libpng

libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over 13 years. The home site for development versions (i.e., may be buggy or subject to change or include experimental features) is http://libpng.sourceforge.net/, and the place to go for questions about the library is the png-mng-implement mailing list.

libpng is available as ANSI C (C89) source code and requires zlib 1.0.4 or later (1.2.3 recommended for performance and security reasons). The current public release, libpng 1.2.31, fixes a cHRM-reading bug introduced in 1.2.30 and reverts the png_flush() behavior.

See the bottom of this page for warnings about security and crash bugs in versions up through libpng 1.2.26.

In addition to the main library sources, libpng includes the rpng, rpng2 and wpng demo programs, the pngminus demo program, a subset of Willem van Schaik's PngSuite test images, and Willem's VisualPng demo program.

Current
version: 		1.2.31
Authors: Guy Eric Schalnat, Andreas Dilger, Glenn Randers-Pehrson (current maintainer), and others
License: Open Source
Platforms: Unix, DOS, OS/2, Windows, Mac OS, BeOS, Amiga, etc.
README: local web site
http://www.libpng.org/pub/png/src/
http://prdownloads.sourceforge.net/libpng/
ftp://ftp.simplesystems.org/pub/libpng/png/src/
Manual: plain text format
HTML format (version 1.2.5, courtesy of Deron Meranda)
MS Word format (version 1.2.0, courtesy of Pierre Delaage)
Mailing
list: 		png-mng-implement
Source
code:
    with config script   without config script
prdownloads.sourceforge.net
ftp.simplesystems.org
download.sourceforge.net
archive sizes (bytes):
    .tar.bz2 
 .tar.bz2 
 .tar.bz2 
 625715 
  .tar.gz 
 .tar.gz 
 .tar.gz 
 792139 
    .tar.bz2 
 .tar.bz2 
 .tar.bz2 
 401066 
  .tar.gz 
 .tar.gz 
 .tar.gz 
 514729 
  .zip 
 .zip 
 .zip 
 630360 

MD5 checksums:

4cd2685f1eda1096f15e0523c7272f74  libpng-1.2.31-no-config.tar.bz2
a8d1aee82644656fc43c7af251c82ecd  libpng-1.2.31-no-config.tar.gz
78d2f8c4e0d64f8948819563587302d3  libpng-1.2.31.tar.bz2
4f48a84ab6e2ca3c98301129a8c93639  libpng-1.2.31.tar.gz
48f1d15768028cfa5aa5698546637c6d  lpng1231.zip
Patches:  
Beta
code: 		http://libpng.sourceforge.net/
Current
binaries:
operating system
 platform
 version
Linux (.rpm) (libpng3devdev3)
Linux (.rpm) (libpng3devdev3)
 many
many
  1.2.31-
 1.2.31-

(these are "unofficial" binaries compiled  by third parties)
Previous
binaries:
operating system
 platform
 version
Solaris 2.5-10
HP-UX
 SPARC,x86
PA-RISC,IA64
  1.2.30-
 1.2.30-

(these are "unofficial" binaries compiled  by third parties)
Old
binaries:
operating system
 platform
 version
Mac OS X
Mac OS X
FreeBSD (.tbz)
Linux (.tgz)
Linux (.deb)
GnuWin32
SCO OpenServer 5
Amiga/StormC 4
Windows CE
 x86,PowerPC
x86,PowerPC
x86
x86
many
x86
x86
68k,PPC
many
  1.2.29-
 1.2.29
 1.2.28
 1.2.27-
 1.2.27-
 1.2.24-
 1.2.4
 1.2.3
 1.2.3

(these are "unofficial" binaries compiled  by third parties)
Supporting
libraries: 		zlib

Security and Crash Bugs in Older Versions

Vulnerability Warning

All versions of libpng from 1.0.6 through 1.2.26 have a bug when handling unknown (to libpng) chunks with zero data length. Applications that call either png_set_read_user_chunk_fn() or png_set_keep_unknown_chunks(), when used with standard builds of libpng (i.e., built with either PNG_READ_UNKNOWN_CHUNKS_SUPPORTED or PNG_READ_USER_CHUNKS_SUPPORTED defined), can crash when attempting to free a non-existent data buffer for the unknown chunk. The pngtest sample application distributed with libpng, pngcrush, and certain versions of ImageMagick are known to be affected, but the bug is otherwise believed to be quite rare. This vulnerability has been assigned ID CVE-2008-1382 and is fixed in version 1.2.27, released released 28 April 2008.

Crash Warning

Most versions of libpng up through 1.2.24 have a number of minor coding errors that could lead to crashes in exceptional cases. For example, if memory allocation fails while processing certain ancillary chunks, libpng could crash while attempting to write to the NULL pointer; or if the application author failed to set up the info_ptr as required, some parts of libpng fail to check for NULL and could crash trying to read the pointer (though it's probable that the error would have caused libpng to terminate upstream of these parts). The bugs are fixed in version 1.2.25, released 18 February 2008.

