infernap12/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2026-01-28 12:09:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

8375063: Update Libpng to 1.6.54

Browse Source 
Reviewed-by: serb, prr
This commit is contained in:
Jayathirth D V 2026-01-21 03:12:18 +00:00
parent e25a5a4821
commit a2e749572e
16 changed files with 1401 additions and 965 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/java.desktop/share/legal/libpng.md
View File

@ -1,4 +1,4 @@
## libpng v1.6.51
## libpng v1.6.54
### libpng License
<pre>
@ -9,8 +9,8 @@ COPYRIGHT NOTICE, DISCLAIMER, and LICENSE
PNG Reference Library License version 2
---------------------------------------
Copyright (C) 1995-2025 The PNG Reference Library Authors.
Copyright (C) 2018-2025 Cosmin Truta
Copyright (C) 1995-2026 The PNG Reference Library Authors.
Copyright (C) 2018-2026 Cosmin Truta
Copyright (C) 1998-2018 Glenn Randers-Pehrson
Copyright (C) 1996-1997 Andreas Dilger
Copyright (C) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
@ -158,6 +158,7 @@ This is the list of PNG Reference Library ("libpng") Contributing
Authors, for copyright and licensing purposes.
* Adam Richter
* Alexander Smorkalov
* Andreas Dilger
* Chris Blume
* Cosmin Truta
@ -179,6 +180,7 @@ Authors, for copyright and licensing purposes.
* Mike Klein
* Pascal Massimino
* Paul Schmidt
* Petr Simecek
* Philippe Antoine
* Qiang Zhou
* Sam Bushell
@ -209,6 +211,8 @@ Authors, for copyright and licensing purposes.
- ZhangLixia (张利霞)
* Samsung Group
- Filip Wasil
* SpacemiT Hangzhou Technology, Co.
- Liang Junzhao (梁俊钊)
The build projects, the build scripts, the test scripts, and other
files in the "projects", "scripts" and "tests" directories, have

27
src/java.desktop/share/native/libsplashscreen/libpng/CHANGES
View File

@ -6304,6 +6304,33 @@ Version 1.6.51 [November 21, 2025]
Added GitHub Actions workflows for automated testing.
Performed various refactorings and cleanups.
Version 1.6.52 [December 3, 2025]
Fixed CVE-2025-66293 (high severity):
Out-of-bounds read in `png_image_read_composite`.
(Reported by flyfish101 <flyfish101@users.noreply.github.com>.)
Fixed the Paeth filter handling in the RISC-V RVV implementation.
(Reported by Filip Wasil; fixed by Liang Junzhao.)
Improved the performance of the RISC-V RVV implementation.
(Contributed by Liang Junzhao.)
Added allocation failure fuzzing to oss-fuzz.
(Contributed by Philippe Antoine.)
Version 1.6.53 [December 5, 2025]
Fixed a build failure on RISC-V RVV caused by a misspelled intrinsic.
(Contributed by Alexander Smorkalov.)
Fixed a build failure with CMake 4.1 or newer, on Windows, when using
Visual C++ without MASM installed.
Version 1.6.54 [January 12, 2026]
Fixed CVE-2026-22695 (medium severity):
Heap buffer over-read in `png_image_read_direct_scaled.
(Reported and fixed by Petr Simecek.)
Fixed CVE-2026-22801 (medium severity):
Integer truncation causing heap buffer over-read in `png_image_write_*`.
Implemented various improvements in oss-fuzz.
(Contributed by Philippe Antoine.)
Send comments/corrections/commendations to png-mng-implement at lists.sf.net.
Subscription is required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement

4
src/java.desktop/share/native/libsplashscreen/libpng/LICENSE
View File

@ -4,8 +4,8 @@ COPYRIGHT NOTICE, DISCLAIMER, and LICENSE
PNG Reference Library License version 2
---------------------------------------
* Copyright (c) 1995-2025 The PNG Reference Library Authors.
* Copyright (c) 2018-2025 Cosmin Truta.
* Copyright (c) 1995-2026 The PNG Reference Library Authors.
* Copyright (c) 2018-2026 Cosmin Truta.
* Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson.
* Copyright (c) 1996-1997 Andreas Dilger.
* Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.

