am 791d8f2: Upgrading libpng to 1.2.46 to fix a few vulnerabilities. …

…DO NOT MERGE

* commit '791d8f2ed98581c67bf9c1ad56d3140719c1882a':
  Upgrading libpng to 1.2.46 to fix a few vulnerabilities. DO NOT MERGE

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.2.44 - June 26, 2010
+Libpng 1.2.46 - July 9, 2011
 
 This is a public release of libpng, intended for use in production codes.
 
@@ -8,48 +8,56 @@ Files available for download:
 Source files with LF line endings (for Unix/Linux) and with a
 "configure" script
 
-   libpng-1.2.44.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.44.tar.gz
-   libpng-1.2.44.tar.bz2
+   libpng-1.2.46.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.46.tar.gz
+   libpng-1.2.46.tar.bz2
 
 Source files with LF line endings (for Unix/Linux) without the
 "configure" script
 
-   libpng-1.2.44-no-config.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.44-no-config.tar.gz
-   libpng-1.2.44-no-config.tar.bz2
+   libpng-1.2.46-no-config.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.46-no-config.tar.gz
+   libpng-1.2.46-no-config.tar.bz2
 
 Source files with CRLF line endings (for Windows), without the
 "configure" script
 
-   lpng1244.zip
-   lpng1244.7z
-   lpng1244.tar.bz2
+   lpng1246.zip
+   lpng1246.7z
+   lpng1246.tar.bz2
 
 Project files
 
-   libpng-1.2.44-project-netware.zip
-   libpng-1.2.44-project-wince.zip
+   libpng-1.2.46-project-netware.zip
+   libpng-1.2.46-project-wince.zip
 
 Other information:
 
-   libpng-1.2.44-README.txt
-   libpng-1.2.44-KNOWNBUGS.txt
-   libpng-1.2.44-LICENSE.txt
-   libpng-1.2.44-Y2K-compliance.txt
-   libpng-1.2.44-[previous version]-diff.txt
+   libpng-1.2.46-README.txt
+   libpng-1.2.46-KNOWNBUGS.txt
+   libpng-1.2.46-LICENSE.txt
+   libpng-1.2.46-Y2K-compliance.txt
+   libpng-1.2.46-[previous version]-diff.txt
 
 Changes since the last public release (1.2.43):
 
-version 1.2.44 [June 26, 2010]
-
-  Rewrote png_process_IDAT_data to consistently treat extra data as warnings
-    and handle end conditions more cleanly.
-  Removed the now-redundant check for out-of-bounds new_row from example.c
-
+version 1.2.45 [July 9, 2011]
+
+  Fixed uninitialized memory read in png_format_buffer() (Bug
+    report by Frank Busse, related to CVE-2004-0421).
+  Pass "" instead of '\0' to png_default_error() in png_err().  This mistake
+    was introduced in libpng-1.2.20beta01.
+  Check for up->location !PNG_AFTER_IDAT when writing unknown chunks
+    before IDAT.
+  Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image,
+    always expand to RGBA if transparency is present.
+  Check for integer overflow in png_set_rgb_to_gray().
+  Check for sCAL chunk too short.
+  Added CMakeLists.txt, projects/xcode, and pnggccrd.c to EXTRA_DIST in
+    Makefile.am and Makefile.in
+  Udated copyright year to 2011.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
-
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
 to subscribe) or to glennrp at users.sourceforge.net

CHANGES

@@ -1478,7 +1478,7 @@ version 1.2.9beta5 [March 4, 2006]
   Removed trailing blanks from source files.
   Put version and date of latest change in each source file, and changed
     copyright year accordingly.
-  More cleanup of configure.ac, Makefile.ac, and associated scripts.
+  More cleanup of configure.ac, Makefile.am, and associated scripts.
   Restored scripts/makefile.elf which was inadvertently deleted.
 
 version 1.2.9beta6 [March 6, 2006]
@@ -2704,6 +2704,38 @@ version 1.2.44rc03 [June 23, 2010]
 version 1.2.44 [June 26, 2010]
   Updated some of the "last changed" dates.
 
