libpng/ANNOUNCE
Glenn Randers-Pehrson 26849f4693 [libpng16] Consistently use png_memset(), png_memcpy(), and png_memcmp(),
except in pngtest.c and example.c where these macros are not visible.
2012-08-10 16:01:45 -05:00

444 lines
24 KiB
Plaintext

Libpng 1.6.0beta27 - August 10, 2012
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
Files available for download:
Source files with LF line endings (for Unix/Linux) and with a
"configure" script
1.6.0beta27.tar.xz (LZMA-compressed, recommended)
1.6.0beta27.tar.gz
1.6.0beta27.tar.bz2
Source files with CRLF line endings (for Windows), without the
"configure" script
lp160b27.7z (LZMA-compressed, recommended)
lp160b27.zip
Other information:
1.6.0beta27-README.txt
1.6.0beta27-LICENSE.txt
Changes since the last public release (1.5.7):
Version 1.6.0beta01 [December 15, 2011]
Removed machine-generated configure files from the GIT repository (they will
continue to appear in the tarball distributions).
Restored the new 'simplified' API, which was started in libpng-1.5.7beta02
but later deleted from libpng-1.5.7beta05.
Added example programs for the new 'simplified' API.
Added ANSI-C (C90) headers and require them, and take advantage of the
change. Also fixed some of the projects/* and contrib/* files that needed
updates for libpng16 and the move of pngvalid.c.
With this change the required ANSI-C header files are assumed to exist: the
implementation must provide float.h, limits.h, stdarg.h and stddef.h and
libpng relies on limits.h and stddef.h existing and behaving as defined
(the other two required headers aren't used). Non-ANSI systems that don't
have stddef.h or limits.h will have to provide an appropriate fake
containing the relevant types and #defines.
The use of FAR/far has been eliminated and the definition of png_alloc_size_t
is now controlled by a flag so that 'small size_t' systems can select it
if necessary. Libpng 1.6 may not currently work on such systems -- it
seems likely that it will ask 'malloc' for more than 65535 bytes with any
image that has a sufficiently large row size (rather than simply failing
to read such images).
New tools directory containing tools used to generate libpng code.
Fixed race conditions in parallel make builds. With higher degrees of
parallelism during 'make' the use of the same temporary file names such
as 'dfn*' can result in a race where a temporary file from one arm of the
build is deleted or overwritten in another arm. This changes the
temporary files for suffix rules to always use $* and ensures that the
non-suffix rules use unique file names.
Version 1.6.0beta02 [December 21, 2011]
Correct configure builds where build and source directories are separate.
The include path of 'config.h' was erroneously made relative in pngvalid.c
in libpng 1.5.7.
Version 1.6.0beta03 [December 22, 2011]
Start-up code size improvements, error handler flexibility. These changes
alter how the tricky allocation of the initial png_struct and png_info
structures are handled. png_info is now handled in pretty much the same
way as everything else, except that the allocations handle NULL return
silently. png_struct is changed in a similar way on allocation and on
deallocation a 'safety' error handler is put in place (which should never
be required). The error handler itself is changed to permit mismatches
in the application and libpng error buffer size; however, this means a
silent change to the API to return the jmp_buf if the size doesn't match
the size from the libpng compilation; libpng now allocates the memory and
this may fail. Overall these changes result in slight code size
reductions; however, this is a reduction in code that is always executed
so is particularly valuable. Overall on a 64-bit system the libpng DLL
decreases in code size by 1733 bytes. pngerror.o increases in size by
about 465 bytes because of the new functionality.
Added png_convert_to_rfc1123_buffer() and deprecated png_convert_to_rfc1123()
to avoid including a spurious buffer in the png_struct.
Version 1.6.0beta04 [December 30, 2011]
Regenerated configure scripts with automake-1.11.2
Eliminated png_info_destroy(). It is now used only in png.c and only calls
one other internal function and memset().
Enabled png_get_sCAL_fixed() if floating point APIs are enabled. Previously
it was disabled whenever internal fixed point arithmetic was selected,
which meant it didn't exist even on systems where FP was available but not
preferred.
Added pngvalid.c compile time checks for const APIs.
Implemented 'restrict' for png_info and png_struct. Because of the way
libpng works both png_info and png_struct are always accessed via a
single pointer. This means adding C99 'restrict' to the pointer gives
the compiler some opportunity to optimize the code. This change allows
that.
Moved AC_MSG_CHECKING([if libraries can be versioned]) later to the proper
location in configure.ac (Gilles Espinasse).