2
src/java.desktop/share/native/libsplashscreen/libpng/README
View File

@ -1,4 +1,4 @@
README for libpng version 1.6.51
README for libpng version 1.6.54
================================
See the note about version numbers near the top of `png.h`.

21
src/java.desktop/share/native/libsplashscreen/libpng/png.c
View File

@ -29,7 +29,7 @@
* However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed:
*
* Copyright (c) 2018-2025 Cosmin Truta
* Copyright (c) 2018-2026 Cosmin Truta
* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
* Copyright (c) 1996-1997 Andreas Dilger
* Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
@ -42,7 +42,7 @@
#include "pngpriv.h"
/* Generate a compiler error if there is an old png.h in the search path. */
typedef png_libpng_version_1_6_51 Your_png_h_is_not_version_1_6_51;
typedef png_libpng_version_1_6_54 Your_png_h_is_not_version_1_6_54;
/* Sanity check the chunks definitions - PNG_KNOWN_CHUNKS from pngpriv.h and the
* corresponding macro definitions. This causes a compile time failure if
@ -130,7 +130,8 @@ png_sig_cmp(png_const_bytep sig, size_t start, size_t num_to_check)
#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
/* Function to allocate memory for zlib */
PNG_FUNCTION(voidpf /* PRIVATE */,
png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
png_zalloc,(voidpf png_ptr, uInt items, uInt size),
PNG_ALLOCATED)
{
png_alloc_size_t num_bytes = size;
@ -286,7 +287,8 @@ png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
PNG_FUNCTION(png_structp /* PRIVATE */,
png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
png_malloc_ptr malloc_fn, png_free_ptr free_fn),
PNG_ALLOCATED)
{
png_struct create_struct;
# ifdef PNG_SETJMP_SUPPORTED
@ -390,7 +392,8 @@ png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
/* Allocate the memory for an info_struct for the application. */
PNG_FUNCTION(png_infop,PNGAPI
png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
png_create_info_struct,(png_const_structrp png_ptr),
PNG_ALLOCATED)
{
png_inforp info_ptr;
@ -846,8 +849,8 @@ png_get_copyright(png_const_structrp png_ptr)
return PNG_STRING_COPYRIGHT
#else
return PNG_STRING_NEWLINE \
"libpng version 1.6.51" PNG_STRING_NEWLINE \
"Copyright (c) 2018-2025 Cosmin Truta" PNG_STRING_NEWLINE \
"libpng version 1.6.54" PNG_STRING_NEWLINE \
"Copyright (c) 2018-2026 Cosmin Truta" PNG_STRING_NEWLINE \
"Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
PNG_STRING_NEWLINE \
"Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
@ -2286,8 +2289,8 @@ PNG_FP_End:
int
png_check_fp_string(png_const_charp string, size_t size)
{
int state=0;
size_t char_index=0;
int state = 0;
size_t char_index = 0;
if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
(char_index == size || string[char_index] == 0))

1121
src/java.desktop/share/native/libsplashscreen/libpng/png.h
View File

File diff suppressed because it is too large Load Diff

4
src/java.desktop/share/native/libsplashscreen/libpng/pngconf.h
View File

@ -29,9 +29,9 @@
* However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed:
*
* libpng version 1.6.51
* libpng version 1.6.54
*
* Copyright (c) 2018-2025 Cosmin Truta
* Copyright (c) 2018-2026 Cosmin Truta
* Copyright (c) 1998-2002,2004,2006-2016,2018 Glenn Randers-Pehrson
* Copyright (c) 1996-1997 Andreas Dilger
* Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.

