diff options
| author | ManoloFLTK <41016272+ManoloFLTK@users.noreply.github.com> | 2026-01-20 18:01:12 +0100 |
|---|---|---|
| committer | ManoloFLTK <41016272+ManoloFLTK@users.noreply.github.com> | 2026-01-20 18:01:12 +0100 |
| commit | 2f7d7adfcf4bec55fa5e007947e4a455e85d8930 (patch) | |
| tree | 2258a700e13d8582fcf5eedb30394c78641d739a /png/CHANGES | |
| parent | d30ca1866463c4091c3e0bcf5ca730f409ddc78d (diff) | |
Update bundled libpng to last upstream version 1.6.54
Diffstat (limited to 'png/CHANGES')
| -rw-r--r-- | png/CHANGES | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/png/CHANGES b/png/CHANGES index b6499b1f3..3bb1baecd 100644 --- a/png/CHANGES +++ b/png/CHANGES @@ -6278,6 +6278,59 @@ Version 1.6.50 [July 1, 2025] (Contributed by John Bowler) Fixed the CMake file for cross-platform builds that require `libm`. +Version 1.6.51 [November 21, 2025] + Fixed CVE-2025-64505 (moderate severity): + Heap buffer overflow in `png_do_quantize` via malformed palette index. + (Reported by Samsung; analyzed by Fabio Gritti.) + Fixed CVE-2025-64506 (moderate severity): + Heap buffer over-read in `png_write_image_8bit` with 8-bit input and + `convert_to_8bit` enabled. + (Reported by Samsung and <weijinjinnihao@users.noreply.github.com>; + analyzed by Fabio Gritti.) + Fixed CVE-2025-64720 (high severity): + Buffer overflow in `png_image_read_composite` via incorrect palette + premultiplication. + (Reported by Samsung; analyzed by John Bowler.) + Fixed CVE-2025-65018 (high severity): + Heap buffer overflow in `png_combine_row` triggered via + `png_image_finish_read`. + (Reported by <yosiimich@users.noreply.github.com>.) + Fixed a memory leak in `png_set_quantize`. + (Reported by Samsung; analyzed by Fabio Gritti.) + Removed the experimental and incomplete ERROR_NUMBERS code. + (Contributed by Tobias Stoeckmann.) + Improved the RISC-V vector extension support; required RVV 1.0 or newer. + (Contributed by Filip Wasil.) + Added GitHub Actions workflows for automated testing. + Performed various refactorings and cleanups. + +Version 1.6.52 [December 3, 2025] + Fixed CVE-2025-66293 (high severity): + Out-of-bounds read in `png_image_read_composite`. + (Reported by flyfish101 <flyfish101@users.noreply.github.com>.) + Fixed the Paeth filter handling in the RISC-V RVV implementation. + (Reported by Filip Wasil; fixed by Liang Junzhao.) + Improved the performance of the RISC-V RVV implementation. + (Contributed by Liang Junzhao.) + Added allocation failure fuzzing to oss-fuzz. + (Contributed by Philippe Antoine.) + +Version 1.6.53 [December 5, 2025] + Fixed a build failure on RISC-V RVV caused by a misspelled intrinsic. + (Contributed by Alexander Smorkalov.) + Fixed a build failure with CMake 4.1 or newer, on Windows, when using + Visual C++ without MASM installed. + +Version 1.6.54 [January 12, 2026] + Fixed CVE-2026-22695 (medium severity): + Heap buffer over-read in `png_image_read_direct_scaled. + (Reported and fixed by Petr Simecek.) + Fixed CVE-2026-22801 (medium severity): + Integer truncation causing heap buffer over-read in `png_image_write_*`. + Implemented various improvements in oss-fuzz. + (Contributed by Philippe Antoine.) + + Send comments/corrections/commendations to png-mng-implement at lists.sf.net. Subscription is required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement |