From 66dce0da6a5db51ee0c2875517d3a6ca6cbbe53d Mon Sep 17 00:00:00 2001 From: Eric Vannier Date: Wed, 20 Jul 2011 17:03:29 -0700 Subject: Upgrading libpng to 1.2.46 to fix a few vulnerabilities. Bug: 5057432 Bug: 5055636 Change-Id: I9e1b51881386aa9f574a38abc844e036baef9091 --- ANNOUNCE | 56 ++++++++++++++++++++++++++++++++------------------------ 1 file changed, 32 insertions(+), 24 deletions(-) (limited to 'ANNOUNCE') diff --git a/ANNOUNCE b/ANNOUNCE index b0824ee..02a24bd 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.2.44 - June 26, 2010 +Libpng 1.2.46 - July 9, 2011 This is a public release of libpng, intended for use in production codes. 
@@ -8,48 +8,56 @@ Files available for download: Source files with LF line endings (for Unix/Linux) and with a "configure" script - libpng-1.2.44.tar.xz (LZMA-compressed, recommended) - libpng-1.2.44.tar.gz - libpng-1.2.44.tar.bz2 + libpng-1.2.46.tar.xz (LZMA-compressed, recommended) + libpng-1.2.46.tar.gz + libpng-1.2.46.tar.bz2 Source files with LF line endings (for Unix/Linux) without the "configure" script - libpng-1.2.44-no-config.tar.xz (LZMA-compressed, recommended) - libpng-1.2.44-no-config.tar.gz - libpng-1.2.44-no-config.tar.bz2 + libpng-1.2.46-no-config.tar.xz (LZMA-compressed, recommended) + libpng-1.2.46-no-config.tar.gz + libpng-1.2.46-no-config.tar.bz2 Source files with CRLF line endings (for Windows), without the "configure" script - lpng1244.zip - lpng1244.7z - lpng1244.tar.bz2 + lpng1246.zip + lpng1246.7z + lpng1246.tar.bz2 Project files - libpng-1.2.44-project-netware.zip - libpng-1.2.44-project-wince.zip + libpng-1.2.46-project-netware.zip + libpng-1.2.46-project-wince.zip Other information: - libpng-1.2.44-README.txt - libpng-1.2.44-KNOWNBUGS.txt - libpng-1.2.44-LICENSE.txt - libpng-1.2.44-Y2K-compliance.txt - libpng-1.2.44-[previous version]-diff.txt + libpng-1.2.46-README.txt + libpng-1.2.46-KNOWNBUGS.txt + libpng-1.2.46-LICENSE.txt + libpng-1.2.46-Y2K-compliance.txt + libpng-1.2.46-[previous version]-diff.txt Changes since the last public release (1.2.43): -version 1.2.44 [June 26, 2010] - - Rewrote png_process_IDAT_data to consistently treat extra data as warnings - and handle end conditions more cleanly. - Removed the now-redundant check for out-of-bounds new_row from example.c - +version 1.2.45 [July 9, 2011] + + Fixed uninitialized memory read in png_format_buffer() (Bug + report by Frank Busse, related to CVE-2004-0421). + Pass "" instead of '\0' to png_default_error() in png_err(). This mistake + was introduced in libpng-1.2.20beta01. + Check for up->location !PNG_AFTER_IDAT when writing unknown chunks + before IDAT. 
+ Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image, + always expand to RGBA if transparency is present. + Check for integer overflow in png_set_rgb_to_gray(). + Check for sCAL chunk too short. + Added CMakeLists.txt, projects/xcode, and pnggccrd.c to EXTRA_DIST in + Makefile.am and Makefile.in + Udated copyright year to 2011. Send comments/corrections/commendations to png-mng-implement at lists.sf.net - (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement to subscribe) or to glennrp at users.sourceforge.net -- cgit v1.1
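Review bot: In the first hunk (@@ -1,5 +1,5 @@) the new header "Libpng 1.2.46 - July 9, 2011" carries the same date that the second hunk gives for "version 1.2.45 [July 9, 2011]", so two versions share one release date in this file. Please confirm that ANNOUNCE was copied verbatim from the 1.2.46 release being imported and not hand-edited, so that the version recorded here matches the sources actually vendored.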
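Review bot: In the second hunk (@@ -8,48 +8,56 @@) the change list stops at "version 1.2.45 [July 9, 2011]" and has no 1.2.46 entry, while the commit subject says the upgrade is to 1.2.46. The 1.2.44 entry is also removed, although the unchanged heading still reads "Changes since the last public release (1.2.43)". From this file alone a reader cannot tell what changed between 1.2.45 and 1.2.46, or which entries are the "few vulnerabilities" tied to the two Bug ids. I would name the security-relevant items in the commit message: the uninitialized memory read in png_format_buffer(), the integer overflow check in png_set_rgb_to_gray(), and the check for a too-short sCAL chunk. Two smaller points: "Check for up->location !PNG_AFTER_IDAT" looks like it is missing part of an operator, and "Udated" is a typo. If both come from the upstream file, leave them so the vendored copy stays identical to the release.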