17
src/java.desktop/share/native/libsplashscreen/libpng/pngerror.c
View File

@ -78,7 +78,8 @@ png_error,(png_const_structrp png_ptr, png_const_charp error_message),
}
#else
PNG_FUNCTION(void,PNGAPI
png_err,(png_const_structrp png_ptr),PNG_NORETURN)
png_err,(png_const_structrp png_ptr),
PNG_NORETURN)
{
/* Prior to 1.5.2 the error_fn received a NULL pointer, expressed
* erroneously as '\0', instead of the empty string "". This was
@ -405,8 +406,8 @@ static const char png_digit[16] = {
};
static void /* PRIVATE */
png_format_buffer(png_const_structrp png_ptr, png_charp buffer, png_const_charp
error_message)
png_format_buffer(png_const_structrp png_ptr, png_charp buffer,
png_const_charp error_message)
{
png_uint_32 chunk_name = png_ptr->chunk_name;
int iout = 0, ishift = 24;
@ -485,8 +486,8 @@ png_chunk_warning(png_const_structrp png_ptr, png_const_charp warning_message)
#ifdef PNG_READ_SUPPORTED
#ifdef PNG_BENIGN_ERRORS_SUPPORTED
void PNGAPI
png_chunk_benign_error(png_const_structrp png_ptr, png_const_charp
error_message)
png_chunk_benign_error(png_const_structrp png_ptr,
png_const_charp error_message)
{
if ((png_ptr->flags & PNG_FLAG_BENIGN_ERRORS_WARN) != 0)
png_chunk_warning(png_ptr, error_message);
@ -543,7 +544,8 @@ png_chunk_report(png_const_structrp png_ptr, png_const_charp message, int error)
#ifdef PNG_ERROR_TEXT_SUPPORTED
#ifdef PNG_FLOATING_POINT_SUPPORTED
PNG_FUNCTION(void,
png_fixed_error,(png_const_structrp png_ptr, png_const_charp name),PNG_NORETURN)
png_fixed_error,(png_const_structrp png_ptr, png_const_charp name),
PNG_NORETURN)
{
# define fixed_message "fixed point overflow in "
# define fixed_message_ln ((sizeof fixed_message)-1)
@ -696,7 +698,8 @@ png_default_error,(png_const_structrp png_ptr, png_const_charp error_message),
}
PNG_FUNCTION(void,PNGAPI
png_longjmp,(png_const_structrp png_ptr, int val),PNG_NORETURN)
png_longjmp,(png_const_structrp png_ptr, int val),
PNG_NORETURN)
{
#ifdef PNG_SETJMP_SUPPORTED
if (png_ptr != NULL && png_ptr->longjmp_fn != NULL &&

13
src/java.desktop/share/native/libsplashscreen/libpng/pngget.c
View File

@ -151,8 +151,8 @@ png_get_compression_type(png_const_structrp png_ptr, png_const_inforp info_ptr)
}
png_uint_32 PNGAPI
png_get_x_pixels_per_meter(png_const_structrp png_ptr, png_const_inforp
info_ptr)
png_get_x_pixels_per_meter(png_const_structrp png_ptr,
png_const_inforp info_ptr)
{
#ifdef PNG_pHYs_SUPPORTED
png_debug(1, "in png_get_x_pixels_per_meter");
@ -172,8 +172,8 @@ png_get_x_pixels_per_meter(png_const_structrp png_ptr, png_const_inforp
}
png_uint_32 PNGAPI
png_get_y_pixels_per_meter(png_const_structrp png_ptr, png_const_inforp
info_ptr)
png_get_y_pixels_per_meter(png_const_structrp png_ptr,
png_const_inforp info_ptr)
{
#ifdef PNG_pHYs_SUPPORTED
png_debug(1, "in png_get_y_pixels_per_meter");
@ -215,8 +215,8 @@ png_get_pixels_per_meter(png_const_structrp png_ptr, png_const_inforp info_ptr)
#ifdef PNG_FLOATING_POINT_SUPPORTED
float PNGAPI
png_get_pixel_aspect_ratio(png_const_structrp png_ptr, png_const_inforp
info_ptr)
png_get_pixel_aspect_ratio(png_const_structrp png_ptr,
png_const_inforp info_ptr)
{
#ifdef PNG_READ_pHYs_SUPPORTED
png_debug(1, "in png_get_pixel_aspect_ratio");
@ -766,7 +766,6 @@ png_get_iCCP(png_const_structrp png_ptr, png_inforp info_ptr,
}
return 0;
}
#endif

