libpng

libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over 28 years. The home site for development versions (i.e., may be buggy or subject to change or include experimental features) is https://libpng.sourceforge.io/, and the place to go for questions about the library is the png-mng-implement mailing list.

libpng is available as ANSI C (C89) source code and requires zlib 1.0.4 or later (1.2.13 or later recommended for performance and security reasons). The current public release, libpng 1.6.43, adds support for the eXIf chunk in the push-style PNG API (courtesy of Chris Blume) as well as numerous minor fixes and improvements. The pngexifinfo utility can now be found in contrib/pngexif as well.

Portability Note

The libpng 1.6.x series continues the evolution of the libpng API, finally hiding the contents of the venerable and hoary png_struct and png_info data structures inside private (i.e., non-installed) header files. Instead of direct struct-access, applications should be using the various png_get_xxx() and png_set_xxx() accessor functions, which have existed for almost as long as libpng itself.

The portability notice should not come as a particular surprise to anyone who has added libpng support to an application this millenium; the manual has warned of it since at least July 2000. (Specifically: "Starting with version 2.0.0, both structures are going to be hidden, and the contents of the structures will only be accessible through the png_get/png_set functions." OK, so the version number was off a bit...and the grammar, too, but who's counting?) Those whose apps depend on the older API need not panic, however (for now); libpng 1.2.x continues to get security fixes, as has 1.0.x for well over a decade. (Greg no longer bothers to list either series here; enough's enough, folks. Update those apps now!)

The 1.5.x and later series also include a new, more thorough test program (pngvalid.c) and a new pnglibconf.h header file that tracks what features were enabled or disabled when libpng was built. On the other hand, they no longer internally include the zlib.h header file, so applications that formerly depended on png.h to provide that will now need to include it explicitly. Complete differences relative to libpng 1.4.x are detailed here.

See the bottom of this page for warnings about security and crash bugs in versions up through libpng 1.6.36.

In addition to the main library sources, all of the 1.2.x/1.4.x/1.5.x/1.6.x/1.7.x series include the rpng, rpng2 and wpng demo programs, the pngminus demo program, a subset of Willem van Schaik's PngSuite test images, and Willem's VisualPng demo program.

Current
version:
1.6.43
Authors: Guy Eric Schalnat, Andreas Dilger, John Bowler, Glenn Randers-Pehrson, Cosmin Truta (current maintainer), and others
License: Open Source
Platforms: Unix, DOS, OS/2, Windows, Mac OS, BeOS, Amiga, etc.
README: local web site
http://www.libpng.org/pub/png/src/
http://prdownloads.sourceforge.net/libpng/
Manual: plain text format

PDF format (version 1.4.0 [Jan 2010], courtesy of Alex Yau)
Mailing
list:
png-mng-implement
Source
code:
sourceforge.net
archive sizes (bytes):
   .tar.xz 
 .tar.xz 
 1044076 
 .tar.gz 
 .tar.gz 
 1542747 
 .zip 
 .zip 
 1812260 

SHA-256 checksums:

e804e465d4b109b5ad285a8fb71f0dd3f74f0068f91ce3cdfde618180c174925  libpng-1.6.43.tar.gz
6a5ca0652392a2d7c9db2ae5b40210843c0bbc081cbd410825ab00cc59f14a6c  libpng-1.6.43.tar.xz
fc466a1e638e635d6c66363bdf3f38555b81b0141d0b06ba45b49ccca327436d  lpng1643.zip
Beta
code:
https://libpng.sourceforge.io/

git repository:
access:   git://git.code.sf.net/p/libpng/code
browse:   https://sourceforge.net/p/libpng/code/ci/libpng16/tree/

Current
binaries:
operating system
platform
version
Linux (.txz)
Linux (.txz)
Linux (.deb)
x86
x86_64
many
 1.6.43-
 1.6.43-
 1.6.43-

(these are "unofficial" binaries compiled  by third parties)
Older
binaries:
operating system
platform
version
HP-UX
Linux (.rpm) (dev)
Mac OS X
PA-RISC,IA64
many
x86,PowerPC
 1.6.42-
 1.6.40-
 1.6.39-

(these are "unofficial" binaries compiled  by third parties)
Supporting
libraries
and tools:
zlib
XZ (needed only to decompress tar.xz source archive)


Security and Crash Bugs in Older Versions

Vulnerability Warning

libpng versions 1.6.36 and earlier have a use-after-free bug in the simplified libpng API png_image_free(). It has been assigned ID CVE-2019-7317. The vulnerability is fixed in version 1.6.37, released on 15 April 2019.