Changed png_memcpy to C assignment where appropriate. Changed all those
uses of png_memcpy that were doing a simple assignment to assignments
(all those cases where the thing being copied is a non-array C L-value).
Added some error checking to png_set_*() routines.
Removed the reference to the non-exported function png_memcpy() from
example.c.
Fixed the Visual C 64-bit build - it requires jmp_buf to be aligned, but
it had become misaligned.
Revised contrib/pngminus/pnm2png.c to avoid warnings when png_uint_32
and unsigned long are of different sizes.
Version 1.6.0beta05 [January 15, 2012]
Updated manual with description of the simplified API (copied from png.h)
Fix bug in pngerror.c: some long warnings were being improperly truncated
(CVE-2011-3464, bug introduced in libpng-1.5.3beta05).
Version 1.6.0beta06 [January 24, 2012]
Added palette support to the simplified APIs. This commit
changes some of the macro definitions in png.h, app code
may need corresponding changes.
Increased the formatted warning buffer to 192 bytes.
Added color-map support to simplified API. This is an initial version for
review; the documentation has not yet been updated.
Fixed Min/GW uninstall to remove libpng.dll.a
Version 1.6.0beta07 [January 28, 2012]
Eliminated Intel icc/icl compiler warnings. The Intel (GCC derived)
compiler issues slightly different warnings from those issued by the
current vesions of GCC. This eliminates those warnings by
adding/removing casts and small code rewrites.
Updated configure.ac from autoupdate: added --enable-werror option.
Also some layout regularization and removal of introduced tab characters
(replaced with 3-character indentation). Obsolete macros identified by
autoupdate have been removed; the replacements are all in 2.59 so
the pre-req hasn't been changed. --enable-werror checks for support
for -Werror (or the given argument) in the compiler. This mimics the
gcc configure option by allowing -Werror to be turned on safely; without
the option the tests written in configure itself fail compilation because
they cause compiler warnings.
Rewrote autogen.sh to run autoreconf instead of running tools one-by-one.
Conditionalize the install rules for MINGW and CYGWIN in CMakeLists.txt and
set CMAKE_LIBRARY_OUTPUT_DIRECTORY to "lib" on all platforms (C. Yapp).
Freeze libtool files in the 'scripts' directory. This version of autogen.sh
attempts to dissuade people from running it when it is not, or should not,
be necessary. In fact, autogen.sh does not work when run in a libpng
directory extracted from atar distribution anymore. You must run it in
a GIT clone instead.
Added two images to contrib/pngsuite (1-bit and 2-bit transparent grayscale),
and renamed three whose names were inconsistent with those in
pngsuite/README.txt.
Version 1.6.0beta08 [February 1, 2012]
Fixed Image::colormap misalignment in pngstest.c
Check libtool/libtoolize version number (2.4.2) in configure.ac
Divide test-pngstest.sh into separate pngstest runs for basic and
transparent images.
Moved automake options to AM_INIT_AUTOMAKE in configure.ac
Added color-tests, silent-rules (Not yet implemented in Makefile.am) and
version checking to configure.ac
Improved pngstest speed by not doing redundant tests and add const to
the background parameter of png_image_finish_read. The --background
option is now done automagically only when required, so that commandline
option no longer exists.
Cleaned up pngpriv.h to consistently declare all functions and data.
Also eliminated PNG_CONST_DATA, which is apparently not needed but we
can't be sure until it is gone.
Added symbol prefixing that allows all the libpng external symbols
to be prefixed (suggested by Reuben Hawkins).
Updated "ftbb*.png" list in the owatcom and vstudio projects.
Fixed 'prefix' builds on clean systems. The generation of pngprefix.h
should not require itself.
Updated INSTALL to explain that autogen.sh must be run in a GIT clone,
not in a libpng directory extracted from a tar distribution.
Version 1.6.0beta09 [February 1, 2012]
Reverted the prebuilt configure files to libpng-1.6.0beta05 condition.
Version 1.6.0beta10 [February 3, 2012]
Added Z_SOLO for zlib-1.2.6+ and correct pngstest tests
Updated list of test images in CMakeLists.txt
Updated the prebuilt configure files to current condition.
Revised INSTALL information about autogen.sh; it works in tar distributions.
Version 1.6.0beta11 [February 16, 2012]
Fix character count in pngstest command in projects/owatcom/pngstest.tgt
Revised test-pngstest.sh to report PASS/FAIL for each image.
Updated documentation about the simplified API.
