libpng

libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over 12 years. The home site for development versions (i.e., may be buggy or subject to change or include experimental features) is http://libpng.sourceforge.net/, and the place to go for questions about the library is the png-mng-implement mailing list.

libpng is available as ANSI C (C89) source code and requires zlib 1.0.4 or later (1.2.3 recommended for performance and security reasons). The current public release, libpng 1.2.29, is identical to its week-old predecessors except for the configure-related build scripts, which were rebuilt with a consistent set of autotools (autoconf, automake, libtool) and macros to avoid compatibility problems in the previous two releases. Both this release and the two previous ones contain a security fix involving the handling of unknown PNG chunks (see below), a reversion to older behavior for handling of images with out-of-range tRNS-chunk values, a fix for unintentional gray-to-RGB conversion in png_set_expand_gray_1_2_4_to_8(), and various other small fixes.

Vulnerability Warning

All versions of libpng from 1.0.6 through 1.2.26 have a bug when handling unknown (to libpng) chunks with zero data length. Applications that call either png_set_read_user_chunk_fn() or png_set_keep_unknown_chunks(), when used with standard builds of libpng (i.e., built with either PNG_READ_UNKNOWN_CHUNKS_SUPPORTED or PNG_READ_USER_CHUNKS_SUPPORTED defined), can crash when attempting to free a non-existent data buffer for the unknown chunk. The pngtest sample application distributed with libpng, pngcrush, and certain versions of ImageMagick are known to be affected, but the bug is otherwise believed to be quite rare. This vulnerability has been assigned ID CVE-2008-1382 and is fixed in version 1.2.27, released released 28 April 2008.

See the bottom of this page for warnings about other security and crash bugs in versions up through libpng 1.2.24.

In addition to the main library sources, libpng includes the rpng, rpng2 and wpng demo programs, the pngminus demo program, a subset of Willem van Schaik's PngSuite test images, and Willem's VisualPng demo program.

Current
version: 		1.2.29
Authors: Guy Eric Schalnat, Andreas Dilger, Glenn Randers-Pehrson (current maintainer), and others
License: Open Source
Platforms: Unix, DOS, OS/2, Windows, Mac OS, BeOS, Amiga, etc.
README: local web site
http://www.libpng.org/pub/png/src/
http://prdownloads.sourceforge.net/libpng/
ftp://ftp.simplesystems.org/pub/libpng/png/src/
Manual: plain text format
HTML format (version 1.2.5, courtesy of Deron Meranda)
MS Word format (version 1.2.0, courtesy of Pierre Delaage)
Mailing
list: 		png-mng-implement
Source
code:
    with config script   without config script
prdownloads.sourceforge.net
ftp.simplesystems.org
download.sourceforge.net
archive sizes (bytes):
    .tar.bz2 
 .tar.bz2 
 .tar.bz2 
 624606 
  .tar.gz 
 .tar.gz 
 .tar.gz 
 796551 
    .tar.bz2 
 .tar.bz2 
 .tar.bz2 
 407534 
  .tar.gz 
 .tar.gz 
 .tar.gz 
 518599 
  .zip 
 .zip 
 .zip 
 627641 

MD5 checksums:

94df866761400dcc26f1b93d0982ed18  libpng-1.2.29-no-config.tar.bz2
b28ad48c6bb7c6f15a2aa48241484199  libpng-1.2.29-no-config.tar.gz
f588cb4ee39e3a333604096f937ea157  libpng-1.2.29.tar.bz2
a388004b7d7492660c19a2d611a8ca62  libpng-1.2.29.tar.gz
d6d25430b7847340da3b22aeb82f0344  lpng1229.zip
Patches:  
Beta
code: 		http://libpng.sourceforge.net/
Current
binaries:
operating system
 platform
 version
Linux (.rpm) (libpng3devdev3)
Solaris 2.5-10
HP-UX
 many
SPARC,x86
PA-RISC,IA64
  1.2.29-
 1.2.29-
 1.2.29-

(these are "unofficial" binaries compiled  by third parties)
Previous
binaries:
operating system
 platform
 version
FreeBSD (.tbz)
 x86
  1.2.28

(these are "unofficial" binaries compiled  by third parties)
Old
binaries:
operating system
 platform
 version
Linux (.tgz)
Mac OS X
Linux (.rpm) (libpng3devdev3)
GnuWin32
Linux (.deb)
Mac OS X
SCO OpenServer 5
Amiga/StormC 4
Windows CE
 x86
PowerPC,x86
many
x86
many
PowerPC
x86
68k,PPC
many
  1.2.27-
 1.2.27
 1.2.26-
 1.2.24-
 1.2.15beta5-
 1.2.12-
 1.2.4
 1.2.3
 1.2.3

(these are "unofficial" binaries compiled  by third parties)
Supporting
libraries: 		zlib

Security and Crash Bugs in Older Versions

Crash Warning

Most versions of libpng up through 1.2.24 have a number of minor coding errors that could lead to crashes in exceptional cases. For example, if memory allocation fails while processing certain ancillary chunks, libpng could crash while attempting to write to the NULL pointer; or if the application author failed to set up the info_ptr as required, some parts of libpng fail to check for NULL and could crash trying to read the pointer (though it's probable that the error would have caused libpng to terminate upstream of these parts). The bugs are fixed in version 1.2.25, released 18 February 2008.