+version 1.2.45beta01 [June 7, 2011]
+  Fixed uninitialized memory read in png_format_buffer() (Bug
+    report by Frank Busse, related to CVE-2004-0421).
+  Pass "" instead of '\0' to png_default_error() in png_err().  This mistake
+    was introduced in libpng-1.2.20beta01.
+  Check for up->location !PNG_AFTER_IDAT when writing unknown chunks
+    before IDAT.
+  Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image,
+    always expand to RGBA if transparency is present.
+
+version 1.2.45beta02 [June 8, 2011]
+  Check for integer overflow in png_set_rgb_to_gray().
+
+version 1.2.45beta03 [June 19, 2011]
+  Check for sCAL chunk too short.
+
+version 1.2.45rc01 and 1.0.55rc01 [June 30, 2011]
+  Updated "last changed" dates and copyright year.
+
+version 1.2.45 and 1.0.55 [July 7, 2011]
+  No changes.
+
+version 1.2.46rc01 and 1.0.56rc01 [July 8, 2011]
+  Reverted changes to Makefile.am and Makefile.in to libpng-1.2.44 versions.
+
+version 1.2.46rc02 and 1.0.56rc02 [July 8, 2011]
+  Added CMakeLists.txt, projects/xcode, and pnggccrd.c to EXTRA_DIST in
+    Makefile.am and Makefile.in
+
+version 1.2.46 and 1.0.56 [July 9, 2011]
+  Udated copyright year to 2011.
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement

CMakeLists.txt

@@ -22,7 +22,7 @@ enable_testing()
 
 set(PNGLIB_MAJOR 1)
 set(PNGLIB_MINOR 2)
-set(PNGLIB_RELEASE 44)
+set(PNGLIB_RELEASE 46)
 set(PNGLIB_NAME libpng${PNGLIB_MAJOR}${PNGLIB_MINOR})
 set(PNGLIB_VERSION ${PNGLIB_MAJOR}.${PNGLIB_MINOR}.${PNGLIB_RELEASE})
 
@@ -215,7 +215,7 @@ configure_file(${CMAKE_CURRENT_SOURCE_DIR}/scripts/libpng-config.in
 # SET UP LINKS
 if(PNG_SHARED)
   set_target_properties(${PNG_LIB_NAME} PROPERTIES
-#   VERSION 0.${PNGLIB_RELEASE}.1.2.44
+#   VERSION 0.${PNGLIB_RELEASE}.1.2.46
     VERSION 0.${PNGLIB_RELEASE}.0
     SOVERSION 0
     CLEAN_DIRECT_OUTPUT 1)

INSTALL

@@ -1,5 +1,5 @@
 
-Installing libpng version 1.2.44 - June 26, 2010
+Installing libpng version 1.2.46 - July 9, 2011
 
 On Unix/Linux and similar systems, you can simply type
 
@@ -46,7 +46,7 @@ to have access to the zlib.h and zconf.h include files that
 correspond to the version of zlib that's installed.
 
 You can rename the directories that you downloaded (they
-might be called "libpng-1.2.44" or "libpng12" and "zlib-1.2.3"
+might be called "libpng-1.2.46" or "libpng12" and "zlib-1.2.3"
 or "zlib123") so that you have directories called "zlib" and "libpng".
 
 Your directory structure should look like this:

KNOWNBUG

@@ -1,24 +1,17 @@
 
-Known bugs in libpng version 1.2.44
+Known bugs in libpng version 1.2.46
 
-1. December 4, 2009: The PNG_NO_ERROR_NUMBERS macro was inadvertently
-   defined in libpng-1.2.41/pngconf.h, which may cause a problem with
-   building a binary-compatible library.
-
-   STATUS: This will be fixed in libpng-1.2.42.  In the meantime, simply
-   delete the definition from line :
-
-2. February 23, 2006: The custom makefiles don't build libpng with -lz.
+1. February 23, 2006: The custom makefiles don't build libpng with -lz.
 
