libpng is the official PNG reference library. It supports almost
all PNG features, is extensible, and has been extensively tested for
over 29 years. The home site for development versions (i.e., may be
buggy or subject to change or include experimental features) is https://libpng.sourceforge.io/, and
the place to go for questions about the library is the png-mng-implement mailing list.
libpng is available as ANSI C (C89) source code and requires zlib 1.0.4
or later (1.2.13 or later recommended for performance and security
reasons). The current public release, libpng 1.6.44, includes minor
fixes and improvements:
- Hardened calculations in chroma handling to prevent overflows, and relaxed a constraint in cHRM validation to accomodate the standard ACES AP1 set of color primaries. (Contributed by John Bowler)
- Removed the ASM implementation of ARM Neon optimizations and updated the build accordingly. Only the remaining C implementation shall be used from now on, thus ensuring the support of the PAC/BTI security features on ARM64. (Contributed by Ross Burton and John Bowler)
- Fixed the pickup of the PNG_HARDWARE_OPTIMIZATIONS option in the CMake build on FreeBSD/amd64. This is an important performance fix on this platform.
- Applied various fixes and improvements to the CMake build. (Contributed by Eric Riff, Benjamin Buch and Erik Scholz)
- Added fuzzing targets for the simplified read API. (Contributed by Mikhail Khachayants)
- Fixed a build error involving pngtest.c under a custom config. This was a regression introduced in a code cleanup in libpng-1.6.43. (Contributed by Ben Wagner)
- Fixed and improved the config files for AppVeyor CI and Travis CI.
Portability Note
The libpng 1.6.x series continues the evolution of the
libpng API, finally hiding the contents of the venerable
and hoary png_struct and png_info
data structures inside private (i.e., non-installed) header
files. Instead of direct struct-access, applications should be
using the various png_get_xxx() and png_set_xxx()
accessor functions, which have existed for almost as long as libpng
itself.
libpng 1.8.x is now under development and will eliminate some long-deprecated
APIs and "features," potentially breaking compatibility with very old apps.
|
|
The portability notice should not come as a particular surprise
to anyone who has added libpng support to an application this millenium; the
manual has warned of it since at least July 2000. (Specifically:
"Starting with version 2.0.0, both structures are going to be hidden, and
the contents of the structures will only be accessible through the
png_get/png_set functions." OK, so the version number was off a
bit...and the grammar, too, but who's counting?) Those whose apps depend on
the older API need not panic, however (for now); libpng 1.2.x continues to
get security fixes, as has 1.0.x for well over a decade. (Greg no longer
bothers to list either series here; enough's enough, folks. Update those
apps now!)
The 1.5.x and later series also include a new, more thorough test program
(pngvalid.c) and a new pnglibconf.h header file that
tracks what features were enabled or disabled when libpng was built. On
the other hand, they no longer internally include the zlib.h header
file, so applications that formerly depended on png.h to provide
that will now need to include it explicitly.
Complete differences relative to libpng 1.4.x
are detailed here.
See the bottom of this page for warnings about
security and crash bugs
in versions up through libpng 1.6.36.
In addition to the main library sources,
all of the 1.2.x/1.4.x/1.5.x/1.6.x/1.7.x series include
the rpng, rpng2 and wpng demo programs,
the pngminus demo program, a subset of Willem van Schaik's
PngSuite test images,
and Willem's VisualPng demo program.
Current version:
|
1.6.44
|
Authors:
|
Guy Eric Schalnat,
Andreas Dilger,
John Bowler,
Glenn Randers-Pehrson,
Cosmin Truta
(current maintainer),
and others
|
License:
|
Open Source
|
Platforms:
|
Unix, DOS, OS/2, Windows, Mac OS, BeOS, Amiga, etc.
