks(png_const_structrp png_ptr,
return;
}
png_free(png_ptr, info_ptr->unknown_chunks);
/* Defer freeing the old array until after the copy loop below,
* in case unknowns aliases info_ptr->unknown_chunks (getter-to-setter).
*/
old_unknowns = info_ptr->unknown_chunks;
info_ptr->unknown_chunks = np; /* safe because it is initialized */
info_ptr->free_me |= PNG_FREE_UNKN;
@ -1502,6 +1546,8 @@ png_set_unknown_chunks(png_const_structrp png_ptr,
++np;
++(info_ptr->unknown_chunks_num);
}
png_free(png_ptr, old_unknowns);
}
void PNGAPI