libpng

libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over 13 years. The home site for development versions (i.e., may be buggy or subject to change or include experimental features) is http://libpng.sourceforge.net/, and the place to go for questions about the library is the png-mng-implement mailing list.

libpng is available as ANSI C (C89) source code and requires zlib 1.0.4 or later (1.2.3 recommended for performance and security reasons). The current public release, libpng 1.2.33, fixes a memory leak associated with reading malformed tEXt chunks.

See the bottom of this page for warnings about security and crash bugs in versions up through libpng 1.2.31.

In addition to the main library sources, libpng includes the rpng, rpng2 and wpng demo programs, the pngminus demo program, a subset of Willem van Schaik's PngSuite test images, and Willem's VisualPng demo program.

Current
version: 		1.2.33
Authors: Guy Eric Schalnat, Andreas Dilger, Glenn Randers-Pehrson (current maintainer), and others
License: Open Source
Platforms: Unix, DOS, OS/2, Windows, Mac OS, BeOS, Amiga, etc.
README: local web site
http://www.libpng.org/pub/png/src/
http://prdownloads.sourceforge.net/libpng/
ftp://ftp.simplesystems.org/pub/libpng/png/src/
Manual: plain text format
HTML format (version 1.2.5, courtesy of Deron Meranda)
MS Word format (version 1.2.0, courtesy of Pierre Delaage)
Mailing
list: 		png-mng-implement
Source
code:
    with config script   without config script
prdownloads.sourceforge.net
ftp.simplesystems.org
download.sourceforge.net
archive sizes (bytes):
    .tar.bz2 
 .tar.bz2 
 .tar.bz2 
 651555 
  .tar.gz 
 .tar.gz 
 .tar.gz 
 800321 
    .tar.bz2 
 .tar.bz2 
 .tar.bz2 
 390315 
  .tar.gz 
 .tar.gz 
 .tar.gz 
 521857 
  .zip 
 .zip 
 .zip 
 630800 

MD5 checksums:

6b10635315323768748b1ccf3aeee37a  libpng-1.2.33-no-config.tar.bz2
faa04f80d2f4e94172d85596bf80665c  libpng-1.2.33-no-config.tar.gz
0532c28ba1b17ee2095ad50731c2c75c  libpng-1.2.33.tar.bz2
38b174a0eef727eaccc3e5a3cb03b85f  libpng-1.2.33.tar.gz
c90ba3c0c966570b3bf125e8a45f0fb1  lpng1233.zip
Patches:  
Beta
code: 		http://libpng.sourceforge.net/
Current
binaries:
operating system
 platform
 version
Solaris 2.5-10
Linux (.rpm) (libpng3devdev3)
Linux (.rpm) (libpng3devdev3)
Linux (.deb)
 SPARC,x86
many
many
many
  1.2.33-
 1.2.33-
 1.2.33-
 1.2.33-

(these are "unofficial" binaries compiled  by third parties)
Previous
binaries:
operating system
 platform
 version
Linux (.tgz)
HP-UX
FreeBSD (.tbz)
 x86
PA-RISC,IA64
x86
  1.2.32-
 1.2.32-
 1.2.32

(these are "unofficial" binaries compiled  by third parties)
Old
binaries:
operating system
 platform
 version
Mac OS X
Mac OS X
GnuWin32
SCO OpenServer 5
Amiga/StormC 4
Windows CE
 x86,PowerPC
x86,PowerPC
x86
x86
68k,PPC
many
  1.2.31-
 1.2.29
 1.2.24-
 1.2.4
 1.2.3
 1.2.3

(these are "unofficial" binaries compiled  by third parties)
Supporting
libraries: 		zlib

Security and Crash Bugs in Older Versions

Vulnerability Warning

Versions 1.2.30 and 1.2.31 of libpng can crash when reading images with multiple zTXt chunks; it is likely that this vulnerability could lead to a remote compromise in the case of a libpng-based browser visiting a hostile web site. This vulnerability has been assigned ID CVE-2008-3964 and is fixed in version 1.2.32, released 18 September 2008.

Vulnerability Warning

All versions of libpng from 1.0.6 through 1.2.26 have a bug when handling unknown (to libpng) chunks with zero data length. Applications that call either png_set_read_user_chunk_fn() or png_set_keep_unknown_chunks(), when used with standard builds of libpng (i.e., built with either PNG_READ_UNKNOWN_CHUNKS_SUPPORTED or PNG_READ_USER_CHUNKS_SUPPORTED defined), can crash when attempting to free a non-existent data buffer for the unknown chunk. The pngtest sample application distributed with libpng, pngcrush, and certain versions of ImageMagick are known to be affected, but the bug is otherwise believed to be quite rare. This vulnerability has been assigned ID CVE-2008-1382 and is fixed in version 1.2.27, released 28 April 2008.

Crash Warning

Most versions of libpng up through 1.2.24 have a number of minor coding errors that could lead to crashes in exceptional cases. For example, if memory allocation fails while processing certain ancillary chunks, libpng could crash while attempting to write to the NULL pointer; or if the application author failed to set up the info_ptr as required, some parts of libpng fail to check for NULL and could crash trying to read the pointer (though it's probable that the error would have caused libpng to terminate upstream of these parts). The bugs are fixed in version 1.2.25, released 18 February 2008.