|
README:
|
local web site
http://www.libpng.org/pub/png/src/
http://prdownloads.sourceforge.net/libpng/
|
Manual:
|
plain text format
PDF format (version 1.4.0
[Jan 2010], courtesy of Alex Yau)
|
Mailing list:
|
png-mng-implement
|
Source code:
|
SHA-256 checksums:
8c25a7792099a0089fa1cc76c94260d0bb3f1ec52b93671b572f8bb61577b732 libpng-1.6.44.tar.gz
60c4da1d5b7f0aa8d158da48e8f8afa9773c1c8baa5d21974df61f1886b8ce8e libpng-1.6.44.tar.xz
7d7571a1faa1898b69888716dfdea0e4d466f1a5cf518e6aa626df2242bbadbe lpng1644.zip
|
Beta code:
|
https://libpng.sourceforge.io/
git repository:
access:
git://git.code.sf.net/p/libpng/code
browse: https://sourceforge.net/p/libpng/code/ci/libpng16/tree/
|
Current binaries:
|
(these are "unofficial" binaries compiled by third parties)
|
Older binaries:
|
operating system
|
platform
|
version
|
Linux (.deb)
HP-UX
Mac OS X
|
many
PA-RISC,IA64
x86,PowerPC
|
1.6.43-
1.6.43-
1.6.43-
|
(these are "unofficial" binaries compiled by third parties)
|
Supporting libraries and tools:
|
zlib
XZ (needed only to decompress tar.xz source archive)
|
Security and Crash Bugs in Older Versions
Vulnerability Warning
libpng versions 1.6.36 and earlier have a use-after-free bug in the simplified
libpng API png_image_free(). It has been assigned ID
CVE-2019-7317.
The vulnerability is fixed in version 1.6.37,
released on 15 April 2019.
|
|
Vulnerability Warning
libpng version 1.6.31 added png_handle_eXIf(), which has a
null-pointer-dereference bug as well as a potential memory leak. Insofar
as the function has existed for only four weeks and the chunk itself for
only six, it's unlikely there are any applications affected by it at this
time, but they might come into existence in the future.
The vulnerability is fixed in version 1.6.32,
released on 24 August 2017.
|
|
Vulnerability Warning
Virtually all libpng versions through 1.6.26, 1.5.27, 1.4.19, 1.2.56,
and 1.0.66, respectively, have a null-pointer-dereference bug in
png_set_text_2() when an image-editing application adds, removes,
and re-adds text chunks to a PNG image. (This bug does not affect
pure viewers, nor are there any known editors that could trigger it without
interactive user input. It has been assigned ID
CVE-2016-10087.)
The vulnerability is fixed in versions 1.6.27, 1.5.28,
1.4.20, 1.2.57, and 1.0.67,
released on 29 December 2016.
|
|
Vulnerability Warning
Virtually all old-branch libpng versions through 1.5.25, 1.4.18, 1.2.55,
and 1.0.65, respectively, have a potential out-of-bounds read in
png_check_keyword(), which has been assigned ID
CVE-2015-8540).
The vulnerability is fixed in versions 1.5.26,
1.4.19, 1.2.56, and 1.0.66,
released on 17 December 2015.
The current branch (1.6.x) is not vulnerable to this bug.
|
|
Vulnerability Warning
Virtually all libpng versions through 1.6.19, 1.5.24, 1.4.17, 1.2.54,
and 1.0.64, respectively, have a potential pointer overflow/underflow in
png_handle_sPLT()/png_handle_pCAL() (and in
png_handle_iTXt()/png_handle_zTXt() in the pre-1.6 branches),
and all such versions likewise have a bug in their png_set_PLTE()
implementations that left it open to the out-of-bounds write
(CVE-2015-8126) that was supposed to have been fixed in the previous
release. The bugs are fixed in versions 1.6.20,
1.5.25, 1.4.18, 1.2.55, and 1.0.65,
released on 3 December 2015.
|
|
Vulnerability Warning
Virtually all libpng versions through 1.6.18, 1.5.23, 1.4.16, 1.2.53,
and 1.0.63, respectively, have a potential out-of-bounds read in
png_set_tIME()/png_convert_to_rfc1123() and an out-of-bounds
write in png_get_PLTE()/png_set_PLTE(). The former
vulnerability has been assigned ID
CVE-2015-7981 and the latter
CVE-2015-8126. The first is fixed in versions 1.6.19,
1.5.24, 1.4.17, 1.2.54, and 1.0.64,
released on 12 November 2015; see the subsequent vulnerability
warning for info about the latter fix.
|
|
Vulnerability Warning
libpng versions 1.6.9 through 1.6.15 (and some subset of versions up
through 1.5.20) have an integer-overflow vulnerability in
png_combine_row() when decoding very wide interlaced images,
which can allow an attacker to overwrite an arbitrary amount of memory
with arbitrary (attacker-controlled) data.