Vulnerability Warning

libpng version 1.6.31 added png_handle_eXIf(), which has a null-pointer-dereference bug as well as a potential memory leak. Insofar as the function has existed for only four weeks and the chunk itself for only six, it's unlikely there are any applications affected by it at this time, but they might come into existence in the future. The vulnerability is fixed in version 1.6.32, released on 24 August 2017.

Vulnerability Warning

Virtually all libpng versions through 1.6.26, 1.5.27, 1.4.19, 1.2.56, and 1.0.66, respectively, have a null-pointer-dereference bug in png_set_text_2() when an image-editing application adds, removes, and re-adds text chunks to a PNG image. (This bug does not affect pure viewers, nor are there any known editors that could trigger it without interactive user input. It has been assigned ID CVE-2016-10087.) The vulnerability is fixed in versions 1.6.27, 1.5.28, 1.4.20, 1.2.57, and 1.0.67, released on 29 December 2016.

Vulnerability Warning

Virtually all old-branch libpng versions through 1.5.25, 1.4.18, 1.2.55, and 1.0.65, respectively, have a potential out-of-bounds read in png_check_keyword(), which has been assigned ID CVE-2015-8540). The vulnerability is fixed in versions 1.5.26, 1.4.19, 1.2.56, and 1.0.66, released on 17 December 2015. The current branch (1.6.x) is not vulnerable to this bug.

Vulnerability Warning

Virtually all libpng versions through 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64, respectively, have a potential pointer overflow/underflow in png_handle_sPLT()/png_handle_pCAL() (and in png_handle_iTXt()/png_handle_zTXt() in the pre-1.6 branches), and all such versions likewise have a bug in their png_set_PLTE() implementations that left it open to the out-of-bounds write (CVE-2015-8126) that was supposed to have been fixed in the previous release. The bugs are fixed in versions 1.6.20, 1.5.25, 1.4.18, 1.2.55, and 1.0.65, released on 3 December 2015.

Vulnerability Warning

Virtually all libpng versions through 1.6.18, 1.5.23, 1.4.16, 1.2.53, and 1.0.63, respectively, have a potential out-of-bounds read in png_set_tIME()/png_convert_to_rfc1123() and an out-of-bounds write in png_get_PLTE()/png_set_PLTE(). The former vulnerability has been assigned ID CVE-2015-7981 and the latter CVE-2015-8126. The first is fixed in versions 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64, released on 12 November 2015; see the subsequent vulnerability warning for info about the latter fix.

Vulnerability Warning

libpng versions 1.6.9 through 1.6.15 (and some subset of versions up through 1.5.20) have an integer-overflow vulnerability in png_combine_row() when decoding very wide interlaced images, which can allow an attacker to overwrite an arbitrary amount of memory with arbitrary (attacker-controlled) data. This vulnerability has been assigned ID CVE-2014-9495 and is fixed in versions 1.6.16 and 1.5.21, released on 21 December 2014.

Vulnerability Warning

Virtually all libpng versions through 1.6.14, 1.5.19, 1.4.13, 1.2.51, and 1.0.61, respectively, have an out-of-bounds memory access in png_user_version_check(). It is unclear whether this could lead to an actual exploit. The bug is fixed in versions 1.6.15, 1.5.20, etc., released on 20 November 2014.

Vulnerability Warning

libpng versions 1.6.0 through 1.6.9 hang when reading images that have zero-length IDAT chunks with the progressive (streaming) reader; a malicious web site could use this bug to cause a (minor) denial of service. This vulnerability has been assigned ID CVE-2014-0333 and is fixed in version 1.6.10, released 6 March 2014.