    STATUS: This is a subject of debate. The change will probably be made
    as a part of a major overhaul of the makefiles in libpng version 1.4.0.
 
-3. February 24, 2006: The Makefile generated by the "configure" script
+2. February 24, 2006: The Makefile generated by the "configure" script
    fails to install symbolic links
    libpng12.so => libpng12.so.0.1.2.9betaN
    that are generated by the custom makefiles.
 
-4. September 4, 2007:  There is a report that pngtest crashes on MacOS 10.
+3. September 4, 2007:  There is a report that pngtest crashes on MacOS 10.
 
    STATUS: workarounds are
       1) Compile without optimization (crashes are observed with

LICENSE

@@ -10,7 +10,7 @@ this sentence.
 
 This code is released under the libpng license.
 
-libpng versions 1.2.6, August 15, 2004, through 1.2.44, June 26, 2010, are
+libpng versions 1.2.6, August 15, 2004, through 1.2.46, July 9, 2011, are
 Copyright (c) 2004, 2006-2009 Glenn Randers-Pehrson, and are
 distributed according to the same disclaimer and license as libpng-1.2.5
 with the following individual added to the list of Contributing Authors
@@ -108,4 +108,4 @@ certification mark of the Open Source Initiative.
 
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-June 26, 2010
+July 9, 2011

Makefile.am

@@ -74,19 +74,22 @@ pkgconfig_DATA = libpng12.pc
 EXTRA_DIST= \
 	ANNOUNCE CHANGES INSTALL KNOWNBUG LICENSE README TODO Y2KINFO \
 	pngtest.png pngbar.png pngnow.png pngbar.jpg autogen.sh \
+        CMakeLists.txt \
 	${srcdir}/projects/cbuilder5/* \
 	${srcdir}/projects/beos/* \
 	${srcdir}/projects/visualc6/* \
 	${srcdir}/projects/visualc71/* \
 	${srcdir}/projects/wince.txt \
 	${srcdir}/projects/netware.txt \
+	${srcdir}/projects/xcode/* \
 	${srcdir}/scripts/* \
 	${srcdir}/contrib/gregbook/* \
+	${srcdir}/contrib/pngminim/* \
 	${srcdir}/contrib/pngminus/* \
 	${srcdir}/contrib/pngsuite/* \
 	${srcdir}/contrib/visupng/* \
 	$(TESTS) \
-	example.c libpng-1.2.44.txt pngvcrd.c
+	example.c libpng-1.2.46.txt pnggccrd.c pngvcrd.c
 
 CLEANFILES= pngout.png libpng12.pc libpng12-config libpng.vers \
 libpng.sym

Makefile.in

@@ -338,20 +338,23 @@ pkgconfig_DATA = libpng12.pc
 #extra source distribution files.
 EXTRA_DIST = \
 	ANNOUNCE CHANGES INSTALL KNOWNBUG LICENSE README TODO Y2KINFO \
+        CMakeLists.txt \
 	pngtest.png pngbar.png pngnow.png pngbar.jpg autogen.sh \
 	${srcdir}/projects/cbuilder5/* \
 	${srcdir}/projects/beos/* \
 	${srcdir}/projects/visualc6/* \
 	${srcdir}/projects/visualc71/* \
 	${srcdir}/projects/wince.txt \
+	${srcdir}/projects/xcode/* \
 	${srcdir}/projects/netware.txt \
 	${srcdir}/scripts/* \
 	${srcdir}/contrib/gregbook/* \
+	${srcdir}/contrib/pngminim/* \
 	${srcdir}/contrib/pngminus/* \
 	${srcdir}/contrib/pngsuite/* \
 	${srcdir}/contrib/visupng/* \
 	$(TESTS) \
-	example.c libpng-1.2.44.txt pngvcrd.c
+	example.c libpng-1.2.46.txt pnggccrd.c pngvcrd.c
 
 CLEANFILES = pngout.png libpng12.pc libpng12-config libpng.vers \
 libpng.sym

NOTICE

@@ -8,8 +8,10 @@ COPYRIGHT NOTICE, DISCLAIMER, and LICENSE:
 If you modify libpng you may insert additional notices immediately following
 this sentence.
 
