8382047: Update Libpng to 1.6.57

GoeLin · RealCLanger · commit 629b94d66ba6 · 2026-04-17T21:07:54.000+02:00
Reviewed-by: andrew Backport-of: 20e8ea0
diff --git a/src/java.desktop/share/legal/libpng.md b/src/java.desktop/share/legal/libpng.md
@@ -1,4 +1,4 @@
-## libpng v1.6.56
+## libpng v1.6.57
 
 ### libpng License
 <pre>
@@ -180,6 +180,7 @@ Authors, for copyright and licensing purposes.
  * Mans Rullgard
  * Matt Sarett
  * Mike Klein
+ * Mohammad Seet
  * Pascal Massimino
  * Paul Schmidt
  * Petr Simecek
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/CHANGES b/src/java.desktop/share/native/libsplashscreen/libpng/CHANGES
@@ -6368,6 +6368,17 @@ Version 1.6.56 [March 25, 2026]
     (Contributed by Bob Friesenhahn and Philippe Antoine.)
   Performed various refactorings and cleanups.
 
+Version 1.6.57 [April 8, 2026]
+  Fixed CVE-2026-34757 (medium severity):
+    Use-after-free in `png_set_PLTE`, `png_set_tRNS` and `png_set_hIST`
+    leading to corrupted chunk data and potential heap information disclosure.
+    Also hardened the append-style setters (`png_set_text`, `png_set_sPLT`,
+    `png_set_unknown_chunks`) against a theoretical variant of the same
+    aliasing pattern.
+    (Reported by Iv4n <Iv4n550@users.noreply.github.com>.)
+  Fixed integer overflow in rowbytes computation in read transforms.
+    (Contributed by Mohammad Seet.)
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net.
 Subscription is required; visit
 <https://lists.sourceforge.net/lists/listinfo/png-mng-implement>
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/README b/src/java.desktop/share/native/libsplashscreen/libpng/README
@@ -1,4 +1,4 @@
-README for libpng version 1.6.56
+README for libpng version 1.6.57
 ================================
 
 See the note about version numbers near the top of `png.h`.
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/png.c b/src/java.desktop/share/native/libsplashscreen/libpng/png.c
@@ -42,7 +42,7 @@
 #include "pngpriv.h"
 
 /* Generate a compiler error if there is an old png.h in the search path. */
-typedef png_libpng_version_1_6_56 Your_png_h_is_not_version_1_6_56;
+typedef png_libpng_version_1_6_57 Your_png_h_is_not_version_1_6_57;
 
 /* Sanity check the chunks definitions - PNG_KNOWN_CHUNKS from pngpriv.h and the
  * corresponding macro definitions.  This causes a compile time failure if
@@ -849,7 +849,7 @@ png_get_copyright(png_const_structrp png_ptr)
    return PNG_STRING_COPYRIGHT
 #else
    return PNG_STRING_NEWLINE \
-      "libpng version 1.6.56" PNG_STRING_NEWLINE \
+      "libpng version 1.6.57" PNG_STRING_NEWLINE \
       "Copyright (c) 2018-2026 Cosmin Truta" PNG_STRING_NEWLINE \
       "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
       PNG_STRING_NEWLINE \
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/png.h b/src/java.desktop/share/native/libsplashscreen/libpng/png.h
@@ -29,7 +29,7 @@
  * However, the following notice accompanied the original version of this
  * file and, per its terms, should not be removed:
  *
- * libpng version 1.6.56
+ * libpng version 1.6.57
  *
  * Copyright (c) 2018-2026 Cosmin Truta
  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
@@ -43,7 +43,7 @@
  *   libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger
  *   libpng versions 0.97, January 1998, through 1.6.35, July 2018:
  *     Glenn Randers-Pehrson
- *   libpng versions 1.6.36, December 2018, through 1.6.56, March 2026:
+ *   libpng versions 1.6.36, December 2018, through 1.6.57, April 2026:
  *     Cosmin Truta
  *   See also "Contributing Authors", below.
  */
@@ -267,7 +267,7 @@
  *    ...
  *    1.5.30                  15    10530  15.so.15.30[.0]
  *    ...
- *    1.6.56                  16    10656  16.so.16.56[.0]
+ *    1.6.57                  16    10657  16.so.16.57[.0]
  *
  *    Henceforth the source version will match the shared-library major and
  *    minor numbers; the shared-library major version number will be used for
@@ -303,7 +303,7 @@
  */
 