4
src/java.desktop/share/native/libsplashscreen/libpng/pnglibconf.h
View File

@ -31,9 +31,9 @@
* However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed:
*/
/* libpng version 1.6.51 */
/* libpng version 1.6.54 */
/* Copyright (c) 2018-2025 Cosmin Truta */
/* Copyright (c) 2018-2026 Cosmin Truta */
/* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson */
/* This code is released under the libpng license. */

19
src/java.desktop/share/native/libsplashscreen/libpng/pngmem.c
View File

@ -75,7 +75,8 @@ png_destroy_png_struct(png_structrp png_ptr)
* have the ability to do that.
*/
PNG_FUNCTION(png_voidp,PNGAPI
png_calloc,(png_const_structrp png_ptr, png_alloc_size_t size),PNG_ALLOCATED)
png_calloc,(png_const_structrp png_ptr, png_alloc_size_t size),
PNG_ALLOCATED)
{
png_voidp ret;
@ -147,7 +148,8 @@ png_malloc_array_checked(png_const_structrp png_ptr, int nelements,
PNG_FUNCTION(png_voidp /* PRIVATE */,
png_malloc_array,(png_const_structrp png_ptr, int nelements,
size_t element_size),PNG_ALLOCATED)
size_t element_size),
PNG_ALLOCATED)
{
if (nelements <= 0 || element_size == 0)
png_error(png_ptr, "internal error: array alloc");
@ -157,7 +159,8 @@ png_malloc_array,(png_const_structrp png_ptr, int nelements,
PNG_FUNCTION(png_voidp /* PRIVATE */,
png_realloc_array,(png_const_structrp png_ptr, png_const_voidp old_array,
int old_elements, int add_elements, size_t element_size),PNG_ALLOCATED)
int old_elements, int add_elements, size_t element_size),
PNG_ALLOCATED)
{
/* These are internal errors: */
if (add_elements <= 0 || element_size == 0 || old_elements < 0 ||
@ -196,7 +199,8 @@ png_realloc_array,(png_const_structrp png_ptr, png_const_voidp old_array,
* function png_malloc_default is also provided.
*/
PNG_FUNCTION(png_voidp,PNGAPI
png_malloc,(png_const_structrp png_ptr, png_alloc_size_t size),PNG_ALLOCATED)
png_malloc,(png_const_structrp png_ptr, png_alloc_size_t size),
PNG_ALLOCATED)
{
png_voidp ret;
@ -270,7 +274,8 @@ png_free(png_const_structrp png_ptr, png_voidp ptr)
}
PNG_FUNCTION(void,PNGAPI
png_free_default,(png_const_structrp png_ptr, png_voidp ptr),PNG_DEPRECATED)
png_free_default,(png_const_structrp png_ptr, png_voidp ptr),
PNG_DEPRECATED)
{
if (png_ptr == NULL || ptr == NULL)
return;
@ -284,8 +289,8 @@ png_free_default,(png_const_structrp png_ptr, png_voidp ptr),PNG_DEPRECATED)
* of allocating and freeing memory.
*/
void PNGAPI
png_set_mem_fn(png_structrp png_ptr, png_voidp mem_ptr, png_malloc_ptr
malloc_fn, png_free_ptr free_fn)
png_set_mem_fn(png_structrp png_ptr, png_voidp mem_ptr,
png_malloc_ptr malloc_fn, png_free_ptr free_fn)
{
if (png_ptr != NULL)
{