Vulnerability Warning

libpng versions 1.6.1 through 1.6.7 fail to reject colormapped images with empty palettes, leading to a null-pointer dereference (crash) in png_do_expand_palette(). This vulnerability has been assigned ID CVE-2013-6954 and is fixed in version 1.6.8, released 19 December 2013.

Vulnerability Warning

Various versions of libpng through 1.5.11, 1.4.11, 1.2.49, and 1.0.59, respectively, set the top-level archive-extraction directory's permissions to be world-writable as part of the distcheck Makefile target's operations (configure-generated Makefile only). This could allow a local attacker on the build host to silently replace the extracted libpng library with a malicious version, conceivably poisoning an official binary distribution of libpng (though the likelihood of this seems remote), but more generally allowing the attacker to execute arbitrary commands with the permissions of the user running make. This vulnerability has been assigned ID CVE-2012-3386 and is fixed in version 1.5.12 (and versions 1.4.12, 1.2.50, and 1.0.60, respectively, on the older branches), released 10 July 2012.

Vulnerability Warning

All "modern" versions of libpng through 1.5.9, 1.4.10, 1.2.48, and 1.0.58, respectively, fail to correctly handle malloc() failure for text chunks (in png_set_text_2()), which can lead to memory corruption and the possibility of execution of hostile code. This serious vulnerability has been assigned ID CVE-2011-3048 and is fixed in version 1.5.10 (and versions 1.4.11, 1.2.49, and 1.0.59, respectively, on the older branches), released 29 March 2012.

Vulnerability Warning

All versions of libpng from 1.0.6 through 1.5.8, 1.4.8, 1.2.46, and 1.0.56, respectively, fail to correctly validate a heap allocation in png_decompress_chunk(), which can lead to a buffer-overrun and the possibility of execution of hostile code on 32-bit systems. This serious vulnerability has been assigned ID CVE-2011-3026 and is fixed in version 1.5.9 (and versions 1.4.9, 1.2.47, and 1.0.57, respectively, on the older branches), released 18 February 2012.

Vulnerability Warning

libpng 1.5.4 through 1.5.7 contain a one-byte (stack) buffer-overrun bug in png_formatted_warning(), which could lead to crashes (denial of service) or, conceivably, execution of hostile code. This vulnerability has been assigned ID CVE-2011-3464 and is fixed in version 1.5.8, released 1 February 2012.

Vulnerability Warning

libpng 1.5.4 (only) introduced a divide-by-zero bug in png_handle_cHRM(), which could lead to crashes (denial of service) in applications that support color correction. This vulnerability has been assigned ID CVE-2011-3328 (CERT VU#477046) and is fixed in version 1.5.5, released 22 September 2011.

Vulnerability Warning

All released versions of libpng (from 1.0 onward) have a buffer overrun in the code that promotes palette images with transparency (1 channel) to grayscale+alpha images (2 channels), but only for applications that call png_rgb_to_gray() and not png_set_expand(). (None are known.) An arbitrary amount of memory may be overwritten in this case, with arbitrary (attacker-controlled) data. This vulnerability has been assigned ID CVE-2011-2690.

libpng 1.2.20 and later crashes in png_default_error() due to internal use of a NULL pointer instead of the empty string (""). This vulnerability has been assigned ID CVE-2011-2691.

Many (most?) versions of libpng read uninitialized memory when handling empty sCAL chunks, and they handle malformed sCAL chunks (those lacking a delimiting NULL between the internal strings) incorrectly. This vulnerability has been assigned ID CVE-2011-2692.

All of these issues are fixed in version 1.5.4 (as well as 1.4.8, 1.2.45, and 1.0.55 on the older branches), released 7 July 2011.

Vulnerability Warning

libpng 1.5.0 (only) introduced a bug in the RGB-to-grayscale transform code, which can lead to buffer overruns due to incorrect calculation of the number of bytes per pixel. (Since 1.5.0 was just released, no apps or OS distributions are believed to ship with it, so the risk should be minimal.) This vulnerability has been assigned ID CVE-2011-0408 (CERT VU#643140) and is fixed in version 1.5.1, released 3 February 2011.

