CVS commit: pkgsrc/graphics/png

["Thomas Klausner" <wiz%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   wiz
Date:           Thu Mar 26 07:42:55 UTC 2026

Modified Files:
        pkgsrc/graphics/png: Makefile distinfo

Log Message:
png: update to 1.6.56.

Version 1.6.56 [March 25, 2026]
  Fixed CVE-2026-33416 (high severity):
    Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`.
    (Reported by Halil Oktay and Ryo Shimada;
    fixed by Halil Oktay and Cosmin Truta.)
  Fixed CVE-2026-33636 (high severity):
    Out-of-bounds read/write in the palette expansion on ARM Neon.
    (Reported by Taegu Ha; fixed by Taegu Ha and Cosmin Truta.)
  Fixed uninitialized reads beyond `num_trans` in `trans_alpha` buffers.
    (Contributed by Halil Oktay.)
  Fixed stale `info_ptr->palette` after in-place gamma and background
    transforms.
  Fixed wrong channel indices in `png_image_read_and_map` RGB_ALPHA path.
    (Contributed by Yuelin Wang.)
  Fixed wrong background color in colormap read.
    (Contributed by Yuelin Wang.)
  Fixed dead loop in sPLT write.
    (Contributed by Yuelin Wang.)
  Added missing null pointer checks in four public API functions.
    (Contributed by Yuelin Wang.)
  Validated shift bit depths in `png_set_shift` to prevent infinite loop.
    (Contributed by Yuelin Wang.)
  Avoided undefined behavior in library and tests.
  Deprecated the hardly-ever-tested POINTER_INDEXING config option.
  Added negative-stride test coverage for the simplified API.
  Fixed memory leaks and API misuse in oss-fuzz.
    (Contributed by Owen Sanzas.)
  Implemented various fixes and improvements in oss-fuzz.
    (Contributed by Bob Friesenhahn and Philippe Antoine.)
  Performed various refactorings and cleanups.


To generate a diff of this commit:
cvs rdiff -u -r1.220 -r1.221 pkgsrc/graphics/png/Makefile
cvs rdiff -u -r1.166 -r1.167 pkgsrc/graphics/png/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/png/Makefile
diff -u pkgsrc/graphics/png/Makefile:1.220 pkgsrc/graphics/png/Makefile:1.221
--- pkgsrc/graphics/png/Makefile:1.220  Tue Feb 10 07:01:20 2026
+++ pkgsrc/graphics/png/Makefile        Thu Mar 26 07:42:55 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.220 2026/02/10 07:01:20 wiz Exp $
+# $NetBSD: Makefile,v 1.221 2026/03/26 07:42:55 wiz Exp $
 
-DISTNAME=      libpng-1.6.55
+DISTNAME=      libpng-1.6.56
 PKGNAME=       ${DISTNAME:S/lib//}
 CATEGORIES=    graphics
 MASTER_SITES+= ${MASTER_SITE_SOURCEFORGE:=libpng/}

Index: pkgsrc/graphics/png/distinfo
diff -u pkgsrc/graphics/png/distinfo:1.166 pkgsrc/graphics/png/distinfo:1.167
--- pkgsrc/graphics/png/distinfo:1.166  Tue Feb 10 07:01:20 2026
+++ pkgsrc/graphics/png/distinfo        Thu Mar 26 07:42:55 2026
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.166 2026/02/10 07:01:20 wiz Exp $
+$NetBSD: distinfo,v 1.167 2026/03/26 07:42:55 wiz Exp $
 
 BLAKE2s (apng-20260116.patch) = b60bc1c57608e79afb87ba55fb152137d1910ba986d6aacad6d600392096b48a
 SHA512 (apng-20260116.patch) = f8de2168a1a8ed546de7eb6c3da993f99139f385ceaf008ecd8dc64869bb86a4cf61b749ee4060fa207a89917ead7c61d35e409ff477b6240e1a7bc141e2de24
 Size (apng-20260116.patch) = 49195 bytes
-BLAKE2s (libpng-1.6.55.tar.xz) = 113370cfbaf0f461395c4aa9e2b00fc28599089675c25f319c12deefb135dc4a
-SHA512 (libpng-1.6.55.tar.xz) = a9846fc32cb042bcce05f719a5b31255957e1c36ad6ad14dd23cf5eac3ce0b981dc5c34b18dc255e1fffc2cc064d0a77e3a1beb3c7167a0bdc3e1d0103383b4a
-Size (libpng-1.6.55.tar.xz) = 1064676 bytes
+BLAKE2s (libpng-1.6.56.tar.xz) = f197f3661f2bde5843bb12dd02e5e68d9d371e8bdc34db01b14565b3ecfa7438
+SHA512 (libpng-1.6.56.tar.xz) = e405c46d7c9cf8c6c9fb6cf35b7e8498bb863bb24a918f4a6b1aca9f1e61d8b9feb46cb67a5478b6d87da74b2baf1d1f25c43889866408fc23c0ac498094081f
+Size (libpng-1.6.56.tar.xz) = 1067028 bytes
 SHA1 (patch-libpng-config.in) = 04f8d6af31114017ce9d1280e62f1768c35c289d
 SHA1 (patch-pngpriv.h) = 16f80df18a2f58eec784e2d821e8bb93c3e81747