[libpng] Update: v1.6.53 -> v1.6.54

Includes the APNG patch.

Author: GerbilSoft

extlib/libpng/ANNOUNCE

@@ -1,4 +1,4 @@
-libpng 1.6.53 - December 5, 2025
+libpng 1.6.54 - January 12, 2026
 ================================
 
 This is a public release of libpng, intended for use in production code.
@@ -9,10 +9,10 @@ Files available for download
 
 Source files:
 
- * libpng-1.6.53.tar.xz (LZMA-compressed, recommended)
- * libpng-1.6.53.tar.gz (deflate-compressed)
- * lpng1653.7z (LZMA-compressed)
- * lpng1653.zip (deflate-compressed)
+ * libpng-1.6.54.tar.xz (LZMA-compressed, recommended)
+ * libpng-1.6.54.tar.gz (deflate-compressed)
+ * lpng1654.7z (LZMA-compressed)
+ * lpng1654.zip (deflate-compressed)
 
 Other information:
 
@@ -22,15 +22,16 @@ Other information:
  * TRADEMARK.md
 
 
-Changes from version 1.6.52 to version 1.6.53
+Changes from version 1.6.53 to version 1.6.54
 ---------------------------------------------
 
- * Fixed a build failure on RISC-V RVV caused by a misspelled intrinsic.
-   (Contributed by Alexander Smorkalov.)
- * Fixed a build failure with CMake 4.1 or newer, on Windows, when using
-   Visual C++ without MASM installed.
-   (Reported by Andrew Tribick; fixed by Luis Caro Campos.)
-
+ * Fixed CVE-2026-22695 (medium severity):
+   Heap buffer over-read in `png_image_read_direct_scaled.
+   (Reported and fixed by Petr Simecek.)
+ * Fixed CVE-2026-22801 (medium severity):
+   Integer truncation causing heap buffer over-read in `png_image_write_*`.
+ * Implemented various improvements in oss-fuzz.
+   (Contributed by Philippe Antoine.)
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net.
 Subscription is required; visit

extlib/libpng/AUTHORS

@@ -27,6 +27,7 @@ Authors, for copyright and licensing purposes.
  * Mike Klein
  * Pascal Massimino
  * Paul Schmidt
+ * Petr Simecek
  * Philippe Antoine
  * Qiang Zhou
  * Sam Bushell

extlib/libpng/CHANGES

@@ -6321,6 +6321,16 @@ Version 1.6.53 [December 5, 2025]
   Fixed a build failure with CMake 4.1 or newer, on Windows, when using
     Visual C++ without MASM installed.
 
+Version 1.6.54 [January 12, 2026]
+  Fixed CVE-2026-22695 (medium severity):
+    Heap buffer over-read in `png_image_read_direct_scaled.
+    (Reported and fixed by Petr Simecek.)
+  Fixed CVE-2026-22801 (medium severity):
+    Integer truncation causing heap buffer over-read in `png_image_write_*`.
+  Implemented various improvements in oss-fuzz.
+    (Contributed by Philippe Antoine.)
+
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net.
 Subscription is required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement

extlib/libpng/CMakeLists.txt

@@ -1,6 +1,6 @@
 # CMakeLists.txt - CMake lists for libpng
 #
-# Copyright (c) 2018-2025 Cosmin Truta
+# Copyright (c) 2018-2026 Cosmin Truta
 # Copyright (c) 2007-2018 Glenn Randers-Pehrson
 # Originally written by Christian Ehrlicher, 2007
 #
@@ -19,7 +19,7 @@
 
 set(PNGLIB_MAJOR 1)
 set(PNGLIB_MINOR 6)
-set(PNGLIB_REVISION 53)
+set(PNGLIB_REVISION 54)
 set(PNGLIB_SUBREVISION 0)
 #set(PNGLIB_SUBREVISION "git")
 set(PNGLIB_VERSION ${PNGLIB_MAJOR}.${PNGLIB_MINOR}.${PNGLIB_REVISION})
@@ -984,6 +984,13 @@ if(PNG_TESTS AND PNG_SHARED)
     endforeach()
   endforeach()
 
+  # Regression test:
+  # Use stride_extra > 32767 to trigger row_bytes > 65535 for linear images.
+  png_add_test(NAME pngstest-large-stride
+               COMMAND pngstest
+               OPTIONS --stride-extra 33000 --tmpfile "large-stride-" --log
+               FILES "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-16-linear.png")
+
   add_executable(pngunknown ${pngunknown_sources})
   target_link_libraries(pngunknown
                         PRIVATE png_shared)

extlib/libpng/LICENSE

@@ -4,8 +4,8 @@ COPYRIGHT NOTICE, DISCLAIMER, and LICENSE
 PNG Reference Library License version 2
 ---------------------------------------
 
- * Copyright (c) 1995-2025 The PNG Reference Library Authors.
- * Copyright (c) 2018-2025 Cosmin Truta.
+ * Copyright (c) 1995-2026 The PNG Reference Library Authors.
+ * Copyright (c) 2018-2026 Cosmin Truta.
  * Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson.
  * Copyright (c) 1996-1997 Andreas Dilger.
  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.

extlib/libpng/README

@@ -1,4 +1,4 @@
-README for libpng version 1.6.53
+README for libpng version 1.6.54
 ================================
 
 See the note about version numbers near the top of `png.h`.

extlib/libpng/_MODIFIED_LIBPNG.txt

@@ -1,9 +1,9 @@
-This copy of libpng-1.6.53 is a modified version of the original.
+This copy of libpng-1.6.54 is a modified version of the original.
 