 /* Version information for png.h - this should match the version in png.c */
-#define PNG_LIBPNG_VER_STRING "1.6.56"
+#define PNG_LIBPNG_VER_STRING "1.6.57"
 #define PNG_HEADER_VERSION_STRING " libpng version " PNG_LIBPNG_VER_STRING "\n"
 
 /* The versions of shared library builds should stay in sync, going forward */
@@ -314,7 +314,7 @@
 /* These should match the first 3 components of PNG_LIBPNG_VER_STRING: */
 #define PNG_LIBPNG_VER_MAJOR   1
 #define PNG_LIBPNG_VER_MINOR   6
-#define PNG_LIBPNG_VER_RELEASE 56
+#define PNG_LIBPNG_VER_RELEASE 57
 
 /* This should be zero for a public release, or non-zero for a
  * development version.
@@ -345,7 +345,7 @@
  * From version 1.0.1 it is:
  * XXYYZZ, where XX=major, YY=minor, ZZ=release
  */
-#define PNG_LIBPNG_VER 10656 /* 1.6.56 */
+#define PNG_LIBPNG_VER 10657 /* 1.6.57 */
 
 /* Library configuration: these options cannot be changed after
  * the library has been built.
@@ -455,7 +455,7 @@ extern "C" {
 /* This triggers a compiler error in png.c, if png.c and png.h
  * do not agree upon the version number.
  */
-typedef char *png_libpng_version_1_6_56;
+typedef char *png_libpng_version_1_6_57;
 
 /* Basic control structions.  Read libpng-manual.txt or libpng.3 for more info.
  *
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/pngconf.h b/src/java.desktop/share/native/libsplashscreen/libpng/pngconf.h
@@ -29,7 +29,7 @@
  * However, the following notice accompanied the original version of this
  * file and, per its terms, should not be removed:
  *
- * libpng version 1.6.56
+ * libpng version 1.6.57
  *
  * Copyright (c) 2018-2026 Cosmin Truta
  * Copyright (c) 1998-2002,2004,2006-2016,2018 Glenn Randers-Pehrson
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/pnglibconf.h b/src/java.desktop/share/native/libsplashscreen/libpng/pnglibconf.h
@@ -31,7 +31,7 @@
  * However, the following notice accompanied the original version of this
  * file and, per its terms, should not be removed:
  */
-/* libpng version 1.6.56 */
+/* libpng version 1.6.57 */
 
 /* Copyright (c) 2018-2026 Cosmin Truta */
 /* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson */
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/pngrtran.c b/src/java.desktop/share/native/libsplashscreen/libpng/pngrtran.c
@@ -2408,7 +2408,7 @@ png_do_unpack(png_row_infop row_info, png_bytep row)
       }
       row_info->bit_depth = 8;
       row_info->pixel_depth = (png_byte)(8 * row_info->channels);
-      row_info->rowbytes = row_width * row_info->channels;
+      row_info->rowbytes = (size_t)row_width * row_info->channels;
    }
 }
 #endif
@@ -2610,7 +2610,7 @@ png_do_scale_16_to_8(png_row_infop row_info, png_bytep row)
 
       row_info->bit_depth = 8;
       row_info->pixel_depth = (png_byte)(8 * row_info->channels);
-      row_info->rowbytes = row_info->width * row_info->channels;
+      row_info->rowbytes = (size_t)row_info->width * row_info->channels;
    }
 }
 #endif
@@ -2638,7 +2638,7 @@ png_do_chop(png_row_infop row_info, png_bytep row)
 