Vulnerability Warning

Version 1.2.21 has a crash bug when reading the ICC-profile chunk, iCCP (CVE-2007-5267). This bug is fixed in version 1.2.22, released 13 October 2007.

Vulnerability Warning

Versions 1.2.20 and earlier have a number of potential crash-bugs due to out-of-bounds reads in certain chunk-handlers; MITRE has collectively assigned them the identifiers CVE-2007-5266, CVE-2007-5268 and CVE-2007-5269. These bugs are fixed in version 1.2.21, released 4 October 2007, but another crash bug (related to the ICC-profile chunk) remains to be fixed in version 1.2.22.

Vulnerability Warning

Versions up through 1.2.16 (and 1.0.24) have an NULL-pointer-dereference vulnerability involving palette images with a malformed tRNS chunk (i.e., one with a bad CRC value). This bug can, at a minimum, cause crashes in browsers simply by visiting a page displaying such an image; reportedly it also crashes the Microsoft Windows display manager. CERT refers to it as VU#684664 and MITRE as CVE-2007-2445. It's fixed in versions libpng 1.2.18 and libpng 1.0.26 (also 1.2.17 and 1.0.25, which had a bug in their configure scripts), released 15 May 2007.

Vulnerability Warning

Versions 1.0.6 through 1.2.12 and 1.0.20 have a bug in the decoder for the sPLT ("suggested palette") chunk; this can lead to crashes and, accordingly, a denial of service (e.g., crashing your browser when you visit a site displaying a specially crafted PNG). The bug is fixed in libpng 1.2.13 and libpng 1.0.21, released 15 November 2006. MITRE refers to this bug as CVE-2006-5793.

The same releases also include fixes for a specific class of application error (NULL png_ptr) and for a bug in the code that writes the iCCP ("ICC profile") chunk.

Vulnerability Warning

Versions up through 1.2.11 and 1.0.19 have a buffer-overrun vulnerability when a particular error message is triggered. The overrun is always by exactly two bytes ('k' and NULL) so it seems highly unlikely that it could be used for anything more nefarious than denial of service (e.g., crashing your browser when you visit a site displaying a specially crafted PNG). Nevertheless, it's worth fixing, and versions libpng 1.2.12 and libpng 1.0.20, released 27 June 2006, do just that. (Note that 1.2.11 and 1.0.19 erroneously claimed to include the fix, but in fact it had been inadvertently omitted.) MITRE refers to this bug as CVE-2006-3334.

The same releases (and their immediate predecessors) also fix an out-of-bounds (by one) memory read and a second buffer overrun, this one in the code that writes the sCAL ("physical scale of subject") chunk (which is rather rare in any case).

There have been other issues in older versions released in 2004:

Crash Warning

Versions 1.2.7, 1.2.6, 1.0.17, and 1.0.16 have a bug that will cause applications that strip the alpha channel (while reading a PNG) to crash. The bug is fixed in versions 1.2.8 and 1.0.18, which were released on 3 December 2004. MITRE refers to this bug as CVE-2006-0481.

The release before that fixed another bug, this one in the PNG-writing code:

Broken-Image Warning

Versions 1.2.6 and 1.0.16 can write an invalid zlib header within the PNG datastream. This is not quite as bad as it sounds since the two-byte header can be corrected fairly easily (e.g., use pngcrush to rewrite the images and, perhaps, compress them slightly better, or run the png-fix-IDAT-windowsize utility bundled with pngcheck 2.1.0 or later), but some applications will display the images incorrectly. Microsoft Word and Internet Explorer are known to be affected. A libpng patch is available, and versions 1.2.7 and 1.0.17 (incorporating the fix) were released on 11 September 2004.

Finally--and most important--there were several security vulnerabilities present in versions of libpng prior to 1.2.6 and 1.0.16, one of which is quite dangerous:

Vulnerability Warning

On 4 August 2004 a new jumbo security patch was released to address several potential vulnerabilities in libpng, at least one of which is quite serious. It was followed on 15 August by the full libpng 1.2.6 and libpng 1.0.16 releases, which, like subsequent releases, incorporate the fix. All users are strongly urged to upgrade to the latest release of libpng or to patch any affected applications as soon as possible. (Graphical browsers and e-mail clients are particularly at risk.) Get the latest releases or an appropriate combo patch either from SourceForge (headings 1.2.5-security-patches and 1.2.5and-older-sec-patchs) or from Simple Systems.

Here's the CERT advisory, along with the relevant CERT and MITRE vulnerability pages:

These vulnerabilities were discovered by Chris Evans and are also described in his alert. (Many thanks to Chris for notifying the libpng team and for providing time to fix the bugs before the public announcement!)

[primary site hosted by SourceForge.net] Last modified 2 November 2008. Please direct libpng comments and questions to the png-mng-implement mailing list.

Web page copyright © 2000-2008 Greg Roelofs. libpng copyright 1995-2008 contributing authors.