-commit 4e3f57d50f552841550a36eabbb3fbcecacb7750
-Release libpng version 1.6.53
+commit 02f2b4f4699f0ef9111a6534f093b53732df4452
+Release libpng 1.6.54
 
-Tag: v1.6.53
+Tag: v1.6.54
 
 The following changes have been made to the original:
 
@@ -14,5 +14,5 @@ The following changes have been made to the original:
 - APNG support has been added via the APNG patch:
   http://sourceforge.net/projects/libpng-apng/
 
-To obtain the original libpng-1.6.53, visit:
+To obtain the original libpng-1.6.54, visit:
 http://www.libpng.org/pub/png/libpng.html

extlib/libpng/arm/filter_neon_intrinsics.c

@@ -49,7 +49,7 @@
 
 void
 png_read_filter_row_up_neon(png_row_infop row_info, png_bytep row,
-   png_const_bytep prev_row)
+    png_const_bytep prev_row)
 {
    png_bytep rp = row;
    png_bytep rp_stop = row + row_info->rowbytes;
@@ -70,7 +70,7 @@ png_read_filter_row_up_neon(png_row_infop row_info, png_bytep row,
 
 void
 png_read_filter_row_sub3_neon(png_row_infop row_info, png_bytep row,
-   png_const_bytep prev_row)
+    png_const_bytep prev_row)
 {
    png_bytep rp = row;
    png_bytep rp_stop = row + row_info->rowbytes;
@@ -117,7 +117,7 @@ png_read_filter_row_sub3_neon(png_row_infop row_info, png_bytep row,
 
 void
 png_read_filter_row_sub4_neon(png_row_infop row_info, png_bytep row,
-   png_const_bytep prev_row)
+    png_const_bytep prev_row)
 {
    png_bytep rp = row;
    png_bytep rp_stop = row + row_info->rowbytes;
@@ -149,7 +149,7 @@ png_read_filter_row_sub4_neon(png_row_infop row_info, png_bytep row,
 
 void
 png_read_filter_row_avg3_neon(png_row_infop row_info, png_bytep row,
-   png_const_bytep prev_row)
+    png_const_bytep prev_row)
 {
    png_bytep rp = row;
    png_const_bytep pp = prev_row;
@@ -217,7 +217,7 @@ png_read_filter_row_avg3_neon(png_row_infop row_info, png_bytep row,
 
 void
 png_read_filter_row_avg4_neon(png_row_infop row_info, png_bytep row,
-   png_const_bytep prev_row)
+    png_const_bytep prev_row)
 {
    png_bytep rp = row;
    png_bytep rp_stop = row + row_info->rowbytes;
@@ -286,7 +286,7 @@ paeth(uint8x8_t a, uint8x8_t b, uint8x8_t c)
 
 void
 png_read_filter_row_paeth3_neon(png_row_infop row_info, png_bytep row,
-   png_const_bytep prev_row)
+    png_const_bytep prev_row)
 {
    png_bytep rp = row;
    png_const_bytep pp = prev_row;
@@ -354,7 +354,7 @@ png_read_filter_row_paeth3_neon(png_row_infop row_info, png_bytep row,
 
 void
 png_read_filter_row_paeth4_neon(png_row_infop row_info, png_bytep row,
-   png_const_bytep prev_row)
+    png_const_bytep prev_row)
 {
    png_bytep rp = row;
    png_bytep rp_stop = row + row_info->rowbytes;

extlib/libpng/contrib/mips-mmi/linux.c

@@ -57,12 +57,14 @@ __asm__(".macro        parse_r var r\n\t"
 
 #define HWCAP_LOONGSON_CPUCFG (1 << 14)
 
-static int cpucfg_available(void)
+static int
+cpucfg_available(void)
 {
     return getauxval(AT_HWCAP) & HWCAP_LOONGSON_CPUCFG;
 }
 
-static int strstart(const char *str, const char *pfx, const char **ptr)
+static int
+strstart(const char *str, const char *pfx, const char **ptr)
 {
     while (*pfx && *pfx == *str) {
         pfx++;
@@ -74,7 +76,8 @@ static int strstart(const char *str, const char *pfx, const char **ptr)
 }
 
 /* Most toolchains have no CPUCFG support yet */
-static uint32_t read_cpucfg(uint32_t reg)
+static uint32_t
+read_cpucfg(uint32_t reg)
 {
         uint32_t __res;
 
@@ -94,7 +97,8 @@ static uint32_t read_cpucfg(uint32_t reg)
 
 #define LOONGSON_CFG1_MMI    (1 << 4)
 
-static int cpu_flags_cpucfg(void)
+static int
+cpu_flags_cpucfg(void)
 {
     int flags = 0;
     uint32_t cfg1 = read_cpucfg(LOONGSON_CFG1);
@@ -105,7 +109,8 @@ static int cpu_flags_cpucfg(void)
     return flags;
 }
 
-static int cpu_flags_cpuinfo(void)
+static int
+cpu_flags_cpuinfo(void)
 {
     FILE *f = fopen("/proc/cpuinfo", "r");
     char buf[200];
@@ -131,7 +136,8 @@ static int cpu_flags_cpuinfo(void)
     return flags;
 }
 
-static int png_have_mmi()
+static int
+png_have_mmi()
 {
     if (cpucfg_available())
         return cpu_flags_cpucfg();