921
src/java.desktop/share/native/libsplashscreen/libpng/pngpriv.h
View File

File diff suppressed because it is too large Load Diff

188
src/java.desktop/share/native/libsplashscreen/libpng/pngread.c
View File

@ -29,7 +29,7 @@
* However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed:
*
* Copyright (c) 2018-2025 Cosmin Truta
* Copyright (c) 2018-2026 Cosmin Truta
* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
* Copyright (c) 1996-1997 Andreas Dilger
* Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
@ -52,7 +52,8 @@
/* Create a PNG structure for reading, and allocate any memory needed. */
PNG_FUNCTION(png_structp,PNGAPI
png_create_read_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
png_error_ptr error_fn, png_error_ptr warn_fn),PNG_ALLOCATED)
png_error_ptr error_fn, png_error_ptr warn_fn),
PNG_ALLOCATED)
{
#ifndef PNG_USER_MEM_SUPPORTED
png_structp png_ptr = png_create_png_struct(user_png_ver, error_ptr,
@ -68,7 +69,8 @@ png_create_read_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
PNG_FUNCTION(png_structp,PNGAPI
png_create_read_struct_2,(png_const_charp user_png_ver, png_voidp error_ptr,
png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
png_malloc_ptr malloc_fn, png_free_ptr free_fn),
PNG_ALLOCATED)
{
png_structp png_ptr = png_create_png_struct(user_png_ver, error_ptr,
error_fn, warn_fn, mem_ptr, malloc_fn, free_fn);
@ -548,7 +550,6 @@ png_read_row(png_structrp png_ptr, png_bytep row, png_bytep dsp_row)
if (png_ptr->read_row_fn != NULL)
(*(png_ptr->read_row_fn))(png_ptr, png_ptr->row_number, png_ptr->pass);
}
#endif /* SEQUENTIAL_READ */
@ -896,7 +897,7 @@ png_set_read_status_fn(png_structrp png_ptr, png_read_status_ptr read_row_fn)
#ifdef PNG_INFO_IMAGE_SUPPORTED
void PNGAPI
png_read_png(png_structrp png_ptr, png_inforp info_ptr,
int transforms, voidp params)
int transforms, png_voidp params)
{
png_debug(1, "in png_read_png");
@ -1133,19 +1134,20 @@ png_read_png(png_structrp png_ptr, png_inforp info_ptr,
typedef struct
{
/* Arguments: */
/* Arguments */
png_imagep image;
png_voidp buffer;
png_voidp buffer;
png_int_32 row_stride;
png_voidp colormap;
png_voidp colormap;
png_const_colorp background;
/* Local variables: */
png_voidp local_row;
png_voidp first_row;
ptrdiff_t row_bytes; /* step between rows */
int file_encoding; /* E_ values above */
png_fixed_point gamma_to_linear; /* For P_FILE, reciprocal of gamma */
int colormap_processing; /* PNG_CMAP_ values above */
/* Instance variables */
png_voidp local_row;
png_voidp first_row;
ptrdiff_t row_step; /* step between rows */
int file_encoding; /* E_ values above */
png_fixed_point gamma_to_linear; /* For P_FILE, reciprocal of gamma */
int colormap_processing; /* PNG_CMAP_ values above */
} png_image_read_control;
/* Do all the *safe* initialization - 'safe' means that png_error won't be
@ -2866,17 +2868,17 @@ png_image_read_and_map(png_voidp argument)
}
{
png_uint_32 height = image->height;
png_uint_32 width = image->width;
int proc = display->colormap_processing;
png_bytep first_row = png_voidcast(png_bytep, display->first_row);
ptrdiff_t step_row = display->row_bytes;
png_uint_32 height = image->height;
png_uint_32 width = image->width;
int proc = display->colormap_processing;
png_bytep first_row = png_voidcast(png_bytep, display->first_row);
ptrdiff_t row_step = display->row_step;
int pass;
for (pass = 0; pass < passes; ++pass)
{
unsigned int startx, stepx, stepy;
png_uint_32 y;
unsigned int startx, stepx, stepy;
png_uint_32 y;
if (png_ptr->interlaced == PNG_INTERLACE_ADAM7)
{
@ -2900,7 +2902,7 @@ png_image_read_and_map(png_voidp argument)
for (; y<height; y += stepy)
{
png_bytep inrow = png_voidcast(png_bytep, display->local_row);
png_bytep outrow = first_row + y * step_row;
png_bytep outrow = first_row + y * row_step;
png_const_bytep end_row = outrow + width;
/* Read read the libpng data into the temporary buffer. */
@ -3109,20 +3111,20 @@ png_image_read_colormapped(png_voidp argument)
*/
{
png_voidp first_row = display->buffer;
ptrdiff_t row_bytes = display->row_stride;
ptrdiff_t row_step = display->row_stride;