Corrected estimate of error in libpng png_set_rgb_to_gray API. The API is
extremely inaccurate for sRGB conversions because it uses an 8-bit
intermediate linear value and it does not use the sRGB transform, so it
suffers from the known instability in gamma transforms for values close
to 0 (see Poynton). The net result is that the calculation has a maximum
error of 14.99/255; 0.5/255^(1/2.2). pngstest now uses 15 for the
permitted 8-bit error. This may still not be enough because of arithmetic
error.
Removed some unused arrays (with #ifdef) from png_read_push_finish_row().
Fixed a memory overwrite bug in simplified read of RGB PNG with
non-linear gamma Also bugs in the error checking in pngread.c and changed
quite a lot of the checks in pngstest.c to be correct; either correctly
written or not over-optimistic. The pngstest changes are insufficient to
allow all possible RGB transforms to be passed; pngstest cmppixel needs
to be rewritten to make it clearer which errors it allows and then changed
to permit known inaccuracies.
Removed tests for no-longer-used *_EMPTY_PLTE_SUPPORTED from pngstruct.h
Fixed fixed/float API export conditionals. 1) If FIXED_POINT or
FLOATING_POINT options were switched off, png.h ended up with lone ';'
characters. This is not valid ANSI-C outside a function. The ';'
characters have been moved inside the definition of PNG_FP_EXPORT and
PNG_FIXED_EXPORT. 2) If either option was switched off, the declaration
of the corresponding functions were completely omitted, even though some
of them are still used internally. The result is still valid, but
produces warnings from gcc with some warning options (including -Wall). The
fix is to cause png.h to declare the functions with PNG_INTERNAL_FUNCTION
when png.h is included from pngpriv.h.
Check for invalid palette index while reading paletted PNG. When one is
found, issue a warning and increase png_ptr->num_palette accordingly.
Apps are responsible for checking to see if that happened.
Version 1.6.0beta12 [February 18, 2012]
Do not increase num_palette on invalid_index.
Relocated check for invalid palette index to pngrtran.c, after unpacking
the sub-8-bit pixels.
Fixed CVE-2011-3026 buffer overrun bug. Deal more correctly with the test
on iCCP chunk length. Also removed spurious casts that may hide problems
on 16-bit systems.
Version 1.6.0beta13 [February 24, 2012]
Eliminated redundant png_push_read_tEXt|zTXt|iTXt|unknown code from
pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c;
now that png_ptr->buffer is inaccessible to applications, the special
handling is no longer useful.
Added PNG_SAFE_LIMITS feature to pnglibconf.dfa, pngpriv.h, and new
pngusr.dfa to reset the user limits to safe ones if PNG_SAFE_LIMITS is
defined. To enable, use "CPPFLAGS=-DPNG_SAFE_LIMITS_SUPPORTED=1" on the
configure command or put #define PNG_SAFE_LIMITS_SUPPORTED in
pnglibconf.h.prebuilt and pnglibconf.h.
Version 1.6.0beta14 [February 27, 2012]
Added information about the new limits in the manual.
Updated Makefile.in
Version 1.6.0beta15 [March 2, 2012]
Removed unused "current_text" members of png_struct and the png_free()
of png_ptr->current_text from pngread.c
Rewrote pngstest.c for substantial speed improvement.
Fixed transparent pixel and 16-bit rgb tests in pngstest and removed a
spurious check in pngwrite.c
Added PNG_IMAGE_FLAG_FAST for the benefit of applications that store
intermediate files, or intermediate in-memory data, while processing
image data with the simplified API. The option makes the files larger
but faster to write and read. pngstest now uses this by default; this
can be disabled with the --slow option.
Improved pngstest fine tuning of error numbers, new test file generator.
The generator generates images that test the full range of sample values,
allow the error numbers in pngstest to be tuned and checked. makepng
also allows generation of images with extra chunks, although this is
still work-in-progress.
Added tests for invalid palette index while reading and writing (work in
progress, the latter isn't finished).
Fixed some bugs in ICC profile writing. The code should now accept
all potentially valid ICC profiles and reject obviously invalid ones.
It now uses png_error() to do so rather than casually writing a PNG
without the necessary color data.
Removed whitespace from the end of lines in all source files and scripts.
Version 1.6.0beta16 [March 6, 2012]
Relocated palette-index checking function from pngrutil.c to pngtrans.c
Added palette-index checking while writing.
Changed png_inflate() and calling routines to avoid overflow problems.
This is an intermediate check-in that solves the immediate problems and
introduces one performance improvement (avoiding a copy via png_ptr->zbuf.)