Vulnerability Warning

Version 1.2.21 has a crash bug when reading the ICC-profile chunk, iCCP (CVE-2007-5267). This bug is fixed in version 1.2.22, released 13 October 2007.

Vulnerability Warning

Versions 1.2.20 and earlier have a number of potential crash-bugs due to out-of-bounds reads in certain chunk-handlers; MITRE has collectively assigned them the identifiers CVE-2007-5266, CVE-2007-5268 and CVE-2007-5269. These bugs are fixed in version 1.2.21, released 4 October 2007, but another crash bug (related to the ICC-profile chunk) remains to be fixed in version 1.2.22.

Vulnerability Warning

Versions up through 1.2.16 (and 1.0.24) have an NULL-pointer-dereference vulnerability involving palette images with a malformed tRNS chunk (i.e., one with a bad CRC value). This bug can, at a minimum, cause crashes in browsers simply by visiting a page displaying such an image; reportedly it also crashes the Microsoft Windows display manager. CERT refers to it as VU#684664 and MITRE as CVE-2007-2445. It's fixed in versions libpng 1.2.18 and libpng 1.0.26 (also 1.2.17 and 1.0.25, which had a bug in their configure scripts), released 15 May 2007.

Vulnerability Warning

Versions 1.0.6 through 1.2.12 and 1.0.20 have a bug in the decoder for the sPLT ("suggested palette") chunk; this can lead to crashes and, accordingly, a denial of service (e.g., crashing your browser when you visit a site displaying a specially crafted PNG). The bug is fixed in libpng 1.2.13 and libpng 1.0.21, released 15 November 2006. MITRE refers to this bug as CVE-2006-5793.

The same releases also include fixes for a specific class of application error (NULL png_ptr) and for a bug in the code that writes the iCCP ("ICC profile") chunk.

Vulnerability Warning

Versions up through 1.2.11 and 1.0.19 have a buffer-overrun vulnerability when a particular error message is triggered. The overrun is always by exactly two bytes ('k' and NULL) so it seems highly unlikely that it could be used for anything more nefarious than denial of service (e.g., crashing your browser when you visit a site displaying a specially crafted PNG). Nevertheless, it's worth fixing, and versions libpng 1.2.12 and libpng 1.0.20, released 27 June 2006, do just that. (Note that 1.2.11 and 1.0.19 erroneously claimed to include the fix, but in fact it had been inadvertently omitted.) MITRE refers to this bug as CVE-2006-3334.

The same releases (and their immediate predecessors) also fix an out-of-bounds (by one) memory read and a second buffer overrun, this one in the code that writes the sCAL ("physical scale of subject") chunk (which is rather rare in any case).

There have been other issues in older versions released in 2004:

Crash Warning

Versions 1.2.7, 1.2.6, 1.0.17, and 1.0.16 have a bug that will cause applications that strip the alpha channel (while reading a PNG) to crash. The bug is fixed in versions 1.2.8 and 1.0.18, which were released on 3 December 2004. MITRE refers to this bug as CVE-2006-0481.

The release before that fixed another bug, this one in the PNG-writing code:

Broken-Image Warning

Versions 1.2.6 and 1.0.16 can write an invalid zlib header within the PNG datastream. This is not quite as bad as it sounds since the two-byte header can be corrected fairly easily (e.g., use pngcrush to rewrite the images and, perhaps, compress them slightly better, or run the png-fix-IDAT-windowsize utility bundled with pngcheck 2.1.0 or later), but some applications will display the images incorrectly. Microsoft Word and Internet Explorer are known to be affected. A libpng patch is available, and versions 1.2.7 and 1.0.17 (incorporating the fix) were released on 11 September 2004.

Finally--and most important--there were several security vulnerabilities present in versions of libpng prior to 1.2.6 and 1.0.16, one of which is quite dangerous:

Vulnerability Warning

On 4 August 2004 a new jumbo security patch was released to address several potential vulnerabilities in libpng, at least one of which is quite serious. It was followed on 15 August by the full libpng 1.2.6 and libpng 1.0.16 releases, which, like subsequent releases, incorporate the fix. All users are strongly urged to upgrade to the latest release of libpng or to patch any affected applications as soon as possible. (Graphical browsers and e-mail clients are particularly at risk.) Get the latest releases or an appropriate combo patch either from SourceForge (headings 1.2.5-security-patches and 1.2.5and-older-sec-patchs) or from Simple Systems.

Here's the CERT advisory, along with the relevant CERT and MITRE vulnerability pages:

These vulnerabilities were discovered by Chris Evans and are also described in his alert. (Many thanks to Chris for notifying the libpng team and for providing time to fix the bugs before the public announcement!)

[primary site hosted by SourceForge.net] Last modified 10 May 2008. Please direct libpng comments and questions to the png-mng-implement mailing list.

Web page copyright © 2000-2008 Greg Roelofs. libpng copyright 1995-2008 contributing authors.