-libpng versions 1.2.6, August 15, 2004, through 1.2.29, May 8, 2008, are
-Copyright (c) 2004, 2006-2008 Glenn Randers-Pehrson, and are
+This code is released under the libpng license.
+
+libpng versions 1.2.6, August 15, 2004, through 1.2.46, July 9, 2011, are
+Copyright (c) 2004, 2006-2009 Glenn Randers-Pehrson, and are
 distributed according to the same disclaimer and license as libpng-1.2.5
 with the following individual added to the list of Contributing Authors
 
@@ -106,4 +108,4 @@ certification mark of the Open Source Initiative.
 
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-May 8, 2008
+July 9, 2011

README

@@ -1,4 +1,4 @@
-README for libpng version 1.2.44 - June 26, 2010 (shared library 12.0)
+README for libpng version 1.2.46 - July 9, 2011 (shared library 12.0)
 See the note about version numbers near the top of png.h
 
 See INSTALL for instructions on how to install libpng.
@@ -199,11 +199,11 @@ Files in this distribution:
        makefile.std     =>  Generic UNIX makefile (cc, creates static
                             libpng.a)
        makefile.elf     =>  Linux/ELF gcc makefile symbol versioning,
-                            creates libpng12.so.0.1.2.44)
+                            creates libpng12.so.0.1.2.46)
        makefile.linux   =>  Linux/ELF makefile (gcc, creates
-                            libpng12.so.0.1.2.44)
+                            libpng12.so.0.1.2.46)
        makefile.gcmmx   =>  Linux/ELF makefile (gcc, creates
-                            libpng12.so.0.1.2.44, previously
+                            libpng12.so.0.1.2.46, previously
                             used assembler code tuned for Intel MMX
                             platform)
        makefile.gcc     =>  Generic makefile (gcc, creates static
@@ -228,12 +228,12 @@ Files in this distribution:
        makefile.openbsd =>  OpenBSD makefile
        makefile.sgi     =>  Silicon Graphics IRIX (cc, creates static lib)
        makefile.sggcc   =>  Silicon Graphics
-                            (gcc, creates libpng12.so.0.1.2.44)
+                            (gcc, creates libpng12.so.0.1.2.46)
        makefile.sunos   =>  Sun makefile
        makefile.solaris =>  Solaris 2.X makefile
-                            (gcc, creates libpng12.so.0.1.2.44)
+                            (gcc, creates libpng12.so.0.1.2.46)
        makefile.so9     =>  Solaris 9 makefile
-                            (gcc, creates libpng12.so.0.1.2.44)
+                            (gcc, creates libpng12.so.0.1.2.46)
        makefile.32sunu  =>  Sun Ultra 32-bit makefile
        makefile.64sunu  =>  Sun Ultra 64-bit makefile
        makefile.sco     =>  For SCO OSr5  ELF and Unixware 7 with Native cc

Y2KINFO

@@ -1,13 +1,13 @@
    Y2K compliance in libpng:
    =========================
 
-      June 26, 2010
+      July 9, 2011
 
       Since the PNG Development group is an ad-hoc body, we can't make
       an official declaration.
 
       This is your unofficial assurance that libpng from version 0.71 and
-      upward through 1.2.44 are Y2K compliant.  It is my belief that earlier
+      upward through 1.2.46 are Y2K compliant.  It is my belief that earlier
       versions were also Y2K compliant.
 
       Libpng only has three year fields.  One is a 2-byte unsigned integer