       row_info->bit_depth = 8;
       row_info->pixel_depth = (png_byte)(8 * row_info->channels);
-      row_info->rowbytes = row_info->width * row_info->channels;
+      row_info->rowbytes = (size_t)row_info->width * row_info->channels;
    }
 }
 #endif
@@ -2874,7 +2874,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
             *(--dp) = lo_filler;
             row_info->channels = 2;
             row_info->pixel_depth = 16;
-            row_info->rowbytes = row_width * 2;
+            row_info->rowbytes = (size_t)row_width * 2;
          }
 
          else
@@ -2889,7 +2889,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
             }
             row_info->channels = 2;
             row_info->pixel_depth = 16;
-            row_info->rowbytes = row_width * 2;
+            row_info->rowbytes = (size_t)row_width * 2;
          }
       }
 
@@ -2912,7 +2912,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
             *(--dp) = hi_filler;
             row_info->channels = 2;
             row_info->pixel_depth = 32;
-            row_info->rowbytes = row_width * 4;
+            row_info->rowbytes = (size_t)row_width * 4;
          }
 
          else
@@ -2929,7 +2929,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
             }
             row_info->channels = 2;
             row_info->pixel_depth = 32;
-            row_info->rowbytes = row_width * 4;
+            row_info->rowbytes = (size_t)row_width * 4;
          }
       }
 #endif
@@ -2953,7 +2953,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
             *(--dp) = lo_filler;
             row_info->channels = 4;
             row_info->pixel_depth = 32;
-            row_info->rowbytes = row_width * 4;
+            row_info->rowbytes = (size_t)row_width * 4;
          }
 
          else
@@ -2970,7 +2970,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
             }
             row_info->channels = 4;
             row_info->pixel_depth = 32;
-            row_info->rowbytes = row_width * 4;
+            row_info->rowbytes = (size_t)row_width * 4;
          }
       }
 
@@ -2997,7 +2997,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
             *(--dp) = hi_filler;
             row_info->channels = 4;
             row_info->pixel_depth = 64;
-            row_info->rowbytes = row_width * 8;
+            row_info->rowbytes = (size_t)row_width * 8;
          }
 
          else
@@ -3019,7 +3019,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,
 
             row_info->channels = 4;
             row_info->pixel_depth = 64;
-            row_info->rowbytes = row_width * 8;
+            row_info->rowbytes = (size_t)row_width * 8;
          }
       }
 #endif
@@ -4513,15 +4513,15 @@ png_do_expand_palette(png_structrp png_ptr, png_row_infop row_info,
                }
                row_info->bit_depth = 8;
                row_info->pixel_depth = 32;
-               row_info->rowbytes = row_width * 4;
+               row_info->rowbytes = (size_t)row_width * 4;
                row_info->color_type = 6;
                row_info->channels = 4;
             }
 
             else
             {
                sp = row + (size_t)row_width - 1;
-               dp = row + (size_t)(row_width * 3) - 1;
+               dp = row + (size_t)row_width * 3 - 1;
                i = 0;
 #ifdef PNG_ARM_NEON_INTRINSICS_AVAILABLE
                i = png_do_expand_palette_rgb8_neon(png_ptr, row_info, row,
@@ -4540,7 +4540,7 @@ png_do_expand_palette(png_structrp png_ptr, png_row_infop row_info,
 
                row_info->bit_depth = 8;
                row_info->pixel_depth = 24;
-               row_info->rowbytes = row_width * 3;
+               row_info->rowbytes = (size_t)row_width * 3;
                row_info->color_type = 2;
                row_info->channels = 3;
             }
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/pngset.c b/src/java.desktop/share/native/libsplashscreen/libpng/pngset.c