Vulnerability Warning

Several versions of libpng through 1.4.2 (and through 1.2.43 in the older series) contain a bug whereby progressive applications such as web browsers (or the rpng2 demo app included in libpng) could receive an extra row of image data beyond the height reported in the header, potentially leading to an out-of-bounds write to memory (depending on how the application is written) and the possibility of execution of an attacker's code with the privileges of the libpng user (including remote compromise in the case of a libpng-based browser visiting a hostile web site). This vulnerability has been assigned ID CVE-2010-1205 (via Mozilla).

An additional memory-leak bug, involving images with malformed sCAL chunks, is also present; it could lead to an application crash (denial of service) when viewing such images.

Both bugs are fixed in versions 1.4.3 and 1.2.44, released 25 June 2010.

Vulnerability Warning

Jeff Phillips reported that several versions of libpng through 1.2.35 contain an uninitialized-memory-read bug that may have security implications. Specifically, 1-bit (2-color) interlaced images whose widths are not divisible by 8 may result in several uninitialized bits at the end of certain rows in certain interlace passes being returned to the user. An application that failed to mask these out-of-bounds pixels might display or process them, albeit presumably with benign results in most cases. This bug may be fixed in version 1.2.36, released 7 May 2009, but the correct fix is in version 1.2.37, released 4 June 2009.

Vulnerability Warning

All versions of libpng from 0.89c through 1.2.34 contain an uninitialized-data bug that can be triggered by a malicious user. Specifically, there are several instances in which a malloc'd array of pointers is then initialized by a secondary sequence of malloc() calls. If one of these calls fails, libpng's cleanup routine will attempt to free the entire array, including any uninitialized pointers, which could lead to execution of an attacker's code with the privileges of the libpng user (including remote compromise in the case of a libpng-based browser visiting a hostile web site). This vulnerability has been assigned ID CVE-2009-0040 and is fixed in version 1.2.35, released 18 February 2009.

Vulnerability Warning

Versions 1.2.30 and 1.2.31 of libpng can crash when reading images with multiple zTXt chunks; it is likely that this vulnerability could lead to a remote compromise in the case of a libpng-based browser visiting a hostile web site. This vulnerability has been assigned ID CVE-2008-3964 and is fixed in version 1.2.32, released 18 September 2008.

Vulnerability Warning

All versions of libpng from 1.0.6 through 1.2.26 have a bug when handling unknown (to libpng) chunks with zero data length. Applications that call either png_set_read_user_chunk_fn() or png_set_keep_unknown_chunks(), when used with standard builds of libpng (i.e., built with either PNG_READ_UNKNOWN_CHUNKS_SUPPORTED or PNG_READ_USER_CHUNKS_SUPPORTED defined), can crash when attempting to free a non-existent data buffer for the unknown chunk. The pngtest sample application distributed with libpng, pngcrush, and certain versions of ImageMagick are known to be affected, but the bug is otherwise believed to be quite rare. This vulnerability has been assigned ID CVE-2008-1382 and is fixed in version 1.2.27, released 28 April 2008.

Crash Warning

Most versions of libpng up through 1.2.24 have a number of minor coding errors that could lead to crashes in exceptional cases. For example, if memory allocation fails while processing certain ancillary chunks, libpng could crash while attempting to write to the NULL pointer; or if the application author failed to set up the info_ptr as required, some parts of libpng fail to check for NULL and could crash trying to read the pointer (though it's probable that the error would have caused libpng to terminate upstream of these parts). The bugs are fixed in version 1.2.25, released 18 February 2008.

Vulnerability Warning

Version 1.2.21 has a crash bug when reading the ICC-profile chunk, iCCP (CVE-2007-5267). This bug is fixed in version 1.2.22, released 13 October 2007.

Vulnerability Warning

Versions 1.2.20 and earlier have a number of potential crash-bugs due to out-of-bounds reads in certain chunk-handlers; MITRE has collectively assigned them the identifiers CVE-2007-5266, CVE-2007-5268 and CVE-2007-5269. These bugs are fixed in version 1.2.21, released 4 October 2007, but another crash bug (related to the ICC-profile chunk) remains to be fixed in version 1.2.22.

