Update libpng to newer version in order to fix some vulnerabilities.

I decided to just make a bug-fix update and keep the 1.5.x series because newer versions may also need the zlib update.
supertuxkart · Jun 5, 2017 · 9ebdb5f · 9ebdb5f
1 parent 37a2752
commit 9ebdb5f
Show file tree

Hide file tree

Showing 166 changed files with 57,106 additions and 7,323 deletions.
diff --git a/lib/libpng/ANNOUNCE b/lib/libpng/ANNOUNCE
@@ -1,5 +1,5 @@
 
-Libpng 1.5.9 - February 18, 2012
+Libpng 1.5.28 - December 29, 2016
 
 This is a public release of libpng, intended for use in production codes.
 
@@ -8,30 +8,49 @@ Files available for download:
 Source files with LF line endings (for Unix/Linux) and with a
 "configure" script
 
-   libpng-1.5.9.tar.xz (LZMA-compressed, recommended)
-   libpng-1.5.9.tar.gz
-   libpng-1.5.9.tar.bz2
+   libpng-1.5.28.tar.xz (LZMA-compressed, recommended)
+   libpng-1.5.28.tar.gz
 
 Source files with CRLF line endings (for Windows), without the
 "configure" script
 
-   lpng159.7z  (LZMA-compressed, recommended)
-   lpng159.zip
+   lpng1528.7z  (LZMA-compressed, recommended)
+   lpng1528.zip
 
 Other information:
 
-   libpng-1.5.9-README.txt
-   libpng-1.5.9-LICENSE.txt
-
-Changes since the last public release (1.5.8):
-
-  Rebuilt configure scripts in the tar distributions.
-  Removed two unused definitions from scripts/pnglibconf.h.prebuilt
-  Removed some unused arrays (with #ifdef) from png_read_push_finish_row().
-  Removed tests for no-longer-used *_EMPTY_PLTE_SUPPORTED from pngstruct.h
-  Fixed CVE-2011-3026 buffer overrun bug.  Deal more correctly with the test
-    on iCCP chunk length. Also removed spurious casts that may hide problems
-    on 16-bit systems.
+   libpng-1.5.28-README.txt
+   libpng-1.5.28-LICENSE.txt
+   libpng-1.5.28-*.asc (armored detached GPG signatures)
+
+Changes since the last public release (1.5.27):
+
+  Merged with current libpng16 gregbook, pngvalid.c, pngtest.c, pngminim,
+    pngminus
+  Added "Common linking failures" section to INSTALL.
+  Fixed undefined behavior in png_push_save_buffer(). Do not call
+    memcpy() with a null source, even if count is zero (Leon Scroggins III).
+  Merge contrib/pngminim/*/makefile with libpng-1.6.24
+  Minor editing of INSTALL, (whitespace, added copyright line)
+  Removed the use of a macro containing the pre-processor 'defined'
+    operator.  It is unclear whether this is valid; a macro that
+    "generates" 'defined' is not permitted, but the use of the word
+    "generates" within the C90 standard seems to imply more than simple
+    substitution of an expression itself containing a well-formed defined
+    operation.
+  Previously the pngtrans.c code always resulted in an unsigned arithmetic
+    overflow. This is well defined but produces errors from clang with the
+    option to detect unsigned overflow. As the expression only gets
+    evaluated once per row in this version of libpng it is easier just
+    to rewrite it.
+  The previous version of png.c produced a signed overflow as a result of
+    both the "& 0xffff" on the most significant bits of a negative argument;
+    this converted (-1) into 65535 which resulted in a subsequent overflow.
+    Since signed overflow is undefined in C90 the code has been modified to
+    correctly calculate a signed result.  This requires changing the 'hi'
+    result parameter to a signed value.
+  Fixed a potential null pointer dereference in png_set_text_2() (bug report
+    and patch by Patrick Keshishian).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit