libpng is the official PNG reference library. It supports almost
all PNG features, is extensible, and has been extensively tested for
over 14 years. The home site for development versions (i.e., versions that
may be buggy, subject to change, or include experimental features) is
http://libpng.sourceforge.net/, and the place to go for questions about
the library is the png-mng-implement mailing list.
libpng is available as ANSI C (C89) source code and requires zlib 1.0.4
or later (1.2.3 recommended for performance and security reasons).
The current public release, libpng 1.4.1, supports the PNG iTXt chunk,
includes a new memory-limiting function to help protect against malicious
images, fixes a small memory leak, and has significantly better performance
when decoding highly compressed chunks. Differences relative to libpng 1.2.x
are detailed here.
See the bottom of this page for warnings about security and crash bugs
in versions up through libpng 1.2.36.
In addition to the main library sources,
both the 1.4.x series and the older libpng 1.2.43 include
the rpng, rpng2 and wpng demo programs,
the pngminus demo program, a subset of Willem van Schaik's
PngSuite test images,
and Willem's VisualPng demo program.
Current version: 1.4.1
Authors: Guy Eric Schalnat, Andreas Dilger, Glenn Randers-Pehrson (current maintainer), and others
License: Open Source
Platforms: Unix, DOS, OS/2, Windows, Mac OS, BeOS, Amiga, etc.
README:
  local web site
  http://www.libpng.org/pub/png/src/
  http://prdownloads.sourceforge.net/libpng/
  ftp://ftp.simplesystems.org/pub/libpng/png/src/
Manual:
  plain text format
  PDF format (version 1.4.0 [Jan 2010], courtesy of Alex Yau)
Mailing list: png-mng-implement
Source code:
MD5 checksums:
fa0b2a84733463f90d3ac9f43ccafabc libpng-1.4.1.tar.gz
d4cb0236cce9ce8ff49a22994a01f9e0 libpng-1.4.1.tar.xz
fb9a95cc87f1b72d0c81f4d9b1674cae lpng141.zip
Patches:
Beta code:
  http://libpng.sourceforge.net/
  git repository:
    access: git://libpng.git.sourceforge.net/gitroot/libpng/libpng
    browse: http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng
Current binaries (these are "unofficial" binaries compiled by third parties):
  operating system: Mac OS X; platform: x86, PowerPC; version: 1.4.1
Previous binaries: (these are "unofficial" binaries compiled by third parties)
Old binaries: (these are "unofficial" binaries compiled by third parties)
Supporting libraries and tools: zlib, XZ
Security and Crash Bugs in Older Versions
Vulnerability Warning
Jeff Phillips reported that several versions of libpng through 1.2.35
contain an uninitialized-memory-read bug that may have security
implications. Specifically, 1-bit (2-color) interlaced images whose
widths are not divisible by 8 may result in several uninitialized bits
at the end of certain rows in certain interlace passes being returned
to the user. An application that failed to mask these out-of-bounds
pixels might display or process them, albeit presumably with benign
results in most cases. This bug may be fixed in version 1.2.36,
released 7 May 2009, but the correct fix is in version 1.2.37,
released 4 June 2009.
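The application-side masking mentioned above, as an added example (not libpng code): it assumes the application handles the interlace passes itself and receives 1-bit rows that are one pass wide. The function names are hypothetical; the Adam7 offsets come from the PNG specification.

```c
#include <stddef.h>
#include <stdint.h>

/* Adam7 (PNG spec): first column and column step of each of the 7 passes. */
static const size_t adam7_start[7] = {0, 4, 0, 2, 0, 1, 0};
static const size_t adam7_step[7]  = {8, 8, 4, 4, 2, 2, 1};

/* Pixels that pass `pass` (0..6) contributes to one row of the image. */
size_t pass_width(size_t image_width, int pass)
{
    if (image_width <= adam7_start[pass])
        return 0;
    return (image_width - adam7_start[pass] + adam7_step[pass] - 1)
           / adam7_step[pass];
}

/* Bytes occupied by `pixels` 1-bit pixels. */
size_t row_bytes_1bit(size_t pixels)
{
    return pixels / 8 + (pixels % 8 != 0);
}

/*
 * Clear the padding bits after the last real pixel of a 1-bit row.
 * PNG packs pixels starting at the most significant bit, so the padding
 * is the low-order end of the final byte. Returns the bits cleared.
 */
unsigned mask_row_padding_1bit(uint8_t *row, size_t pixels)
{
    unsigned used = (unsigned)(pixels % 8);
    if (used == 0)
        return 0;               /* empty row or exact byte multiple */
    row[row_bytes_1bit(pixels) - 1] &= (uint8_t)(0xFFu << (8 - used));
    return 8 - used;
}

int main(void)
{
    /* Constructed sample: 13-pixel-wide image, first pass row is 2 pixels. */
    uint8_t row[1] = {0xFF};    /* stale bits stand in for uninitialized data */
    size_t n = pass_width(13, 0);
    return (mask_row_padding_1bit(row, n) == 6 && row[0] == 0xC0) ? 0 : 1;
}
```

Masking every row before display or hashing makes the output independent of whatever the padding bits happened to contain.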
Vulnerability Warning
All versions of libpng from 0.89c through 1.2.34 contain an
uninitialized-data bug that can be triggered by a malicious user.
Specifically, there are several instances in which a malloc'd array
of pointers is then initialized by a secondary sequence of malloc()
calls. If one of these calls fails, libpng's cleanup routine will
attempt to free the entire array, including any uninitialized pointers,
which could lead to execution of an attacker's code with the privileges
of the libpng user (including remote compromise in the case of a
libpng-based browser visiting a hostile web site). This vulnerability
has been assigned ID
CVE-2009-0040 and is fixed in version 1.2.35, released
18 February 2009.
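The allocation pattern described above, written in its safe form as an added example (not libpng's code or its actual patch). The allocator wrapper, the counters and the function names are hypothetical; they exist only so the failure path can be exercised.

```c
#include <stdlib.h>

/* Test allocator (hypothetical): fails once `alloc_budget` reaches 0. */
static int alloc_budget = -1;        /* -1 = never fail */
static int live_blocks = 0;          /* allocations not yet freed */

static void *budget_malloc(size_t n)
{
    if (alloc_budget == 0) return NULL;
    if (alloc_budget > 0) alloc_budget--;
    void *p = malloc(n);
    if (p) live_blocks++;
    return p;
}

static void counted_free(void *p) { if (p) { live_blocks--; free(p); } }

/* Free a row table. Correct only if every slot is NULL or an owned block. */
void free_rows(unsigned char **rows, size_t height)
{
    if (!rows) return;
    for (size_t i = 0; i < height; i++) counted_free(rows[i]);
    counted_free(rows);
}

/*
 * Allocate `height` rows of `rowbytes` bytes each. The flawed pattern fills
 * a malloc'd pointer table row by row and, on failure, frees all `height`
 * slots, including ones never written. Here every slot is NULL first.
 */
unsigned char **alloc_rows(size_t height, size_t rowbytes)
{
    if (height == 0 || height > (size_t)-1 / sizeof(unsigned char *))
        return NULL;
    unsigned char **rows = budget_malloc(height * sizeof *rows);
    if (!rows) return NULL;
    for (size_t i = 0; i < height; i++) rows[i] = NULL;   /* the fix */
    for (size_t i = 0; i < height; i++) {
        rows[i] = budget_malloc(rowbytes);
        if (!rows[i]) { free_rows(rows, height); return NULL; }
    }
    return rows;
}

int main(void)
{
    alloc_budget = 3;                /* table + 2 rows succeed, 3rd row fails */
    return (alloc_rows(8, 16) == NULL && live_blocks == 0) ? 0 : 1;
}
```

Forcing the allocator to fail at each position in turn is a cheap way to test that every cleanup path touches only pointers it owns.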
Vulnerability Warning
Versions 1.2.30 and 1.2.31 of libpng can crash when reading images with
multiple zTXt chunks; it is likely that this vulnerability could lead to
a remote compromise in the case of a libpng-based browser visiting a
hostile web site. This vulnerability has been assigned
ID CVE-2008-3964 and is fixed in version 1.2.32, released
18 September 2008.
Vulnerability Warning
All versions of libpng from 1.0.6 through 1.2.26 have a bug when handling
unknown (to libpng) chunks with zero data length. Applications that call
either png_set_read_user_chunk_fn() or
png_set_keep_unknown_chunks(), when used with standard builds
of libpng (i.e., built with either PNG_READ_UNKNOWN_CHUNKS_SUPPORTED or
PNG_READ_USER_CHUNKS_SUPPORTED defined), can crash when attempting to
free a non-existent data buffer for the unknown chunk. The pngtest
sample application distributed with libpng, pngcrush, and certain
versions of ImageMagick are known to be affected, but the bug is
otherwise believed to be quite rare. This vulnerability has been assigned
ID CVE-2008-1382 and is fixed in version 1.2.27, released
28 April 2008.
Crash Warning
Most versions of libpng up through 1.2.24 have a number of minor coding
errors that could lead to crashes in exceptional cases. For example, if
memory allocation fails while processing certain ancillary chunks, libpng
could crash while attempting to write to the NULL pointer; or if the
application author failed to set up the info_ptr as required,
some parts of libpng fail to check for NULL and could crash trying to
read the pointer (though it's probable that the error would have caused
libpng to terminate upstream of these parts). The bugs are fixed in
version 1.2.25, released 18 February 2008.
Vulnerability Warning
Version 1.2.21 has a crash bug when reading the ICC-profile chunk, iCCP
(CVE-2007-5267). This bug is fixed in version 1.2.22,
released 13 October 2007.
Vulnerability Warning
Versions 1.2.20 and earlier have a number of potential crash-bugs due to
out-of-bounds reads in certain chunk-handlers; MITRE has collectively
assigned them the identifiers CVE-2007-5266, CVE-2007-5268 and CVE-2007-5269. These bugs are fixed in version 1.2.21,
released 4 October 2007, but another crash bug (related to the
ICC-profile chunk) remains to be fixed in version 1.2.22.
Vulnerability Warning
Versions up through 1.2.16 (and 1.0.24) have a NULL-pointer-dereference
vulnerability involving palette images with a malformed tRNS chunk (i.e.,
one with a bad CRC value). This bug can, at a minimum, cause crashes in
browsers simply by visiting a page displaying such an image; reportedly
it also crashes the Microsoft Windows display manager. CERT refers to
it as VU#684664
and MITRE as CVE-2007-2445. It's fixed in versions libpng 1.2.18 and
libpng 1.0.26 (also 1.2.17 and 1.0.25, which had a
bug in their configure scripts), released 15 May 2007.
Vulnerability Warning
Versions 1.0.6 through 1.2.12 and 1.0.20 have a bug in the decoder for
the sPLT ("suggested palette") chunk; this can lead to crashes and,
accordingly, a denial of service (e.g., crashing your browser when you
visit a site displaying a specially crafted PNG). The bug is fixed in
libpng 1.2.13 and libpng 1.0.21, released 15 November
2006. MITRE refers to this bug as CVE-2006-5793.
The same releases also include fixes for a specific class of application
error (NULL png_ptr) and for a bug in the code that writes the
iCCP ("ICC profile") chunk.
Vulnerability Warning
Versions up through 1.2.11 and 1.0.19 have a buffer-overrun vulnerability
when a particular error message is triggered. The overrun is always by
exactly two bytes ('k' and NULL) so it seems highly unlikely that it
could be used for anything more nefarious than denial of service (e.g.,
crashing your browser when you visit a site displaying a specially
crafted PNG). Nevertheless, it's worth fixing, and versions libpng
1.2.12 and libpng 1.0.20, released 27 June 2006, do just
that. (Note that 1.2.11 and 1.0.19 erroneously claimed to include the
fix, but in fact it had been inadvertently omitted.) MITRE refers to
this bug as CVE-2006-3334.
The same releases (and their immediate predecessors) also fix an
out-of-bounds (by one) memory read and a second buffer overrun, this one
in the code that writes the sCAL ("physical scale of subject")
chunk (which is rather rare in any case).
There have been other issues in older versions released in 2004:
Crash Warning
Versions 1.2.7, 1.2.6, 1.0.17, and 1.0.16 have a bug that will cause
applications that strip the alpha channel (while reading a PNG) to crash.
The bug is fixed in versions 1.2.8 and 1.0.18, which were
released on 3 December 2004. MITRE refers to this bug as CVE-2006-0481.
The release before that fixed another bug, this one in the PNG-writing code:
Broken-Image Warning
Versions 1.2.6 and 1.0.16 can write an invalid zlib header within the
PNG datastream. This is not quite as bad as it sounds since the two-byte
header can be corrected fairly easily (e.g., use pngcrush to rewrite the images and,
perhaps, compress them slightly better, or run the
png-fix-IDAT-windowsize utility bundled with pngcheck 2.1.0 or later), but some applications
will display the images incorrectly. Microsoft Word and Internet
Explorer are known to be affected. A libpng patch is available, and versions 1.2.7 and
1.0.17 (incorporating the fix) were released on 11 September
2004.
Finally--and most important--there were several security vulnerabilities
present in versions of libpng prior to 1.2.6 and 1.0.16, one of which is
quite dangerous:
Vulnerability Warning
On 4 August 2004 a new jumbo security patch was released to
address several potential vulnerabilities in libpng, at least one of
which is quite serious. It was followed on 15 August by
the full libpng 1.2.6 and libpng 1.0.16 releases, which,
like subsequent releases, incorporate the fix. All users are strongly
urged to upgrade to the latest release of libpng or to patch any affected
applications as soon as possible.
(Graphical browsers and e-mail clients are particularly at risk.)
Get the latest releases or an appropriate combo patch either from
SourceForge (headings 1.2.5-security-patches and 1.2.5and-older-sec-patchs)
or from Simple Systems.
Here's the CERT advisory, along with the relevant CERT and MITRE vulnerability
pages:
These vulnerabilities were discovered by Chris Evans and are also
described in his alert. (Many thanks to Chris for notifying the libpng team and
for providing time to fix the bugs before the public announcement!)
Last modified 27 February 2010.
Please direct libpng comments and questions to the png-mng-implement mailing list.
Web page copyright © 2000-2010 Greg Roelofs. libpng copyright 1995-2010
contributing authors.