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-README for libpng version 1.6.56`
	`1`	`+README for libpng version 1.6.57`
`2`	`2`	`================================`
`3`	`3`
`4`	`4`	See the note about version numbers near the top of `png.h`.
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@`
`29`	`29`	`* However, the following notice accompanied the original version of this`
`30`	`30`	`* file and, per its terms, should not be removed:`
`31`	`31`	`*`
`32`		`- * libpng version 1.6.56`
	`32`	`+ * libpng version 1.6.57`
`33`	`33`	`*`
`34`	`34`	`* Copyright (c) 2018-2026 Cosmin Truta`
`35`	`35`	`* Copyright (c) 1998-2002,2004,2006-2016,2018 Glenn Randers-Pehrson`
Original file line number	Diff line number	Diff line change
`@@ -2408,7 +2408,7 @@ png_do_unpack(png_row_infop row_info, png_bytep row)`
`2408`	`2408`	`}`
`2409`	`2409`	`row_info->bit_depth = 8;`
`2410`	`2410`	`row_info->pixel_depth = (png_byte)(8 * row_info->channels);`
`2411`		`- row_info->rowbytes = row_width * row_info->channels;`
	`2411`	`+ row_info->rowbytes = (size_t)row_width * row_info->channels;`
`2412`	`2412`	`}`
`2413`	`2413`	`}`
`2414`	`2414`	`#endif`
`@@ -2610,7 +2610,7 @@ png_do_scale_16_to_8(png_row_infop row_info, png_bytep row)`
`2610`	`2610`
`2611`	`2611`	`row_info->bit_depth = 8;`
`2612`	`2612`	`row_info->pixel_depth = (png_byte)(8 * row_info->channels);`
`2613`		`- row_info->rowbytes = row_info->width * row_info->channels;`
	`2613`	`+ row_info->rowbytes = (size_t)row_info->width * row_info->channels;`
`2614`	`2614`	`}`
`2615`	`2615`	`}`
`2616`	`2616`	`#endif`
`@@ -2638,7 +2638,7 @@ png_do_chop(png_row_infop row_info, png_bytep row)`
`2638`	`2638`
`2639`	`2639`	`row_info->bit_depth = 8;`
`2640`	`2640`	`row_info->pixel_depth = (png_byte)(8 * row_info->channels);`
`2641`		`- row_info->rowbytes = row_info->width * row_info->channels;`
	`2641`	`+ row_info->rowbytes = (size_t)row_info->width * row_info->channels;`
`2642`	`2642`	`}`
`2643`	`2643`	`}`
`2644`	`2644`	`#endif`
`@@ -2874,7 +2874,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,`
`2874`	`2874`	`*(--dp) = lo_filler;`
`2875`	`2875`	`row_info->channels = 2;`
`2876`	`2876`	`row_info->pixel_depth = 16;`
`2877`		`- row_info->rowbytes = row_width * 2;`
	`2877`	`+ row_info->rowbytes = (size_t)row_width * 2;`
`2878`	`2878`	`}`
`2879`	`2879`
`2880`	`2880`	`else`
`@@ -2889,7 +2889,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,`
`2889`	`2889`	`}`
`2890`	`2890`	`row_info->channels = 2;`
`2891`	`2891`	`row_info->pixel_depth = 16;`
`2892`		`- row_info->rowbytes = row_width * 2;`
	`2892`	`+ row_info->rowbytes = (size_t)row_width * 2;`
`2893`	`2893`	`}`
`2894`	`2894`	`}`
`2895`	`2895`
`@@ -2912,7 +2912,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,`
`2912`	`2912`	`*(--dp) = hi_filler;`
`2913`	`2913`	`row_info->channels = 2;`
`2914`	`2914`	`row_info->pixel_depth = 32;`
`2915`		`- row_info->rowbytes = row_width * 4;`
	`2915`	`+ row_info->rowbytes = (size_t)row_width * 4;`