Vulnerability Warning

Versions up through 1.2.16 (and 1.0.24) have an NULL-pointer-dereference vulnerability involving palette images with a malformed tRNS chunk (i.e., one with a bad CRC value). This bug can, at a minimum, cause crashes in browsers simply by visiting a page displaying such an image; reportedly it also crashes the Microsoft Windows display manager. CERT refers to it as VU#684664 and MITRE as CVE-2007-2445. It's fixed in versions libpng 1.2.18 and libpng 1.0.26 (also 1.2.17 and 1.0.25, which had a bug in their configure scripts), released 15 May 2007.

Vulnerability Warning

Versions 1.0.6 through 1.2.12 and 1.0.20 have a bug in the decoder for the sPLT ("suggested palette") chunk; this can lead to crashes and, accordingly, a denial of service (e.g., crashing your browser when you visit a site displaying a specially crafted PNG). The bug is fixed in libpng 1.2.13 and libpng 1.0.21, released 15 November 2006. MITRE refers to this bug as CVE-2006-5793.

The same releases also include fixes for a specific class of application error (NULL png_ptr) and for a bug in the code that writes the iCCP ("ICC profile") chunk.

Vulnerability Warning

Versions up through 1.2.11 and 1.0.19 have a buffer-overrun vulnerability when a particular error message is triggered. The overrun is always by exactly two bytes ('k' and NULL) so it seems highly unlikely that it could be used for anything more nefarious than denial of service (e.g., crashing your browser when you visit a site displaying a specially crafted PNG). Nevertheless, it's worth fixing, and versions libpng 1.2.12 and libpng 1.0.20, released 27 June 2006, do just that. (Note that 1.2.11 and 1.0.19 erroneously claimed to include the fix, but in fact it had been inadvertently omitted.) MITRE refers to this bug as CVE-2006-3334.

The same releases (and their immediate predecessors) also fix an out-of-bounds (by one) memory read and a second buffer overrun, this one in the code that writes the sCAL ("physical scale of subject") chunk (which is rather rare in any case).

There have been other issues in older versions released in 2004:

Crash Warning

Versions 1.2.7, 1.2.6, 1.0.17, and 1.0.16 have a bug that will cause applications that strip the alpha channel (while reading a PNG) to crash. The bug is fixed in versions 1.2.8 and 1.0.18, which were released on 3 December 2004. MITRE refers to this bug as CVE-2006-0481.

The release before that fixed another bug, this one in the PNG-writing code:

Broken-Image Warning

Versions 1.2.6 and 1.0.16 can write an invalid zlib header within the PNG datastream. This is not quite as bad as it sounds since the two-byte header can be corrected fairly easily (e.g., use pngcrush to rewrite the images and, perhaps, compress them slightly better, or run the png-fix-IDAT-windowsize utility bundled with pngcheck 2.1.0 or later), but some applications will display the images incorrectly. Microsoft Word and Internet Explorer are known to be affected. A libpng patch is available, and versions 1.2.7 and 1.0.17 (incorporating the fix) were released on 11 September 2004.

Finally--and most important--there were several security vulnerabilities present in versions of libpng prior to 1.2.6 and 1.0.16, one of which is quite dangerous:

Vulnerability Warning

On 4 August 2004 a new jumbo security patch was released to address several potential vulnerabilities in libpng, at least one of which is quite serious. It was followed on 15 August by the full libpng 1.2.6 and libpng 1.0.16 releases, which, like subsequent releases, incorporate the fix. All users are strongly urged to upgrade to the latest release of libpng or to patch any affected applications as soon as possible. (Graphical browsers and e-mail clients are particularly at risk.) Get the latest releases or an appropriate combo patch either from SourceForge (headings 1.2.5-security-patches and 1.2.5and-older-sec-patchs) or from Oregon State's Open Source Lab.

Here's the CERT advisory, along with the relevant CERT and MITRE vulnerability pages:

These vulnerabilities were discovered by Chris Evans and are also described in his alert. (Many thanks to Chris for notifying the libpng team and for providing time to fix the bugs before the public announcement!)



[primary site hosted by SourceForge] Last modified 2 March 2024. Please direct libpng comments and questions to the png-mng-implement mailing list.

Web page copyright © 2000-2024 Greg Roelofs. libpng copyright © 1995-2024 contributing authors.