/* The following expression is designed to work correctly whether it gives
* a signed or an unsigned result.
/* The following adjustment is to ensure that calculations are correct,
* regardless whether row_step is positive or negative.
*/
if (row_bytes < 0)
if (row_step < 0)
{
char *ptr = png_voidcast(char*, first_row);
ptr += (image->height-1) * (-row_bytes);
ptr += (image->height-1) * (-row_step);
first_row = png_voidcast(png_voidp, ptr);
}
display->first_row = first_row;
display->row_bytes = row_bytes;
display->row_step = row_step;
}
if (passes == 0)
@ -3140,17 +3142,17 @@ png_image_read_colormapped(png_voidp argument)
else
{
png_alloc_size_t row_bytes = (png_alloc_size_t)display->row_bytes;
ptrdiff_t row_step = display->row_step;
while (--passes >= 0)
{
png_uint_32 y = image->height;
png_bytep row = png_voidcast(png_bytep, display->first_row);
png_uint_32 y = image->height;
png_bytep row = png_voidcast(png_bytep, display->first_row);
for (; y > 0; --y)
{
png_read_row(png_ptr, row, NULL);
row += row_bytes;
row += row_step;
}
}
@ -3166,9 +3168,11 @@ png_image_read_direct_scaled(png_voidp argument)
argument);
png_imagep image = display->image;
png_structrp png_ptr = image->opaque->png_ptr;
png_inforp info_ptr = image->opaque->info_ptr;
png_bytep local_row = png_voidcast(png_bytep, display->local_row);
png_bytep first_row = png_voidcast(png_bytep, display->first_row);
ptrdiff_t row_bytes = display->row_bytes;
ptrdiff_t row_step = display->row_step;
size_t row_bytes = png_get_rowbytes(png_ptr, info_ptr);
int passes;
/* Handle interlacing. */
@ -3197,9 +3201,14 @@ png_image_read_direct_scaled(png_voidp argument)
/* Read into local_row (gets transformed 8-bit data). */
png_read_row(png_ptr, local_row, NULL);
/* Copy from local_row to user buffer. */
memcpy(output_row, local_row, (size_t)row_bytes);
output_row += row_bytes;
/* Copy from local_row to user buffer.
* Use row_bytes (i.e. the actual size in bytes of the row data) for
* copying into output_row. Use row_step for advancing output_row,
* to respect the caller's stride for padding or negative (bottom-up)
* layouts.
*/
memcpy(output_row, local_row, row_bytes);
output_row += row_step;
}
}
@ -3231,17 +3240,18 @@ png_image_read_composite(png_voidp argument)
}
{
png_uint_32 height = image->height;
png_uint_32 width = image->width;
ptrdiff_t step_row = display->row_bytes;
png_uint_32 height = image->height;
png_uint_32 width = image->width;
ptrdiff_t row_step = display->row_step;
unsigned int channels =
(image->format & PNG_FORMAT_FLAG_COLOR) != 0 ? 3 : 1;
int optimize_alpha = (png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0;
int pass;
for (pass = 0; pass < passes; ++pass)
{
unsigned int startx, stepx, stepy;
png_uint_32 y;
unsigned int startx, stepx, stepy;
png_uint_32 y;
if (png_ptr->interlaced == PNG_INTERLACE_ADAM7)
{
@ -3273,7 +3283,7 @@ png_image_read_composite(png_voidp argument)
png_read_row(png_ptr, inrow, NULL);
outrow = png_voidcast(png_bytep, display->first_row);
outrow += y * step_row;
outrow += y * row_step;
end_row = outrow + width * channels;
/* Now do the composition on each pixel in this row. */
@ -3292,20 +3302,44 @@ png_image_read_composite(png_voidp argument)
if (alpha < 255) /* else just use component */
{
/* This is PNG_OPTIMIZED_ALPHA, the component value
* is a linear 8-bit value. Combine this with the
* current outrow[c] value which is sRGB encoded.
* Arithmetic here is 16-bits to preserve the output
* values correctly.
*/
component *= 257*255; /* =65535 */
component += (255-alpha)*png_sRGB_table[outrow[c]];
if (optimize_alpha != 0)
{
/* This is PNG_OPTIMIZED_ALPHA, the component value
* is a linear 8-bit value. Combine this with the
* current outrow[c] value which is sRGB encoded.
* Arithmetic here is 16-bits to preserve the output
* values correctly.
*/
component *= 257*255; /* =65535 */
component += (255-alpha)*png_sRGB_table[outrow[c]];
/* So 'component' is scaled by 255*65535 and is
* therefore appropriate for the sRGB to linear
* conversion table.
*/
component = PNG_sRGB_FROM_LINEAR(component);
/* Clamp to the valid range to defend against
* unforeseen cases where the data might be sRGB