Further changes will be made to make ICC profile handling more secure.
Fixed build warnings (MSVC, GCC, GCC v3). Cygwin GCC with default options
declares 'index' as a global, causing a warning if it is used as a local
variable. GCC 64-bit warns about assigning a (size_t) (unsigned 64-bit)
to an (int) (signed 32-bit). MSVC, however, warns about using the
unary '-' operator on an unsigned value (even though it is well defined
by ANSI-C to be ~x+1). The padding calculation was changed to use a
different method. Removed the tests on png_ptr->pass.
Added contrib/libtests/tarith.c to test internal arithmetic functions from
png.c. This is a libpng maintainer program used to validate changes to the
internal arithmetic functions.
Made read 'inflate' handling like write 'deflate' handling. The read
code now claims and releases png_ptr->zstream, like the write code.
The bug whereby the progressive reader failed to release the zstream
is now fixed, all initialization is delayed, and the code checks for
changed parameters on deflate rather than always calling
deflatedEnd/deflateInit.
Validate the zTXt strings in pngvalid.
Added code to validate the windowBits value passed to deflateInit2().
If the call to deflateInit2() is wrong a png_warning will be issued
(in fact this is harmless, but the PNG data produced may be sub-optimal).
Version 1.6.0beta17 [March 10, 2012]
Fixed PNG_LIBPNG_BUILD_BASE_TYPE definition.
Reject all iCCP chunks after the first, even if the first one is invalid.
Deflate/inflate was reworked to move common zlib calls into single
functions [rw]util.c. A new shared keyword check routine was also added
and the 'zbuf' is no longer allocated on progressive read. It is now
possible to call png_inflate() incrementally.
If benign errors are disabled use maximum window on ancilliary inflate.
This works round a bug introduced in 1.5.4 where compressed ancillary
chunks could end up with a too-small windowBits value in the deflate
header.
Version 1.6.0beta18 [March 16, 2012]
Issue a png_benign_error() instead of png_warning() about bad palette index.
In pngtest, treat benign errors as errors if "-strict" is present.
Fixed an off-by-one error in the palette index checking function.
Fixed a compiler warning under Cygwin (Windows-7, 32-bit system)
Revised example.c to put text strings in a temporary character array
instead of directly assigning string constants to png_textp members.
This avoids compiler warnings when -Wwrite-strings is enabled.
Added output flushing to aid debugging under Visual Studio. Unfortunately
this is necessary because the VS2010 output window otherwise simply loses
the error messages on error (they weren't flushed to the window before
the process exited, apparently!)
Added configuration support for benign errors and changed the read
default. Also changed some warnings in the iCCP and sRGB handling
from to benign errors. Configuration now makes read benign
errors warnings and write benign errors to errors by default (thus
changing the behavior on read). The simplified API always forces
read benign errors to warnings (regardless of the system default, unless
this is disabled in which case the simplified API can't be built.)
Version 1.6.0beta19 [March 18,2012]
Work around for duplicate row start calls; added warning messages.
This turns on PNG_FLAG_DETECT_UNINITIALIZED to detect app code that
fails to call one of the 'start' routines (not enabled in libpng-1.5
because it is technically an API change, since it did normally work
before.) It also makes duplicate calls to png_read_start_row (an
internal function called at the start of the image read) benign, as
they were before changes to use png_inflate_claim. Somehow webkit is
causing this to happen; this is probably a mis-feature in the zlib
changes so this commit is only a work-round.
Removed erroneous setting of DETECT_UNINITIALIZED and added more
checks. The code now does a png_error if an attempt is made to do the
row initialization twice; this is an application error and it has
serious consequences because the transform data in png_struct is
changed by each call.
Added application error reporting and added chunk names to read
benign errors; also added --strict to pngstest - not enabled
yet because a warning is produced.
Avoid the double gamma correction warning in the simplified API.
This allows the --strict option to pass in the pngstest checks
Version 1.6.0beta20 [March 29, 2012]
Changed chunk handler warnings into benign errors, incrementally load iCCP
Added checksum-icc.c to contrib/tools
Prevent PNG_EXPAND+PNG_SHIFT doing the shift twice.
Recognize known sRGB ICC profiles while reading; prefer writing the
iCCP profile over writing the sRGB chunk, controlled by the
PNG_sRGB_PROFILE_CHECKS option.
Revised png_set_text_2() to avoid potential memory corruption (fixes
CVE-2011-3048, also known as CVE-2012-3425).