This vulnerability has been assigned ID
CVE-2014-9495 and is fixed in versions 1.6.16 and
1.5.21, released on 21 December 2014.
|
|
Vulnerability Warning
Virtually all libpng versions through 1.6.14, 1.5.19, 1.4.13, 1.2.51,
and 1.0.61, respectively, have an out-of-bounds memory access in
png_user_version_check(). It is unclear whether this could
lead to an actual exploit. The bug is fixed in versions 1.6.15,
1.5.20, etc., released on 20 November 2014.
|
|
Vulnerability Warning
libpng versions 1.6.0 through 1.6.9 hang when reading images that have
zero-length IDAT chunks with the progressive (streaming) reader; a
malicious web site could use this bug to cause a (minor) denial of
service. This vulnerability has been assigned ID
CVE-2014-0333 and is fixed in version 1.6.10,
released 6 March 2014.
|
|
Vulnerability Warning
libpng versions 1.6.1 through 1.6.7 fail to reject colormapped images
with empty palettes, leading to a null-pointer dereference (crash) in
png_do_expand_palette(). This vulnerability has been assigned ID
CVE-2013-6954 and is fixed in version 1.6.8,
released 19 December 2013.
|
|
Vulnerability Warning
Various versions of libpng through 1.5.11, 1.4.11, 1.2.49, and
1.0.59, respectively, set the top-level archive-extraction directory's
permissions to be world-writable as part of the distcheck
Makefile target's operations (configure-generated Makefile only).
This could allow a local attacker on the build host to silently replace
the extracted libpng library with a malicious version, conceivably
poisoning an official binary distribution of libpng (though the likelihood
of this seems remote), but more generally allowing the attacker to execute
arbitrary commands with the permissions of the user running make. This
vulnerability has been assigned ID
CVE-2012-3386 and is fixed in version 1.5.12 (and versions
1.4.12, 1.2.50, and 1.0.60, respectively, on the
older branches), released 10 July 2012.
|
|
Vulnerability Warning
All "modern" versions of libpng through 1.5.9, 1.4.10, 1.2.48, and
1.0.58, respectively, fail to correctly handle malloc() failure
for text chunks (in png_set_text_2()), which can lead to memory
corruption and the possibility of execution of hostile code.
This serious vulnerability has been assigned ID
CVE-2011-3048 and is fixed in version 1.5.10 (and versions
1.4.11, 1.2.49, and 1.0.59, respectively, on the
older branches), released 29 March 2012.
|
|
Vulnerability Warning
All versions of libpng from 1.0.6 through 1.5.8, 1.4.8, 1.2.46, and
1.0.56, respectively, fail to correctly validate a heap allocation in
png_decompress_chunk(), which can lead to a buffer-overrun
and the possibility of execution of hostile code on 32-bit systems.
This serious vulnerability has been assigned ID
CVE-2011-3026 and is fixed in version 1.5.9 (and versions
1.4.9, 1.2.47, and 1.0.57, respectively, on the
older branches), released 18 February 2012.
|
|
Vulnerability Warning
libpng 1.5.4 through 1.5.7 contain a one-byte (stack) buffer-overrun bug
in png_formatted_warning(), which could lead to crashes (denial
of service) or, conceivably, execution of hostile code. This
vulnerability has been assigned ID
CVE-2011-3464 and is fixed in version 1.5.8, released
1 February 2012.
|
|
Vulnerability Warning
libpng 1.5.4 (only) introduced a divide-by-zero bug in
png_handle_cHRM(), which could lead to crashes (denial of
service) in applications that support color correction. This
vulnerability has been assigned ID
CVE-2011-3328 (CERT VU#477046) and is fixed in version 1.5.5, released
22 September 2011.
|
|
Vulnerability Warning
All released versions of libpng (from 1.0 onward) have a buffer overrun
in the code that promotes palette images with transparency (1 channel) to
grayscale+alpha images (2 channels), but only for applications that call
png_rgb_to_gray() and not png_set_expand(). (None are
known.) An arbitrary amount of memory may be overwritten in this case,
with arbitrary (attacker-controlled) data.
This vulnerability has been assigned ID
CVE-2011-2690.
libpng 1.2.20 and later crashes in png_default_error() due to
internal use of a NULL pointer instead of the empty string ("").
This vulnerability has been assigned ID
CVE-2011-2691.
Many (most?) versions of libpng read uninitialized memory when handling
empty sCAL chunks, and they handle malformed sCAL chunks (those lacking
a delimiting NULL between the internal strings) incorrectly.
This vulnerability has been assigned ID
CVE-2011-2692.