* instead of linear premultiplied.
* (Belt-and-suspenders for CVE-2025-66293.)
*/
if (component > 255*65535)
component = 255*65535;
/* So 'component' is scaled by 255*65535 and is
* therefore appropriate for the sRGB-to-linear
* conversion table.
*/
component = PNG_sRGB_FROM_LINEAR(component);
}
else
{
/* Compositing was already done on the palette
* entries. The data is sRGB premultiplied on black.
* Composite with the background in sRGB space.
* This is not gamma-correct, but matches what was
* done to the palette.
*/
png_uint_32 background = outrow[c];
component += ((255-alpha) * background + 127) / 255;
if (component > 255)
component = 255;
}
}
outrow[c] = (png_byte)component;
@ -3394,12 +3428,12 @@ png_image_read_background(png_voidp argument)
*/
{
png_bytep first_row = png_voidcast(png_bytep, display->first_row);
ptrdiff_t step_row = display->row_bytes;
ptrdiff_t row_step = display->row_step;
for (pass = 0; pass < passes; ++pass)
{
unsigned int startx, stepx, stepy;
png_uint_32 y;
unsigned int startx, stepx, stepy;
png_uint_32 y;
if (png_ptr->interlaced == PNG_INTERLACE_ADAM7)
{
@ -3426,7 +3460,7 @@ png_image_read_background(png_voidp argument)
{
png_bytep inrow = png_voidcast(png_bytep,
display->local_row);
png_bytep outrow = first_row + y * step_row;
png_bytep outrow = first_row + y * row_step;
png_const_bytep end_row = outrow + width;
/* Read the row, which is packed: */
@ -3471,7 +3505,7 @@ png_image_read_background(png_voidp argument)
{
png_bytep inrow = png_voidcast(png_bytep,
display->local_row);
png_bytep outrow = first_row + y * step_row;
png_bytep outrow = first_row + y * row_step;
png_const_bytep end_row = outrow + width;
/* Read the row, which is packed: */
@ -3517,9 +3551,9 @@ png_image_read_background(png_voidp argument)
png_uint_16p first_row = png_voidcast(png_uint_16p,
display->first_row);
/* The division by two is safe because the caller passed in a
* stride which was multiplied by 2 (below) to get row_bytes.
* stride which was multiplied by 2 (below) to get row_step.
*/
ptrdiff_t step_row = display->row_bytes / 2;
ptrdiff_t row_step = display->row_step / 2;
unsigned int preserve_alpha = (image->format &
PNG_FORMAT_FLAG_ALPHA) != 0;
unsigned int outchannels = 1U+preserve_alpha;
@ -3533,8 +3567,8 @@ png_image_read_background(png_voidp argument)
for (pass = 0; pass < passes; ++pass)
{
unsigned int startx, stepx, stepy;
png_uint_32 y;
unsigned int startx, stepx, stepy;
png_uint_32 y;
/* The 'x' start and step are adjusted to output components here.
*/
@ -3561,7 +3595,7 @@ png_image_read_background(png_voidp argument)
for (; y<height; y += stepy)
{
png_const_uint_16p inrow;
png_uint_16p outrow = first_row + y*step_row;
png_uint_16p outrow = first_row + y * row_step;
png_uint_16p end_row = outrow + width * outchannels;
/* Read the row, which is packed: */
@ -3998,23 +4032,23 @@ png_image_read_direct(png_voidp argument)
*/
{
png_voidp first_row = display->buffer;
ptrdiff_t row_bytes = display->row_stride;
ptrdiff_t row_step = display->row_stride;
if (linear != 0)
row_bytes *= 2;
row_step *= 2;
/* The following expression is designed to work correctly whether it gives
* a signed or an unsigned result.
/* The following adjustment is to ensure that calculations are correct,
* regardless whether row_step is positive or negative.
*/
if (row_bytes < 0)
if (row_step < 0)
{
char *ptr = png_voidcast(char*, first_row);
ptr += (image->height-1) * (-row_bytes);
ptr += (image->height - 1) * (-row_step);
first_row = png_voidcast(png_voidp, ptr);
}
display->first_row = first_row;
display->row_bytes = row_bytes;
display->row_step = row_step;
}
if (do_local_compose != 0)
@ -4063,17 +4097,17 @@ png_image_read_direct(png_voidp argument)
else
{
png_alloc_size_t row_bytes = (png_alloc_size_t)display->row_bytes;
ptrdiff_t row_step = display->row_step;
while (--passes >= 0)
{
png_uint_32 y = image->height;
png_bytep row = png_voidcast(png_bytep, display->first_row);
png_uint_32 y = image->height;
png_bytep row = png_voidcast(png_bytep, display->first_row);
for (; y > 0; --y)
{
png_read_row(png_ptr, row, NULL);
row += row_bytes;
row += row_step;
}
}

5
src/java.desktop/share/native/libsplashscreen/libpng/pngrtran.c
View File

@ -1149,8 +1149,8 @@ png_set_rgb_to_gray(png_structrp png_ptr, int error_action, double red,
#if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) || \
defined(PNG_WRITE_USER_TRANSFORM_SUPPORTED)
void PNGAPI
png_set_read_user_transform_fn(png_structrp png_ptr, png_user_transform_ptr
read_user_transform_fn)
png_set_read_user_transform_fn(png_structrp png_ptr,
png_user_transform_ptr read_user_transform_fn)
{
png_debug(1, "in png_set_read_user_transform_fn");
@ -1872,6 +1872,7 @@ png_init_read_transformations(png_structrp png_ptr)
* transformations elsewhere.
*/
png_ptr->transformations &= ~(PNG_COMPOSE | PNG_GAMMA);
png_ptr->flags &= ~PNG_FLAG_OPTIMIZE_ALPHA;
} /* color_type == PNG_COLOR_TYPE_PALETTE */
/* if (png_ptr->background_gamma_type!=PNG_BACKGROUND_GAMMA_UNKNOWN) */

6
src/java.desktop/share/native/libsplashscreen/libpng/pngrutil.c
View File

@ -2415,7 +2415,7 @@ png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
static png_handle_result_code /* PRIVATE */
png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
{
png_text text_info;
png_text text_info;
png_bytep buffer;
png_charp key;
png_charp text;
@ -2488,8 +2488,8 @@ static png_handle_result_code /* PRIVATE */
png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
{
png_const_charp errmsg = NULL;
png_bytep buffer;
png_uint_32 keyword_length;
png_bytep buffer;
png_uint_32 keyword_length;
png_debug(1, "in png_handle_zTXt");

4
src/java.desktop/share/native/libsplashscreen/libpng/pngtrans.c
View File

@ -831,8 +831,8 @@ png_do_check_palette_indexes(png_structrp png_ptr, png_row_infop row_info)
defined(PNG_WRITE_USER_TRANSFORM_SUPPORTED)
#ifdef PNG_USER_TRANSFORM_PTR_SUPPORTED
void PNGAPI
png_set_user_transform_info(png_structrp png_ptr, png_voidp
user_transform_ptr, int user_transform_depth, int user_transform_channels)
png_set_user_transform_info(png_structrp png_ptr, png_voidp user_transform_ptr,
int user_transform_depth, int user_transform_channels)
{
png_debug(1, "in png_set_user_transform_info");