Version 1.6.0beta21 [April 27, 2012]
Revised scripts/makefile.darwin: use system zlib; remove quotes around
architecture list; add missing ppc architecture; add architecture options
to shared library link; don't try to create a shared lib based on missing
RELEASE variable.
Enable png_set_check_for_invalid_index() for both read and write.
Removed #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED in pngpriv.h around
declaration of png_handle_unknown().
Added -lssp_nonshared in a comment in scripts/makefile.freebsd
and changed deprecated NOOBJ and NOPROFILE to NO_OBJ and NO_PROFILE.
Version 1.6.0beta22 [May 23, 2012]
Removed need for -Wno-cast-align with clang. clang correctly warns on
alignment increasing pointer casts when -Wcast-align is passed. This
fixes the cases that clang warns about either by eliminating the
casts from png_bytep to png_uint_16p (pngread.c), or, for pngrutil.c
where the cast is previously verified or pngstest.c where it is OK, by
introducing new png_aligncast macros to do the cast in a way that clang
accepts.
Version 1.6.0beta23 [June 6, 2012]
Revised CMakeLists.txt to not attempt to make a symlink under mingw.
Made fixes for new optimization warnings from gcc 4.7.0. The compiler
performs an optimization which is safe; however it then warns about it.
Changing the type of 'palette_number' in pngvalid.c removes the warning.
Do not depend upon a GCC feature macro being available for use in generating
the linker mapfile symbol prefix.
Improved performance of new do_check_palette_indexes() function (only
update the value when it actually increases, move test for whether
the check is wanted out of the function.
Version 1.6.0beta24 [June 7, 2012]
Don't check palette indexes if num_palette is 0 (as it can be in MNG files).
Version 1.6.0beta25 [June 16, 2012]
Revised png_set_keep_unknown_chunks() so num_chunks < 0 means ignore all
unknown chunks and all known chunks except for IHDR, PLTE, tRNS, IDAT,
and IEND. Previously it only meant ignore all unknown chunks, the
same as num_chunks == 0. Revised png_image_skip_unused_chunks() to
provide a list of chunks to be processed instead of a list of chunks to
ignore. Revised contrib/gregbook/readpng2.c accordingly.
Version 1.6.0beta26 [July 10, 2012]
Removed scripts/makefile.cegcc from the *.zip and *.7z distributions; it
depends on configure, which is not included in those archives.
Moved scripts/chkfmt to contrib/tools.
Changed "a+w" to "u+w" in Makefile.in to fix CVE-2012-3386.
Version 1.6.0beta27 [August 10, 2012]
Do not compile PNG_DEPRECATED, PNG_ALLOC and PNG_PRIVATE when __GNUC__ < 3.
Do not use __restrict when GNUC is <= 3.1
Removed references to png_zalloc() and png_zfree() from the manual.
Fixed configurations where floating point is completely disabled. Because
of the changes to support symbol prefixing PNG_INTERNAL_FUNCTION declares
floating point APIs during libpng builds even if they are completely
disabled. This requires the png floating point types (png_double*) to be
declared even though the functions are never actually defined. This
change provides a dummy definition so that the declarations work, yet any
implementation will fail to compile because of an incomplete type.
Re-eliminated the use of strcpy() in pngtest.c. An unncessary use of
strcpy() was accidentally re-introduced in libpng16; this change replaces
it with strncpy().
Eliminated use of png_sizeof(); use sizeof() instead.
Use a consistent style for (sizeof type) and (sizeof (array))
Cleanup of png_set_filler(). This function does very different things on
read and write. In libpng 1.6 the two cases can be distinguished and
considerable code cleanup, and extra error checking, is possible. This
makes calls on the write side that have no effect be ignored with a
png_app_error(), which can be disabled in the app using
png_set_benign_errors(), and removes the spurious use of usr_channels
on the read side.
Insist on autotools 1.12.1 for git builds because there are security issues
with 1.12 and insisting on anything less would allow 1.12 to be used.
Removed info_ptr->signature[8] from WRITE-only builds.
Add some conditions for compiling png_fixed(). This is a small function
but it requires "-lm" on some platforms.
Cause pngtest --strict to fail on any warning from libpng (not just errors)
and cause it not to fail at the comparison step if libpng lacks support
for writing chunks that it reads from the input (currently only implemented
for compressed text chunks).
Consistently use png_memset(), png_memcpy(), and png_memcmp(), except in
pngtest.c and example.c where these macros are not visible.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
to subscribe)
or to glennrp at users.sourceforge.net
Glenn R-P