Vulnerability Warning

Version 1.2.21 has a crash bug when reading the ICC-profile chunk, iCCP (CVE-2007-5267). This bug is fixed in version 1.2.22, released 13 October 2007.

Vulnerability Warning

Versions 1.2.20 and earlier have a number of potential crash-bugs due to out-of-bounds reads in certain chunk-handlers; MITRE has collectively assigned them the identifiers CVE-2007-5266, CVE-2007-5268 and CVE-2007-5269. These bugs are fixed in version 1.2.21, released 4 October 2007, but another crash bug (related to the ICC-profile chunk) remains to be fixed in version 1.2.22.

Vulnerability Warning

Versions up through 1.2.16 (and 1.0.24) have an NULL-pointer-dereference vulnerability involving palette images with a malformed tRNS chunk (i.e., one with a bad CRC value). This bug can, at a minimum, cause crashes in browsers simply by visiting a page displaying such an image; reportedly it also crashes the Microsoft Windows display manager. CERT refers to it as VU#684664 and MITRE as CVE-2007-2445. It's fixed in versions libpng 1.2.18 and libpng 1.0.26 (also 1.2.17 and 1.0.25, which had a bug in their configure scripts), released 15 May 2007.

Vulnerability Warning

Versions 1.0.6 through 1.2.12 and 1.0.20 have a bug in the decoder for the sPLT ("suggested palette") chunk; this can lead to crashes and, accordingly, a denial of service (e.g., crashing your browser when you visit a site displaying a specially crafted PNG). The bug is fixed in libpng 1.2.13 and libpng 1.0.21, released 15 November 2006. MITRE refers to this bug as CVE-2006-5793.

The same releases also include fixes for a specific class of application error (NULL png_ptr) and for a bug in the code that writes the iCCP ("ICC profile") chunk.

Vulnerability Warning

Versions up through 1.2.11 and 1.0.19 have a buffer-overrun vulnerability when a particular error message is triggered. The overrun is always by exactly two bytes ('k' and NULL) so it seems highly unlikely that it could be used for anything more nefarious than denial of service (e.g., crashing your browser when you visit a site displaying a specially crafted PNG). Nevertheless, it's worth fixing, and versions libpng 1.2.12 and libpng 1.0.20, released 27 June 2006, do just that. (Note that 1.2.11 and 1.0.19 erroneously claimed to include the fix, but in fact it had been inadvertently omitted.) MITRE refers to this bug as CVE-2006-3334.

The same releases (and their immediate predecessors) also fix an out-of-bounds (by one) memory read and a second buffer overrun, this one in the code that writes the sCAL ("physical scale of subject") chunk (which is rather rare in any case).

There have been other issues in older versions released in 2004:

Crash Warning

Versions 1.2.7, 1.2.6, 1.0.17, and 1.0.16 have a bug that will cause applications that strip the alpha channel (while reading a PNG) to crash. The bug is fixed in versions 1.2.8 and 1.0.18, which were released on 3 December 2004. MITRE refers to this bug as CVE-2006-0481.

The release before that fixed another bug, this one in the PNG-writing code:

Broken-Image Warning

Versions 1.2.6 and 1.0.16 can write an invalid zlib header within the PNG datastream. This is not quite as bad as it sounds since the two-byte header can be corrected fairly easily (e.g., use pngcrush to rewrite the images and, perhaps, compress them slightly better, or run the png-fix-IDAT-windowsize utility bundled with pngcheck 2.1.0 or later), but some applications will display the images incorrectly. Microsoft Word and Internet Explorer are known to be affected. A libpng patch is available, and versions 1.2.7 and 1.0.17 (incorporating the fix) were released on 11 September 2004.

Finally--and most important--there were several security vulnerabilities present in versions of libpng prior to 1.2.6 and 1.0.16, one of which is quite dangerous:

Vulnerability Warning

On 4 August 2004 a new jumbo security patch was released to address several potential vulnerabilities in libpng, at least one of which is quite serious. It was followed on 15 August by the full libpng 1.2.6 and libpng 1.0.16 releases, which, like subsequent releases, incorporate the fix. All users are strongly urged to upgrade to the latest release of libpng or to patch any affected applications as soon as possible. (Graphical browsers and e-mail clients are particularly at risk.) Get the latest releases or an appropriate combo patch either from SourceForge (headings 1.2.5-security-patches and 1.2.5and-older-sec-patchs) or from Simple Systems.

Here's the CERT advisory, along with the relevant CERT and MITRE vulnerability pages:

These vulnerabilities were discovered by Chris Evans and are also described in his alert. (Many thanks to Chris for notifying the libpng team and for providing time to fix the bugs before the public announcement!)

[primary site hosted by SourceForge.net] Last modified 25 August 2008. Please direct libpng comments and questions to the png-mng-implement mailing list.

Web page copyright © 2000-2008 Greg Roelofs. libpng copyright 1995-2008 contributing authors.