libpng 1.6.56 - March 25, 2026
==============================

This is a public release of libpng, intended for use in production code.


Files available for download
----------------------------

Source files:

 * libpng-1.6.56.tar.xz (LZMA-compressed, recommended)
 * libpng-1.6.56.tar.gz (deflate-compressed)
 * lpng1656.7z (LZMA-compressed)
 * lpng1656.zip (deflate-compressed)

Other information:

 * README.md
 * LICENSE.md
 * AUTHORS.md
 * TRADEMARK.md


Changes from version 1.6.55 to version 1.6.56
---------------------------------------------

 * Fixed CVE-2026-33416 (high severity):
   Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`.
   (Reported by Halil Oktay and Ryo Shimada;
   fixed by Halil Oktay and Cosmin Truta.)
 * Fixed CVE-2026-33636 (high severity):
   Out-of-bounds read/write in the palette expansion on ARM Neon.
   (Reported by Taegu Ha; fixed by Taegu Ha and Cosmin Truta.)
 * Fixed uninitialized reads beyond `num_trans` in `trans_alpha` buffers.
   (Contributed by Halil Oktay.)
 * Fixed stale `info_ptr->palette` after in-place gamma and background
   transforms.
 * Fixed wrong channel indices in `png_image_read_and_map` RGB_ALPHA path.
   (Contributed by Yuelin Wang.)
 * Fixed wrong background color in colormap read.
   (Contributed by Yuelin Wang.)
 * Fixed dead loop in sPLT write.
   (Contributed by Yuelin Wang.)
 * Added missing null pointer checks in four public API functions.
   (Contributed by Yuelin Wang.)
 * Validated shift bit depths in `png_set_shift` to prevent infinite loop.
   (Contributed by Yuelin Wang.)
 * Avoided undefined behavior in library and tests.
 * Deprecated the hardly-ever-tested POINTER_INDEXING config option.
 * Added negative-stride test coverage for the simplified API.
 * Fixed memory leaks and API misuse in oss-fuzz.
   (Contributed by Owen Sanzas.)
 * Implemented various fixes and improvements in oss-fuzz.
   (Contributed by Bob Friesenhahn and Philippe Antoine.)
 * Performed various refactorings and cleanups.

Send comments/corrections/commendations to png-mng-implement at lists.sf.net. Subscription is required; visit to subscribe.