All of these issues are fixed in version 1.5.4 (as well as
1.4.8, 1.2.45, and 1.0.55 on the older branches),
released 7 July 2011.
|
|
Vulnerability Warning
libpng 1.5.0 (only) introduced a bug in the RGB-to-grayscale transform
code, which can lead to buffer overruns due to incorrect calculation
of the number of bytes per pixel. (Since 1.5.0 was just released, no
apps or OS distributions are believed to ship with it, so the risk
should be minimal.) This vulnerability has been assigned ID
CVE-2011-0408 (CERT VU#643140) and is fixed in version 1.5.1, released
3 February 2011.
|
|
Vulnerability Warning
Several versions of libpng through 1.4.2 (and through 1.2.43 in the
older series) contain a bug whereby progressive applications such as
web browsers (or the rpng2 demo app included in libpng) could receive
an extra row of image data beyond the height reported in the header,
potentially leading to an out-of-bounds write to memory (depending on
how the application is written) and the possibility of execution of an
attacker's code with the privileges of the libpng user (including remote
compromise in the case of a libpng-based browser visiting a hostile web
site). This vulnerability has been assigned ID
CVE-2010-1205 (via Mozilla).
An additional memory-leak bug, involving images with malformed sCAL
chunks, is also present; it could lead to an application crash (denial
of service) when viewing such images.
Both bugs are fixed in versions 1.4.3 and 1.2.44, released
25 June 2010.
|
|
Vulnerability Warning
Jeff Phillips reported that several versions of libpng through 1.2.35
contain an uninitialized-memory-read bug that may have security
implications. Specifically, 1-bit (2-color) interlaced images whose
widths are not divisible by 8 may result in several uninitialized bits
at the end of certain rows in certain interlace passes being returned
to the user. An application that failed to mask these out-of-bounds
pixels might display or process them, albeit presumably with benign
results in most cases. This bug may be fixed in version 1.2.36,
released 7 May 2009, but the correct fix is in version 1.2.37,
released 4 June 2009.
|
|
Vulnerability Warning
All versions of libpng from 0.89c through 1.2.34 contain an
uninitialized-data bug that can be triggered by a malicious user.
Specifically, there are several instances in which a malloc'd array
of pointers is then initialized by a secondary sequence of malloc()
calls. If one of these calls fails, libpng's cleanup routine will
attempt to free the entire array, including any uninitialized pointers,
which could lead to execution of an attacker's code with the privileges
of the libpng user (including remote compromise in the case of a
libpng-based browser visiting a hostile web site). This vulnerability
has been assigned ID
CVE-2009-0040 and is fixed in version 1.2.35, released
18 February 2009.
|
|
Vulnerability Warning
Versions 1.2.30 and 1.2.31 of libpng can crash when reading images with
multiple zTXt chunks; it is likely that this vulnerability could lead to
a remote compromise in the case of a libpng-based browser visiting a
hostile web site. This vulnerability has been assigned
ID CVE-2008-3964 and is fixed in version 1.2.32, released
18 September 2008.
|
|
Vulnerability Warning
All versions of libpng from 1.0.6 through 1.2.26 have a bug when handling
unknown (to libpng) chunks with zero data length. Applications that call
either png_set_read_user_chunk_fn() or
png_set_keep_unknown_chunks(), when used with standard builds
of libpng (i.e., built with either PNG_READ_UNKNOWN_CHUNKS_SUPPORTED or
PNG_READ_USER_CHUNKS_SUPPORTED defined), can crash when attempting to
free a non-existent data buffer for the unknown chunk. The pngtest
sample application distributed with libpng, pngcrush, and certain
versions of ImageMagick are known to be affected, but the bug is
otherwise believed to be quite rare. This vulnerability has been assigned
ID CVE-2008-1382 and is fixed in version 1.2.27, released
28 April 2008.
|
|
Crash Warning
Most versions of libpng up through 1.2.24 have a number of minor coding
errors that could lead to crashes in exceptional cases. For example, if
memory allocation fails while processing certain ancillary chunks, libpng
could crash while attempting to write to the NULL pointer; or if the
application author failed to set up the info_ptr as required,
some parts of libpng fail to check for NULL and could crash trying to
read the pointer (though it's probable that the error would have caused
libpng to terminate upstream of these parts). The bugs are fixed in
version 1.2.25, released 18 February 2008.
|
|
Vulnerability Warning
Version 1.2.21 has a crash bug when reading the ICC-profile chunk, iCCP
(CVE-2007-5267). This bug is fixed in version 1.2.22,
released 13 October 2007.
|
|
Vulnerability Warning
Versions 1.2.20 and earlier have a number of potential crash-bugs due to
out-of-bounds reads in certain chunk-handlers; MITRE has collectively
assigned them the identifiers CVE-2007-5266, CVE-2007-5268 and CVE-2007-5269. These bugs are fixed in version 1.2.21,
released 4 October 2007, but another crash bug (related to the
ICC-profile chunk) remains to be fixed in version 1.2.22.
|
|
Vulnerability Warning
Versions up through 1.2.16 (and 1.0.24) have an NULL-pointer-dereference
vulnerability involving palette images with a malformed tRNS chunk (i.e.,
one with a bad CRC value). This bug can, at a minimum, cause crashes in
browsers simply by visiting a page displaying such an image; reportedly
it also crashes the Microsoft Windows display manager. CERT refers to
it as VU#684664
and MITRE as CVE-2007-2445. It's fixed in versions libpng 1.2.18 and
libpng 1.0.26 (also 1.2.17 and 1.0.25, which had a
bug in their configure scripts), released 15 May 2007.
|
|
Vulnerability Warning
Versions 1.0.6 through 1.2.12 and 1.0.20 have a bug in the decoder for
the sPLT ("suggested palette") chunk; this can lead to crashes and,
accordingly, a denial of service (e.g., crashing your browser when you
visit a site displaying a specially crafted PNG). The bug is fixed in
libpng 1.2.13 and libpng 1.0.21, released 15 November
2006. MITRE refers to this bug as CVE-2006-5793.
The same releases also include fixes for a specific class of application
error (NULL png_ptr) and for a bug in the code that writes the
iCCP ("ICC profile") chunk.
|
|
Vulnerability Warning
Versions up through 1.2.11 and 1.0.19 have a buffer-overrun vulnerability
when a particular error message is triggered. The overrun is always by
exactly two bytes ('k' and NULL) so it seems highly unlikely that it
could be used for anything more nefarious than denial of service (e.g.,
crashing your browser when you visit a site displaying a specially
crafted PNG). Nevertheless, it's worth fixing, and versions libpng
1.2.12 and libpng 1.0.20, released 27 June 2006, do just
that. (Note that 1.2.11 and 1.0.19 erroneously claimed to include the
fix, but in fact it had been inadvertently omitted.) MITRE refers to
this bug as CVE-2006-3334.
The same releases (and their immediate predecessors) also fix an
out-of-bounds (by one) memory read and a second buffer overrun, this one
in the code that writes the sCAL ("physical scale of subject")
chunk (which is rather rare in any case).
|
|
There have been other issues in older versions released in 2004:
Crash Warning
Versions 1.2.7, 1.2.6, 1.0.17, and 1.0.16 have a bug that will cause
applications that strip the alpha channel (while reading a PNG) to crash.
The bug is fixed in versions 1.2.8 and 1.0.18, which were
released on 3 December 2004. MITRE refers to this bug as CVE-2006-0481.
|
|
The release before that fixed another bug, this one in the PNG-writing code:
Broken-Image Warning
Versions 1.2.6 and 1.0.16 can write an invalid zlib header within the
PNG datastream. This is not quite as bad as it sounds since the two-byte
header can be corrected fairly easily (e.g., use pngcrush to rewrite the images and,
perhaps, compress them slightly better, or run the
png-fix-IDAT-windowsize utility bundled with pngcheck 2.1.0 or later), but some applications
will display the images incorrectly. Microsoft Word and Internet
Explorer are known to be affected. A libpng patch is available, and versions 1.2.7 and
1.0.17 (incorporating the fix) were released on 11 September
2004.
|
|
Finally--and most important--there were several security vulnerabilities
present in versions of libpng prior to 1.2.6 and 1.0.16, one of which is
quite dangerous:
Vulnerability Warning
On 4 August 2004 a new jumbo security patch was released to
address several potential vulnerabilities in libpng, at least one of
which is quite serious. It was followed on 15 August by
the full libpng 1.2.6 and libpng 1.0.16 releases, which,
like subsequent releases, incorporate the fix. All users are strongly
urged to upgrade to the latest release of libpng or to patch any affected
applications as soon as possible.
(Graphical browsers and e-mail clients are particularly at risk.)
Get the latest releases or an appropriate combo patch either from
SourceForge (headings 1.2.5-security-patches and 1.2.5and-older-sec-patchs)
or from Oregon
State's Open Source Lab.
Here's the CERT advisory, along with the relevant CERT and MITRE vulnerability
pages:
These vulnerabilities were discovered by Chris Evans and are also
described in his alert. (Many thanks to Chris for notifying the libpng team and
for providing time to fix the bugs before the public announcement!)
|
|
Last modified 15 September 2024.
Please direct libpng comments and questions to the png-mng-implement mailing list.
Web page copyright © 2000-2024 Greg Roelofs.
libpng copyright © 1995-2024 contributing authors.