`2916`	`2916`	`}`
`2917`	`2917`
`2918`	`2918`	`else`
`@@ -2929,7 +2929,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,`
`2929`	`2929`	`}`
`2930`	`2930`	`row_info->channels = 2;`
`2931`	`2931`	`row_info->pixel_depth = 32;`
`2932`		`- row_info->rowbytes = row_width * 4;`
	`2932`	`+ row_info->rowbytes = (size_t)row_width * 4;`
`2933`	`2933`	`}`
`2934`	`2934`	`}`
`2935`	`2935`	`#endif`
`@@ -2953,7 +2953,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,`
`2953`	`2953`	`*(--dp) = lo_filler;`
`2954`	`2954`	`row_info->channels = 4;`
`2955`	`2955`	`row_info->pixel_depth = 32;`
`2956`		`- row_info->rowbytes = row_width * 4;`
	`2956`	`+ row_info->rowbytes = (size_t)row_width * 4;`
`2957`	`2957`	`}`
`2958`	`2958`
`2959`	`2959`	`else`
`@@ -2970,7 +2970,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,`
`2970`	`2970`	`}`
`2971`	`2971`	`row_info->channels = 4;`
`2972`	`2972`	`row_info->pixel_depth = 32;`
`2973`		`- row_info->rowbytes = row_width * 4;`
	`2973`	`+ row_info->rowbytes = (size_t)row_width * 4;`
`2974`	`2974`	`}`
`2975`	`2975`	`}`
`2976`	`2976`
`@@ -2997,7 +2997,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,`
`2997`	`2997`	`*(--dp) = hi_filler;`
`2998`	`2998`	`row_info->channels = 4;`
`2999`	`2999`	`row_info->pixel_depth = 64;`
`3000`		`- row_info->rowbytes = row_width * 8;`
	`3000`	`+ row_info->rowbytes = (size_t)row_width * 8;`
`3001`	`3001`	`}`
`3002`	`3002`
`3003`	`3003`	`else`
`@@ -3019,7 +3019,7 @@ png_do_read_filler(png_row_infop row_info, png_bytep row,`
`3019`	`3019`
`3020`	`3020`	`row_info->channels = 4;`
`3021`	`3021`	`row_info->pixel_depth = 64;`
`3022`		`- row_info->rowbytes = row_width * 8;`
	`3022`	`+ row_info->rowbytes = (size_t)row_width * 8;`
`3023`	`3023`	`}`
`3024`	`3024`	`}`
`3025`	`3025`	`#endif`
`@@ -4513,15 +4513,15 @@ png_do_expand_palette(png_structrp png_ptr, png_row_infop row_info,`
`4513`	`4513`	`}`
`4514`	`4514`	`row_info->bit_depth = 8;`
`4515`	`4515`	`row_info->pixel_depth = 32;`
`4516`		`- row_info->rowbytes = row_width * 4;`
	`4516`	`+ row_info->rowbytes = (size_t)row_width * 4;`
`4517`	`4517`	`row_info->color_type = 6;`
`4518`	`4518`	`row_info->channels = 4;`
`4519`	`4519`	`}`
`4520`	`4520`
`4521`	`4521`	`else`
`4522`	`4522`	`{`
`4523`	`4523`	`sp = row + (size_t)row_width - 1;`
`4524`		`- dp = row + (size_t)(row_width * 3) - 1;`
	`4524`	`+ dp = row + (size_t)row_width * 3 - 1;`
`4525`	`4525`	`i = 0;`
`4526`	`4526`	`#ifdef PNG_ARM_NEON_INTRINSICS_AVAILABLE`
`4527`	`4527`	`i = png_do_expand_palette_rgb8_neon(png_ptr, row_info, row,`
`@@ -4540,7 +4540,7 @@ png_do_expand_palette(png_structrp png_ptr, png_row_infop row_info,`
`4540`	`4540`
`4541`	`4541`	`row_info->bit_depth = 8;`
`4542`	`4542`	`row_info->pixel_depth = 24;`
`4543`		`- row_info->rowbytes = row_width * 3;`
	`4543`	`+ row_info->rowbytes = (size_t)row_width * 3;`
`4544`	`4544`	`row_info->color_type = 2;`
`4545`	`4545`	`row_info->channels = 3;`
`4546`	`4546`	`}`