pngcheck Home Page

pngcheck

pngcheck verifies the integrity of PNG, JNG and MNG files (by checking the internal 32-bit CRCs, a.k.a. checksums, and decompressing the image data); it can optionally dump almost all of the chunk-level information in the image in human-readable form. For example, it can be used to print the basic statistics about an image (dimensions, bit depth, etc.); to list the color and transparency info in its palette (assuming it has one); or to extract the embedded text annotations. This is a command-line program with batch capabilities.

"Change of Address" Note

Chris Lilley of the W3C has taken over development of pngcheck since 2021. The current code (post-3.0.3) is available at github:

https://github.com/pnggroup/pngcheck

And it is official despite its leftover README comments to the contrary (as of late February 2025; no doubt that will get fixed shortly). Note that the github repo has a relatively accurate commit history that was manually reconstructed by Cosmin Truta using Greg's old snapshots and Chris's fork. It dates back to 13 March 1995, just six days after the PNG spec was finalized; only the earliest commits/releases (just 1.0 and 1.1?) by Alexander Lehmann are missing.

This page will otherwise remain as-is because Greg is suuuuuper-lazy, but it is now as historical as (most of the rest of) the PNG site itself.

Here's some sample output (screen shots, eh?):

    % pngcheck -cvt ArcTriomphe-iCCP-red-blue-swap.png
    File: ArcTriomphe-iCCP-red-blue-swap.png (5171 bytes)
      chunk IHDR at offset 0x0000c, length 13
        64 x 64 image, 8-bit colormap, non-interlaced
      chunk iCCP at offset 0x00025, length 461
        profile name = Swapped red & blue channel
        compression method = 0 (deflate), compressed profile = 433 bytes
      chunk PLTE at offset 0x001fe, length 759: 253 palette entries
      chunk IDAT at offset 0x00501, length 3616
        zlib: deflated, 32K window, default compression
      chunk tEXt at offset 0x0132d, length 68, keyword: Title
        PNG color-correction test image, swapped red and blue channels
      chunk tEXt at offset 0x0137d, length 143, keyword: Copyright
        Copyright 2005 Greg Roelofs. Licensed under Creative Commons
        AttributionNonCommercial, http://creativecommons.org/licenses/by-nc/2.5/
      chunk tIME at offset 0x01418, length 7: 16 Aug 2005 07:07:07 GMT
      chunk IEND at offset 0x0142b, length 0
    No errors detected in ArcTriomphe-iCCP-red-blue-swap.png (8 chunks, -26.2% compression).

    % pngcheck -c *.png
    OK: 000000.png (48x48, 1-bit grayscale, non-interlaced, 71.2%).
    OK: 000033.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    OK: 000066.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    OK: 000099.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
     [...]
    OK: ffff66.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    OK: ffff99.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    OK: ffffcc.png (48x48, 1-bit colormap, non-interlaced, 66.0%).
    OK: ffffff.png (48x48, 1-bit grayscale, non-interlaced, 70.1%).
    ataylor-bad-text-length.png  illegal (unless recently approved) unknown, public chunk xORk
    ERROR: ataylor-bad-text-length.png
    google-island-96x69.png  zlib: inflate error = -3 (data error)
    ERROR: google-island-96x69.png

    Errors were detected in 2 of the 218 files tested.
    No errors were detected in 216 of the 218 files tested.

Vulnerability Warning
pngcheck versions 3.0.2 and earlier have a divide-by-zero bug when zlib-decoding interlaced PNGs with extra data beyond what is required for the declared image dimensions. This bug is fixed in version 3.0.3, released on 25 April 2021. Again, while all known vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

The current release supports all PNG, MNG and JNG chunks, including the newer sTER (stereo layout) and eXIf (EXIF metadata) chunks. It correctly reports errors in all but two of the images in Chris Nokleberg's brokensuite-20061204. Also included (since version 2.1.0) are two helper utilities:

pngsplit - break a PNG, MNG or JNG image into constituent chunks (numbered for easy reassembly)
png-fix-IDAT-windowsize - fix minor zlib-header breakage caused by libpng 1.2.6

The extra utilities are licensed under the GNU General Public License (GPL); pngcheck itself remains under its original, MIT/X11-style license.

Current version:

~~3.0.3~~ see github site

Authors:

Alexander Lehmann, Andreas Dilger, Greg Roelofs, Chris Lilley

License:

Open Source

Platforms:

Unix, DOS, OS/2, Windows, Macintosh, Amiga, etc.

Old README:

local web site
http://www.libpng.org/pub/png/src/

Old ChangeLog:

local web site
http://www.libpng.org/pub/png/src/

Old binaries:

operating system

platform

version(s) at last check

Win32 (.zip)
HP-UX
Linux (.rpm)

FreeBSD
Linux (.deb)

Mac OS X 10.2

x86,x86_64
PA-RISC
many

x86
many

PPC

3.0.3
3.0.3
3.0.3-

3.0.2
3.0.2-

1.99.3

(most of these are "unofficial" binaries compiled by third parties)

Old source code:

local web site (.tar.gz)
local web site (.zip)

SHA-256 checksums:

c36a4491634af751f7798ea421321642f9590faa032eccb0dd5fb4533609dee6  pngcheck-3.0.3.tar.gz
13135c2cedff3083574b79856d7c2604b9487af0dcb8067f32ddf526ed395107  pngcheck-3.0.3.zip

Supporting libraries:

zlib

Related software:

PNG file chunk inspector - PNG file integrity checker and chunk dissector
pngmeta - PNG meta-information extractor

Security and Crash Bugs in Older Versions

Vulnerability Warning
pngcheck versions 3.0.1 and earlier have a buffer-overrun bug related to the MNG LOOP chunk (which gets noticed even in PNG files if the -s option is used). This bug is fixed in version 3.0.2, released on 31 January 2021. Again, while all known vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

Vulnerability Warning
pngcheck versions 3.0.0 and earlier have a pair of buffer-overrun bugs related to the sPLT and PPLT chunks (the latter is a MNG-only chunk, but it gets noticed even in PNG files if the -s option is used). Both bugs are fixed in version 3.0.1, released on 24 January 2021. Again, while all known vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

Vulnerability Warning
pngcheck versions 2.4.0 and earlier have a number of buffer-overrun bugs, most (but not all) of which are related to the -f option ("force continued parsing after major errors"). As such, the option has been removed altogether in version 3.0.0 (which is the reason for the major-version bump), released on 12 December 2020. All known vulnerabilities are fixed in this version, but the code is pretty crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

Last updated 24 February 2025.