Bug 669863. Update libpng to version 1.4.8. r=joe
authorGlenn Randers-Pehrson <glennrp+bmo@gmail.com>
Fri, 29 Jul 2011 14:30:00 -0400
changeset 73571 e11c69bb7f5f3827e0034f5707fa7d0a57834ec0
parent 73570 88329c72d50c0efb428bc8ea8b73451e71fd6599
child 73572 37dcfd002ab043d7bfd4e266db9e88809ce059fc
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewersjoe
bugs669863
milestone8.0a1
Bug 669863. Update libpng to version 1.4.8. r=joe
modules/libimg/png/CHANGES
modules/libimg/png/LICENSE
modules/libimg/png/MOZCHANGES
modules/libimg/png/README
modules/libimg/png/libpng.txt
modules/libimg/png/png.c
modules/libimg/png/png.h
modules/libimg/png/pngconf.h
modules/libimg/png/pngerror.c
modules/libimg/png/pngget.c
modules/libimg/png/pngmem.c
modules/libimg/png/pngpriv.h
modules/libimg/png/pngrtran.c
modules/libimg/png/pngrutil.c
modules/libimg/png/pngtrans.c
modules/libimg/png/pngwrite.c
modules/libimg/png/pngwutil.c
--- a/modules/libimg/png/CHANGES
+++ b/modules/libimg/png/CHANGES
@@ -2786,19 +2786,50 @@ version 1.4.6rc02 [April 6, 2011]
   Improved the optimization of the zlib CMF byte (see libpng-1.2.6beta03).
 
 version 1.4.6 [April 8, 2011]
   No changes.
 
 version 1.4.7rc01 [April 9, 2011]
   Relocated misplaced new declarations in pngwutil.c.
 
-version 1.4.7 [April 10, 2011]
+version 1.4.7 [April 9, 2011]
   Disabled PNG_PEDANTIC_WARNINGS for all MSC versions as in libpng-1.4.5.
 
+version 1.4.8beta01 [June 4, 2011]
+  Undef "_ALL_SOURCE" for AIX, to prevent "jmpbuf" from being redefined.
+  Copied png_debug macros from pngpriv.h into pngtest.c and removed
+    "#include pngpriv.h" from pngtest.c, to avoid setting a bad example.
+  Pass "" instead of '\0' to png_default_error() in png_err().  This mistake
+    was introduced in libpng-1.2.20beta01.
+  Check for up->location !PNG_AFTER_IDAT when writing unknown chunks
+    before IDAT.
+  Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image,
+    always expand to RGBA if transparency is present.
+
+version 1.4.8beta02 [June 5, 2011]
+  Ported bugfix in pngrtran.c from 1.5.3: Ensure coefficients are OK for
+    png_rgb_to_gray_fixed().
+
+version 1.4.8beta03 [June 6, 2011]
+  Check for integer overflow in png_set_rgb_to_gray().
+
+version 1.4.8beta04 [June 7, 2011]
+  Fixed uninitialized memory read in png_format_buffer() (Bug report by
+    Frank Busse, related to CVE-2004-0421).
+
+version 1.4.8beta05 [June 19, 2011]
+  Fixed error in "ACCURATE" 16-to-8 scaling (John Bowler).
+  Check for sCAL chunk too short.
+
+version 1.4.8rc01 [June 30, 2011]
+  No changes.
+
+version 1.4.8 [July 7, 2011]
+  No changes.
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement).
 
 Glenn R-P
 */ }
 #endif
--- a/modules/libimg/png/LICENSE
+++ b/modules/libimg/png/LICENSE
@@ -5,17 +5,17 @@ included in the libpng distribution, the
 
 COPYRIGHT NOTICE, DISCLAIMER, and LICENSE:
 
 If you modify libpng you may insert additional notices immediately following
 this sentence.
 
 This code is released under the libpng license.
 
-libpng versions 1.2.6, August 15, 2004, through 1.4.7, April 10, 2011, are
+libpng versions 1.2.6, August 15, 2004, through 1.4.8, July 7, 2011, are
 Copyright (c) 2004, 2006-2010 Glenn Randers-Pehrson, and are
 distributed according to the same disclaimer and license as libpng-1.2.5
 with the following individual added to the list of Contributing Authors
 
    Cosmin Truta
 
 libpng versions 1.0.7, July 1, 2000, through 1.2.5 - October 3, 2002, are
 Copyright (c) 2000-2002 Glenn Randers-Pehrson, and are
@@ -103,9 +103,9 @@ boxes and the like:
 Also, the PNG logo (in PNG format, of course) is supplied in the
 files "pngbar.png" and "pngbar.jpg (88x31) and "pngnow.png" (98x31).
 
 Libpng is OSI Certified Open Source Software.  OSI Certified Open Source is a
 certification mark of the Open Source Initiative.
 
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-April 10, 2011
+July 7, 2011
--- a/modules/libimg/png/MOZCHANGES
+++ b/modules/libimg/png/MOZCHANGES
@@ -1,11 +1,13 @@
 
 Changes made to pristine png source by mozilla.org developers.
 
+2011/07/20  -- Synced with libpng-1.4.8 (bug #669863).
+
 2011/04/08  -- Synced with libpng-1.4.7 (bug #624133).
 
 2010/06/30  -- Synced with libpng-1.4.3 (bug #564792).
 
 2010/02/26  -- Synced with libpng-1.4.1 (bug #544747).
 
 2010/01/04  -- Synced with libpng-1.4.0 (bug #532645).
 
--- a/modules/libimg/png/README
+++ b/modules/libimg/png/README
@@ -1,9 +1,9 @@
-README for libpng version 1.4.7 - April 10, 2011 (shared library 14.0)
+README for libpng version 1.4.8 - July 7, 2011 (shared library 14.0)
 See the note about version numbers near the top of png.h
 
 See INSTALL for instructions on how to install libpng.
 
 Libpng comes in several distribution formats.  Get libpng-*.tar.gz,
 libpng-*.tar.xz or libpng-*.tar.bz2 if you want UNIX-style line endings
 in the text files, or lpng*.zip if you want DOS-style line endings.
 
@@ -109,29 +109,26 @@ lists.sourceforge.net (subscription requ
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
 to subscribe) or to glennrp at users.sourceforge.net
 
 You can't reach Guy, the original libpng author, at the addresses
 given in previous versions of this document.  He and Andreas will
 read mail addressed to the png-implement list, however.
 
 Please do not send general questions about PNG.  Send them to
-the (png-list at ccrc.wustl.edu, subscription required, write to
-majordomo at ccrc.wustl.edu with "subscribe png-list" in your message).
-On the other hand,
-please do not send libpng questions to that address, send them to me
-or to the png-implement list.  I'll
-get them in the end anyway.  If you have a question about something
+png-mng-misc at lists.sf.net (subscription required; visit
+https://lists.sourceforge.net/lists/listinfo/png-mng-misc to
+subscribe).  If you have a question about something
 in the PNG specification that is related to using libpng, send it
 to me.  Send me any questions that start with "I was using libpng,
 and ...".  If in doubt, send questions to me.  I'll bounce them
 to others, if necessary.
 
 Please do not send suggestions on how to change PNG.  We have
-been discussing PNG for nine years now, and it is official and
+been discussing PNG for sixteen years now, and it is official and
 finished.  If you have suggestions for libpng, however, I'll
 gladly listen.  Even if your suggestion is not used immediately,
 it may be used later.
 
 Files in this distribution:
 
       ANNOUNCE      =>  Announcement of this version, with recent changes
       CHANGES       =>  Description of changes between libpng versions
@@ -180,19 +177,19 @@ Files in this distribution:
                             libpng and zlib
        visualc6         =>  Contains a Microsoft Visual C++ (MSVC)
                             workspace for building libpng and zlib
       scripts       =>  Directory containing scripts for building libpng:
        descrip.mms      =>  VMS makefile for MMS or MMK
        makefile.std     =>  Generic UNIX makefile (cc, creates static
                             libpng.a)
        makefile.elf     =>  Linux/ELF makefile symbol versioning,
-                            (gcc, creates libpng14.so.14.1.4.7)
+                            (gcc, creates libpng14.so.14.1.4.8)
        makefile.linux   =>  Linux/ELF makefile
-                            (gcc, creates libpng14.so.14.1.4.7)
+                            (gcc, creates libpng14.so.14.1.4.8)
        makefile.gcc     =>  Generic makefile (gcc, creates static libpng.a)
        makefile.knr     =>  Archaic UNIX Makefile that converts files with
                             ansi2knr (Requires ansi2knr.c from
                             ftp://ftp.cs.wisc.edu/ghost)
        makefile.aix     =>  AIX makefile
        makefile.cygwin  =>  Cygwin/gcc makefile
        makefile.darwin  =>  Darwin makefile
        makefile.dec     =>  DEC Alpha UNIX makefile
@@ -204,22 +201,22 @@ Files in this distribution:
        makefile.intel   =>  Intel C/C++ version 4.0 and later
        makefile.mingw   =>  Mingw/gcc makefile
        makefile.netbsd  =>  NetBSD/cc makefile, makes libpng.so.
        makefile.ne14bsd  =>  NetBSD/cc makefile, makes
                             libpng14.so
        makefile.openbsd =>  OpenBSD makefile
        makefile.sgi     =>  Silicon Graphics IRIX (cc, creates static lib)
        makefile.sggcc   =>  Silicon Graphics
-                            (gcc, creates libpng14.so.14.1.4.7)
+                            (gcc, creates libpng14.so.14.1.4.8)
        makefile.sunos   =>  Sun makefile
        makefile.solaris =>  Solaris 2.X makefile
-                            (gcc, creates libpng14.so.14.1.4.7)
+                            (gcc, creates libpng14.so.14.1.4.8)
        makefile.so9     =>  Solaris 9 makefile
-                            (gcc, creates libpng14.so.14.1.4.7)
+                            (gcc, creates libpng14.so.14.1.4.8)
        makefile.32sunu  =>  Sun Ultra 32-bit makefile
        makefile.64sunu  =>  Sun Ultra 64-bit makefile
        makefile.sco     =>  For SCO OSr5  ELF and Unixware 7 with Native cc
        makefile.mips    =>  MIPS makefile
        makefile.acorn   =>  Acorn makefile
        makefile.amiga   =>  Amiga makefile
        smakefile.ppc    =>  AMIGA smakefile for SAS C V6.58/7.00 PPC
                             compiler (Requires SCOPTIONS, copied from
--- a/modules/libimg/png/libpng.txt
+++ b/modules/libimg/png/libpng.txt
@@ -1,24 +1,24 @@
 libpng.txt - A description on how to use and modify libpng
 
- libpng version 1.4.3 - June 26, 2010
+ libpng version 1.4.8 - July 7, 2011
  Updated and distributed by Glenn Randers-Pehrson
  <glennrp at users.sourceforge.net>
- Copyright (c) 1998-2009 Glenn Randers-Pehrson
+ Copyright (c) 1998-2010 Glenn Randers-Pehrson
 
  This document is released under the libpng license.
  For conditions of distribution and use, see the disclaimer
  and license in png.h
 
  Based on:
 
- libpng versions 0.97, January 1998, through 1.4.3 - June 26, 2010
+ libpng versions 0.97, January 1998, through 1.4.8 - July 7, 2011
  Updated and distributed by Glenn Randers-Pehrson
- Copyright (c) 1998-2009 Glenn Randers-Pehrson
+ Copyright (c) 1998-2010 Glenn Randers-Pehrson
 
  libpng 1.0 beta 6  version 0.96 May 28, 1997
  Updated and distributed by Andreas Dilger
  Copyright (c) 1996, 1997 Andreas Dilger
 
  libpng 1.0 beta 2 - version 0.88  January 26, 1996
  For conditions of distribution and use, see copyright
  notice in png.h. Copyright (c) 1995, 1996 Guy Eric
@@ -273,17 +273,17 @@ where the default size is 8192 bytes.  N
 is changed immediately and the buffer is reallocated immediately,
 instead of setting a flag to be acted upon later.
 
 Setting up callback code
 
 You can set up a callback function to handle any unknown chunks in the
 input stream. You must supply the function
 
-    read_chunk_callback(png_ptr ptr,
+    read_chunk_callback(png_structp png_ptr,
          png_unknown_chunkp chunk);
     {
        /* The unknown chunk structure contains your
           chunk data, along with similar data for any other
           unknown chunks: */
 
            png_byte name[5];
            png_byte *data;
@@ -319,18 +319,18 @@ chunks will be saved when read, in case 
 one or more of them.  This behavior can be changed with the
 png_set_keep_unknown_chunks() function, described below.
 
 At this point, you can set up a callback function that will be
 called after each row has been read, which you can use to control
 a progress meter or the like.  It's demonstrated in pngtest.c.
 You must supply a function
 
-    void read_row_callback(png_ptr ptr, png_uint_32 row,
-       int pass);
+    void read_row_callback(png_structp png_ptr,
+       png_uint_32 row, int pass);
     {
       /* put your code here */
     }
 
 (You can give it another name that you like instead of "read_row_callback")
 
 To inform libpng about your function, use
 
@@ -571,25 +571,27 @@ in until png_read_end() has read the chu
                         (bit_depths 8, 16)
                      PNG_COLOR_TYPE_RGB_ALPHA
                         (bit_depths 8, 16)
 
                      PNG_COLOR_MASK_PALETTE
                      PNG_COLOR_MASK_COLOR
                      PNG_COLOR_MASK_ALPHA
 
+    interlace_type - (PNG_INTERLACE_NONE or
+                     PNG_INTERLACE_ADAM7)
+
+    compression_type - (must be PNG_COMPRESSION_TYPE_BASE
+                     for PNG 1.0)
+
     filter_method  - (must be PNG_FILTER_TYPE_BASE
                      for PNG 1.0, and can also be
                      PNG_INTRAPIXEL_DIFFERENCING if
                      the PNG datastream is embedded in
                      a MNG-1.0 datastream)
-    compression_type - (must be PNG_COMPRESSION_TYPE_BASE
-                     for PNG 1.0)
-    interlace_type - (PNG_INTERLACE_NONE or
-                     PNG_INTERLACE_ADAM7)
 
     Any or all of interlace_type, compression_type, or
     filter_method can be NULL if you are
     not interested in their values.
 
     Note that png_get_IHDR() returns 32-bit data into
     the application's width and height variables.
     This is an unsafe situation if these are 16-bit
@@ -600,21 +602,21 @@ in until png_read_end() has read the chu
     width            = png_get_image_width(png_ptr,
                          info_ptr);
     height           = png_get_image_height(png_ptr,
                          info_ptr);
     bit_depth        = png_get_bit_depth(png_ptr,
                          info_ptr);
     color_type       = png_get_color_type(png_ptr,
                          info_ptr);
-    filter_method    = png_get_filter_type(png_ptr,
+    interlace_type   = png_get_interlace_type(png_ptr,
                          info_ptr);
     compression_type = png_get_compression_type(png_ptr,
                          info_ptr);
-    interlace_type   = png_get_interlace_type(png_ptr,
+    filter_method    = png_get_filter_type(png_ptr,
                          info_ptr);
 
     channels = png_get_channels(png_ptr, info_ptr);
     channels       - number of channels of info for the
                      color type (valid values are 1 (GRAY,
                      PALETTE), 2 (GRAY_ALPHA), 3 (RGB),
                      4 (RGB_ALPHA or RGB + filler byte))
     rowbytes = png_get_rowbytes(png_ptr, info_ptr);
@@ -653,41 +655,41 @@ pointer into the info_ptr is returned fo
                      The presence of the sRGB chunk
                      means that the pixel data is in the
                      sRGB color space.  This chunk also
                      implies specific values of gAMA and
                      cHRM.
 
     png_get_iCCP(png_ptr, info_ptr, &name,
        &compression_type, &profile, &proflen);
-    name            - The profile name.
-    compression     - The compression type; always
-                      PNG_COMPRESSION_TYPE_BASE for PNG 1.0.
-                      You may give NULL to this argument to
-                      ignore it.
-    profile         - International Color Consortium color
-                      profile data. May contain NULs.
-    proflen         - length of profile data in bytes.
+    name             - The profile name.
+    compression_type - The compression type; always
+                       PNG_COMPRESSION_TYPE_BASE for PNG 1.0.
+                       You may give NULL to this argument to
+                       ignore it.
+    profile          - International Color Consortium color
+                       profile data. May contain NULs.
+    proflen          - length of profile data in bytes.
 
     png_get_sBIT(png_ptr, info_ptr, &sig_bit);
     sig_bit        - the number of significant bits for
                      (PNG_INFO_sBIT) each of the gray,
                      red, green, and blue channels,
                      whichever are appropriate for the
                      given color type (png_color_16)
 
     png_get_tRNS(png_ptr, info_ptr, &trans_alpha,
                      &num_trans, &trans_color);
     trans_alpha    - array of alpha (transparency)
                      entries for palette (PNG_INFO_tRNS)
+    num_trans      - number of transparent entries
+                     (PNG_INFO_tRNS)
     trans_color    - graylevel or color sample values of
                      the single transparent color for
                      non-paletted images (PNG_INFO_tRNS)
-    num_trans      - number of transparent entries
-                     (PNG_INFO_tRNS)
 
     png_get_hIST(png_ptr, info_ptr, &hist);
                      (PNG_INFO_hIST)
     hist           - histogram of palette (array of
                      png_uint_16)
 
     png_get_tIME(png_ptr, info_ptr, &mod_time);
     mod_time       - time image was last modified
@@ -898,17 +900,17 @@ viewing application that wishes to treat
 These three functions are actually aliases for png_set_expand(), added
 in libpng version 1.0.4, with the function names expanded to improve code
 readability.  In some future version they may actually do different
 things.
 
 As of libpng version 1.2.9, png_set_expand_gray_1_2_4_to_8() was
 added.  It expands the sample depth without changing tRNS to alpha.
 
-As of libpng version 1.4.3, not all possible expansions are supported.
+As of libpng version 1.4.8, not all possible expansions are supported.
 
 In the following table, the 01 means grayscale with depth<8, 31 means
 indexed with depth<8, other numerals represent the color type, "T" means
 the tRNS chunk is present, A means an alpha channel is present, and O
 means tRNS or alpha is present but all pixels in the image are opaque.
 
   FROM  01  31   0  0T  0O   2  2T  2O   3  3T  3O  4A  4O  6A  6O 
    TO
@@ -1228,18 +1230,18 @@ Finally, you can write your own transfor
 the existing ones meets your needs.  This is done by setting a callback
 with
 
     png_set_read_user_transform_fn(png_ptr,
        read_transform_fn);
 
 You must supply the function
 
-    void read_transform_fn(png_ptr ptr, row_info_ptr
-       row_info, png_bytep data)
+    void read_transform_fn(png_structp png_ptr, png_row_infop
+        row_info, png_bytep data)
 
 See pngtest.c for a working example.  Your function will be called
 after all of the other transformations have been processed.
 
 You can also set up a pointer to a user structure for use by your
 callback function, and you can inform libpng that your transform
 function will change the number of channels or bit depth with the
 function
@@ -1752,17 +1754,17 @@ to inform libpng that it should not writ
 
 Write callbacks
 
 At this point, you can set up a callback function that will be
 called after each row has been written, which you can use to control
 a progress meter or the like.  It's demonstrated in pngtest.c.
 You must supply a function
 
-    void write_row_callback(png_ptr, png_uint_32 row,
+    void write_row_callback(png_structp png_ptr, png_uint_32 row,
        int pass);
     {
       /* put your code here */
     }
 
 (You can give it another name that you like instead of "write_row_callback")
 
 To inform libpng about your function, use
@@ -1927,24 +1929,24 @@ width, height, bit_depth, and color_type
                      data is in the sRGB color space.
                      This function also causes gAMA and
                      cHRM chunks with the specific values
                      that are consistent with sRGB to be
                      written.
 
     png_set_iCCP(png_ptr, info_ptr, name, compression_type,
                       profile, proflen);
-    name            - The profile name.
-    compression     - The compression type; always
-                      PNG_COMPRESSION_TYPE_BASE for PNG 1.0.
-                      You may give NULL to this argument to
-                      ignore it.
-    profile         - International Color Consortium color
-                      profile data. May contain NULs.
-    proflen         - length of profile data in bytes.
+    name             - The profile name.
+    compression_type - The compression type; always
+                       PNG_COMPRESSION_TYPE_BASE for PNG 1.0.
+                       You may give NULL to this argument to
+                       ignore it.
+    profile          - International Color Consortium color
+                       profile data. May contain NULs.
+    proflen          - length of profile data in bytes.
 
     png_set_sBIT(png_ptr, info_ptr, sig_bit);
     sig_bit        - the number of significant bits for
                      (PNG_INFO_sBIT) each of the gray, red,
                      green, and blue channels, whichever are
                      appropriate for the given color type
                      (png_color_16)
 
@@ -2309,17 +2311,17 @@ Finally, you can write your own transfor
 the existing ones meets your needs.  This is done by setting a callback
 with
 
     png_set_write_user_transform_fn(png_ptr,
        write_transform_fn);
 
 You must supply the function
 
-    void write_transform_fn(png_ptr ptr, row_info_ptr
+    void write_transform_fn(png_structp png_ptr, png_row_infop
        row_info, png_bytep data)
 
 See pngtest.c for a working example.  Your function will be called
 before any of the other transformations are processed.
 
 You can also set up a pointer to a user structure for use by your
 callback function.
 
@@ -3117,16 +3119,22 @@ We removed the obsolete png_check_sig(),
 png_memset_check() functions.  Instead use !png_sig_cmp(), png_memcpy(),
 and png_memset(), respectively.
 
 The function png_set_gray_1_2_4_to_8() was removed. It has been
 deprecated since libpng-1.0.18 and 1.2.9, when it was replaced with
 png_set_expand_gray_1_2_4_to_8() because the former function also
 expanded palette images.
 
+Macros for png_get_uint_16, png_get_uint_32, and png_get_int_32
+were added and are used by default instead of the corresponding
+functions. Unfortunately,
+from libpng-1.4.0 until 1.4.4, the png_get_uint_16 macro (but not the  
+function) incorrectly returned a value of type png_uint_32.
+
 We changed the prototype for png_malloc() from
     png_malloc(png_structp png_ptr, png_uint_32 size)
 to
     png_malloc(png_structp png_ptr, png_alloc_size_t size)
 
 This also applies to the prototype for the user replacement malloc_fn().
 
 The png_calloc() function was added and is used in place of
@@ -3144,17 +3152,18 @@ Support for numbered error messages was 
 never got around to actually numbering the error messages. The function
 png_set_strip_error_numbers() was removed from the library by default.
 
 The png_zalloc() and png_zfree() functions are no longer exported.
 The png_zalloc() function no longer zeroes out the memory that it
 allocates.
 
 Support for dithering was disabled by default in libpng-1.4.0, because
-been well tested and doesn't actually "dither".  The code was not
+it has not been well tested and doesn't actually "dither".
+The code was not
 removed, however, and could be enabled by building libpng with
 PNG_READ_DITHER_SUPPORTED defined.  In libpng-1.4.2, this support
 was reenabled, but the function was renamed png_set_quantize() to
 reflect more accurately what it actually does.  At the same time,
 the PNG_DITHER_[RED,GREEN_BLUE]_BITS macros were also renamed to
 PNG_QUANTIZE_[RED,GREEN,BLUE]_BITS.
 
 We removed the trailing '.' from the warning and error messages.
@@ -3267,19 +3276,20 @@ We mark all non-exported functions with 
 
 The prototypes for non-exported functions (except for those in
 pngtest) appear in
 pngpriv.h
 above the comment that says
 
   /* Maintainer: Put new private prototypes here ^ and in libpngpf.3 */
 
-The names of all exported functions and variables begin
-with  "png_", and all publicly visible C preprocessor
-macros begin with "PNG_".
+To avoid polluting the global namespace, the names of all exported
+functions and variables begin with  "png_", and all publicly visible C
+preprocessor macros begin with "PNG_".  We request that applications that
+use libpng *not* begin any of their own symbols with either of these strings.
 
 We put a space after each comma and after each semicolon
 in "for" statments, and we put spaces before and after each
 C binary operator and after "for" or "while", and before
 "?".  We don't put a space between a typecast and the expression
 being cast, nor do we put one between a function name and the
 left parenthesis that follows it:
 
@@ -3292,23 +3302,23 @@ when there is only one macro being teste
 We do not use the TAB character for indentation in the C sources.
 
 Lines do not exceed 80 characters.
 
 Other rules can be inferred by inspecting the libpng source.
 
 XIII. Y2K Compliance in libpng
 
-June 26, 2010
+July 7, 2011
 
 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
 
 This is your unofficial assurance that libpng from version 0.71 and
-upward through 1.4.3 are Y2K compliant.  It is my belief that earlier
+upward through 1.4.8 are Y2K compliant.  It is my belief that earlier
 versions were also Y2K compliant.
 
 Libpng only has three year fields.  One is a 2-byte unsigned integer that
 will hold years up to 65535.  The other two hold the date in text
 format, and will hold years up to 9999.
 
 The integer is
     "png_uint_16 year" in png_time_struct.
--- a/modules/libimg/png/png.c
+++ b/modules/libimg/png/png.c
@@ -12,17 +12,17 @@
  */
 
 #define PNG_NO_EXTERN
 #define PNG_NO_PEDANTIC_WARNINGS
 #include "png.h"
 #include "pngpriv.h"
 
 /* Generate a compiler error if there is an old png.h in the search path. */
-typedef version_1_4_7 Your_png_h_is_not_version_1_4_7;
+typedef version_1_4_8 Your_png_h_is_not_version_1_4_8;
 
 /* Tells libpng that we have already handled the first "num_bytes" bytes
  * of the PNG file signature.  If the PNG data is embedded into another
  * stream we can set num_bytes = 8 so that libpng will not attempt to read
  * or write any of the magic bytes before it starts on the IHDR.
  */
 
 #ifdef PNG_READ_SUPPORTED
@@ -542,23 +542,23 @@ png_charp PNGAPI
 png_get_copyright(png_const_structp png_ptr)
 {
    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 #ifdef PNG_STRING_COPYRIGHT
       return PNG_STRING_COPYRIGHT
 #else
 #ifdef __STDC__
    return ((png_charp) PNG_STRING_NEWLINE \
-     "libpng version 1.4.7 - April 10, 2011" PNG_STRING_NEWLINE \
+     "libpng version 1.4.8 - July 7, 2011" PNG_STRING_NEWLINE \
      "Copyright (c) 1998-2010 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
      "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
      "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
      PNG_STRING_NEWLINE);
 #else
-      return ((png_charp) "libpng version 1.4.7 - April 10, 2011\
+      return ((png_charp) "libpng version 1.4.8 - July 7, 2011\
       Copyright (c) 1998-2010 Glenn Randers-Pehrson\
       Copyright (c) 1996-1997 Andreas Dilger\
       Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.");
 #endif
 #endif
 }
 
 /* The following return the library version as a short string in the
--- a/modules/libimg/png/png.h
+++ b/modules/libimg/png/png.h
@@ -1,22 +1,22 @@
 
 /* png.h - header file for PNG reference library
  *
- * libpng version 1.4.7 - April 10, 2011
+ * libpng version 1.4.8 - July 7, 2011
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This code is released under the libpng license (See LICENSE, below)
  *
  * Authors and maintainers:
  *  libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
  *  libpng versions 0.89c, June 1996, through 0.96, May 1997: Andreas Dilger
- *  libpng versions 0.97, January 1998, through 1.4.7 - April 10, 2011: Glenn
+ *  libpng versions 0.97, January 1998, through 1.4.8 - July 7, 2011: Glenn
  *  See also "Contributing Authors", below.
  *
  * Note about libpng version numbers:
  *
  *    Due to various miscommunications, unforeseen code incompatibilities
  *    and occasional factors outside the authors' control, version numbering
  *    on the library has not always been consistent and straightforward.
  *    The following table summarizes matters since version 0.89c, which was
@@ -153,16 +153,19 @@
  *    1.4.5beta05-07          14    10405  14.so.14.5[.0]
  *    1.4.5rc02-03            14    10405  14.so.14.5[.0]
  *    1.4.5                   14    10405  14.so.14.5[.0]
  *    1.4.6beta01-07          14    10406  14.so.14.6[.0]
  *    1.4.6rc01               14    10406  14.so.14.6[.0]
  *    1.4.6                   14    10406  14.so.14.6[.0]
  *    1.4.7rc01               14    10407  14.so.14.7[.0]
  *    1.4.7                   14    10407  14.so.14.7[.0]
+ *    1.4.8beta01-05          14    10408  14.so.14.8[.0]
+ *    1.4.8rc01               14    10408  14.so.14.8[.0]
+ *    1.4.8                   14    10408  14.so.14.8[.0]
  *
  *    Henceforth the source version will match the shared-library major
  *    and minor numbers; the shared-library major version number will be
  *    used for changes in backward compatibility, as it is intended.  The
  *    PNG_LIBPNG_VER macro, which is not used within libpng but is available
  *    for applications, is an unsigned integer of the form xyyzz corresponding
  *    to the source version x.y.z (leading zeros in y and z).  Beta versions
  *    were given the previous public release number plus a letter, until
@@ -184,17 +187,17 @@
 /*
  * COPYRIGHT NOTICE, DISCLAIMER, and LICENSE:
  *
  * If you modify libpng you may insert additional notices immediately following
  * this sentence.
  *
  * This code is released under the libpng license.
  *
- * libpng versions 1.2.6, August 15, 2004, through 1.4.7, April 10, 2011, are
+ * libpng versions 1.2.6, August 15, 2004, through 1.4.8, July 7, 2011, are
  * Copyright (c) 2004, 2006-2010 Glenn Randers-Pehrson, and are
  * distributed according to the same disclaimer and license as libpng-1.2.5
  * with the following individual added to the list of Contributing Authors:
  *
  *    Cosmin Truta
  *
  * libpng versions 1.0.7, July 1, 2000, through 1.2.5, October 3, 2002, are
  * Copyright (c) 2000-2002 Glenn Randers-Pehrson, and are
@@ -296,23 +299,23 @@
  *
  * Thanks to Frank J. T. Wojcik for helping with the documentation.
  */
 
 /*
  * Y2K compliance in libpng:
  * =========================
  *
- *    April 10, 2011
+ *    July 7, 2011
  *
  *    Since the PNG Development group is an ad-hoc body, we can't make
  *    an official declaration.
  *
  *    This is your unofficial assurance that libpng from version 0.71 and
- *    upward through 1.4.7 are Y2K compliant.  It is my belief that earlier
+ *    upward through 1.4.8 are Y2K compliant.  It is my belief that earlier
  *    versions were also Y2K compliant.
  *
  *    Libpng only has three year fields.  One is a 2-byte unsigned integer
  *    that will hold years up to 65535.  The other two hold the date in text
  *    format, and will hold years up to 9999.
  *
  *    The integer is
  *        "png_uint_16 year" in png_time_struct.
@@ -358,27 +361,27 @@
 
 /* This is not the place to learn how to use libpng.  The file libpng.txt
  * describes how to use libpng, and the file example.c summarizes it
  * with some code on which to build.  This file is useful for looking
  * at the actual function definitions and structure components.
  */
 
 /* Version information for png.h - this should match the version in png.c */
-#define PNG_LIBPNG_VER_STRING "1.4.7"
+#define PNG_LIBPNG_VER_STRING "1.4.8"
 #define PNG_HEADER_VERSION_STRING \
-   " libpng version 1.4.7 - April 10, 2011\n"
+   " libpng version 1.4.8 - July 7, 2011\n"
 
 #define PNG_LIBPNG_VER_SONUM   14
 #define PNG_LIBPNG_VER_DLLNUM  14
 
 /* These should match the first 3 components of PNG_LIBPNG_VER_STRING: */
 #define PNG_LIBPNG_VER_MAJOR   1
 #define PNG_LIBPNG_VER_MINOR   4
-#define PNG_LIBPNG_VER_RELEASE 7
+#define PNG_LIBPNG_VER_RELEASE 8
 /* This should match the numeric part of the final component of
  * PNG_LIBPNG_VER_STRING, omitting any leading zero:
  */
 
 #define PNG_LIBPNG_VER_BUILD  0
 
 /* Release Status */
 #define PNG_LIBPNG_BUILD_ALPHA    1
@@ -398,17 +401,17 @@
 #define PNG_LIBPNG_BUILD_BASE_TYPE PNG_LIBPNG_BUILD_BETA
 
 /* Careful here.  At one time, Guy wanted to use 082, but that would be octal.
  * We must not include leading zeros.
  * Versions 0.7 through 1.0.0 were in the range 0 to 100 here (only
  * version 1.0.0 was mis-numbered 100 instead of 10000).  From
  * version 1.0.1 it's    xxyyzz, where x=major, y=minor, z=release
  */
-#define PNG_LIBPNG_VER 10407 /* 1.4.7 */
+#define PNG_LIBPNG_VER 10408 /* 1.4.8 */
 
 #ifndef PNG_VERSION_INFO_ONLY
 /* Include the compression library's header */
 #include "zlib.h"
 #endif
 
 /* Include all user configurable info, including optional assembler routines */
 #include "pngconf.h"
@@ -1540,17 +1543,17 @@ struct png_struct_def
 /* blend_op flags from inside fcTL */
 #define PNG_BLEND_OP_SOURCE        0x00
 #define PNG_BLEND_OP_OVER          0x01
 #endif /* PNG_APNG_SUPPORTED */
 
 /* This triggers a compiler error in png.c, if png.c and png.h
  * do not agree upon the version number.
  */
-typedef png_structp version_1_4_7;
+typedef png_structp version_1_4_8;
 
 typedef png_struct FAR * FAR * png_structpp;
 
 /* Here are the function definitions most commonly used.  This is not
  * the place to find out how to use libpng.  See libpng.txt for the
  * full explanation, see example.c for the summary.  This just provides
  * a simple one line description of the use of each function.
  */
--- a/modules/libimg/png/pngconf.h
+++ b/modules/libimg/png/pngconf.h
@@ -1,12 +1,12 @@
 
 /* pngconf.h - machine configurable file for libpng
  *
- * libpng version 1.4.7 - April 10, 2011
+ * libpng version 1.4.8 - July 7, 2011
  * For conditions of distribution and use, see copyright notice in png.h
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h
--- a/modules/libimg/png/pngerror.c
+++ b/modules/libimg/png/pngerror.c
@@ -1,12 +1,12 @@
 
 /* pngerror.c - stub functions for i/o and memory allocation
  *
- * Last changed in libpng 1.4.6 [March 8, 2011]
+ * Last changed in libpng 1.4.8 [July 7, 2011]
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h
  *
@@ -82,22 +82,27 @@ png_error(png_structp png_ptr, png_const
    /* If the custom handler doesn't exist, or if it returns,
       use the default handler, which will not return. */
    png_default_error(png_ptr, error_message);
 }
 #else
 void PNGAPI
 png_err(png_structp png_ptr)
 {
+   /* Prior to 1.4.8 the error_fn received a NULL pointer, expressed
+    * erroneously as '\0', instead of the empty string "".  This was
+    * apparently an error, introduced in libpng-1.2.20, and png_default_error
+    * will crash in this case.
+    */
    if (png_ptr != NULL && png_ptr->error_fn != NULL)
-      (*(png_ptr->error_fn))(png_ptr, '\0');
+      (*(png_ptr->error_fn))(png_ptr, "");
 
    /* If the custom handler doesn't exist, or if it returns,
       use the default handler, which will not return. */
-   png_default_error(png_ptr, '\0');
+   png_default_error(png_ptr, "");
 }
 #endif /* PNG_ERROR_TEXT_SUPPORTED */
 
 #ifdef PNG_WARNINGS_SUPPORTED
 /* This function is called whenever there is a non-fatal error.  This function
  * should not be changed.  If there is a need to handle warnings differently,
  * you should supply a replacement warning function and use
  * png_set_error_fn() to replace the warning function at run-time.
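Review bot: The new comment in png_err describes the old NULL argument but does not say what an application-supplied handler should now expect. With PNG_ERROR_TEXT_SUPPORTED off, a handler installed through png_set_error_fn() that tested the message for NULL will now see an empty string instead. I would end the comment with `Custom handlers therefore receive "" here, never NULL.` so that the contract is stated where the call is made.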
@@ -176,18 +181,23 @@ png_format_buffer(png_structp png_ptr, p
    }
 
    if (error_message == NULL)
       buffer[iout] = '\0';
    else
    {
       buffer[iout++] = ':';
       buffer[iout++] = ' ';
-      png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
-      buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
+
+      iin = 0;
+      while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
+         buffer[iout++] = error_message[iin++];
+
+      /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
+      buffer[iout] = '\0';
    }
 }
 
 #ifdef PNG_READ_SUPPORTED
 void PNGAPI
 png_chunk_error(png_structp png_ptr, png_const_charp error_message)
 {
    char msg[18+PNG_MAX_ERROR_TEXT];
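Review bot: The comment `iin < PNG_MAX_ERROR_TEXT, so the following is safe` in png_format_buffer argues from the read index, but the write `buffer[iout] = '\0'` is only in bounds if iout is also bounded when the else branch is entered. That depends on the chunk-name prefix, which is written before this hunk begins. Assuming the prefix is at most 16 characters, as the 18 in `char msg[18+PNG_MAX_ERROR_TEXT]` suggests, the comment could read `/* iout <= 18 + iin and iin < PNG_MAX_ERROR_TEXT, so buffer[iout] is inside the caller's 18+PNG_MAX_ERROR_TEXT bytes */`. The copy loop itself now stops at the terminator of error_message instead of always reading PNG_MAX_ERROR_TEXT bytes from it.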
--- a/modules/libimg/png/pngget.c
+++ b/modules/libimg/png/pngget.c
@@ -1,12 +1,12 @@
 
 /* pngget.c - retrieval of values from info struct
  *
- * Last changed in libpng 1.4.6 [April 10, 2011]
+ * Last changed in libpng 1.4.6 [April 8, 2010]
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h
  *
--- a/modules/libimg/png/pngmem.c
+++ b/modules/libimg/png/pngmem.c
@@ -1,12 +1,12 @@
 
 /* pngmem.c - stub functions for memory allocation
  *
- * Last changed in libpng 1.4.6 [April 10, 2011]
+ * Last changed in libpng 1.4.6 [April 8, 2010]
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h
  *
--- a/modules/libimg/png/pngpriv.h
+++ b/modules/libimg/png/pngpriv.h
@@ -1,12 +1,12 @@
 
 /* pngpriv.h - private declarations for use inside libpng
  *
- * libpng version 1.4.7 - April 10, 2011
+ * libpng version 1.4.8 - July 7, 2011
  * For conditions of distribution and use, see copyright notice in png.h
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h
@@ -21,16 +21,25 @@
  * they should be well aware of the issues that may arise from doing so.
  */
 
 #ifndef PNGPRIV_H
 #define PNGPRIV_H
 
 #ifndef PNG_VERSION_INFO_ONLY
 
+#if defined(_AIX) && defined(_ALL_SOURCE)
+   /* On AIX if _ALL_SOURCE is defined standard header files (including
+    * stdlib.h) define identifiers that are not permitted by the ANSI and
+    * POSIX standards.  In particular 'jmpbuf' is #defined and this will
+    * prevent compilation of libpng.  The following prevents this:
+    */
+#  undef _ALL_SOURCE
+#endif
+
 #include <stdlib.h>
 
 #ifndef PNG_EXTERN
 /* The functions exported by PNG_EXTERN are internal functions, which
  * aren't usually used outside the library (as far as I know), so it is
  * debatable if they should be exported at all.  In the future, when it
  * is possible to have run-time registry of chunk-handling functions,
  * some of these will be made available again.
--- a/modules/libimg/png/pngrtran.c
+++ b/modules/libimg/png/pngrtran.c
@@ -1,12 +1,12 @@
 
 /* pngrtran.c - transforms the data in a row for PNG readers
  *
- * Last changed in libpng 1.4.6 [%RDATE%]
+ * Last changed in libpng 1.4.8 [July 7, 2011]
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h
  *
@@ -655,20 +655,31 @@ png_set_gray_to_rgb(png_structp png_ptr)
 /* Convert a RGB image to a grayscale of the same width.  This allows us,
  * for example, to convert a 24 bpp RGB image into an 8 bpp grayscale image.
  */
 
 void PNGAPI
 png_set_rgb_to_gray(png_structp png_ptr, int error_action, double red,
    double green)
 {
-   int red_fixed = (int)((float)red*100000.0 + 0.5);
-   int green_fixed = (int)((float)green*100000.0 + 0.5);
+   int red_fixed, green_fixed;
    if (png_ptr == NULL)
       return;
+   if (red > 21474.83647 || red < -21474.83648 ||
+       green > 21474.83647 || green < -21474.83648)
+   {
+      png_warning(png_ptr, "ignoring out of range rgb_to_gray coefficients");
+      red_fixed = -1;
+      green_fixed = -1;
+   }
+   else
+   {
+      red_fixed = (int)((float)red*100000.0 + 0.5);
+      green_fixed = (int)((float)green*100000.0 + 0.5);
+   }
    png_set_rgb_to_gray_fixed(png_ptr, error_action, red_fixed, green_fixed);
 }
 #endif
 
 void PNGAPI
 png_set_rgb_to_gray_fixed(png_structp png_ptr, int error_action,
    png_fixed_point red, png_fixed_point green)
 {
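Review bot: The new range check in png_set_rgb_to_gray does not reject NaN, because every comparison with NaN is false, so a NaN coefficient reaches the else branch and is converted with `(int)`, which is undefined. Writing the test in the accepting form closes that gap: `if (!(red <= 21474.83647 && red >= -21474.83648 && green <= 21474.83647 && green >= -21474.83648))`. A short comment saying that the two limits are the int range divided by 100000 would also explain the constants.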
@@ -698,37 +709,48 @@ png_set_rgb_to_gray_fixed(png_structp pn
 #else
    {
       png_warning(png_ptr,
         "Cannot do RGB_TO_GRAY without EXPAND_SUPPORTED");
       png_ptr->transformations &= ~PNG_RGB_TO_GRAY;
    }
 #endif
    {
-      png_uint_16 red_int, green_int;
-      if (red < 0 || green < 0)
+      if (red >= 0 && green >= 0 && red + green <= 100000L)
       {
-         red_int   =  6968; /* .212671 * 32768 + .5 */
-         green_int = 23434; /* .715160 * 32768 + .5 */
-      }
-      else if (red + green < 100000L)
-      {
+         png_uint_16 red_int, green_int;
+
          red_int = (png_uint_16)(((png_uint_32)red*32768L)/100000L);
          green_int = (png_uint_16)(((png_uint_32)green*32768L)/100000L);
+
+         png_ptr->rgb_to_gray_red_coeff   = red_int;
+         png_ptr->rgb_to_gray_green_coeff = green_int;
+         png_ptr->rgb_to_gray_blue_coeff  =
+          (png_uint_16)(32768 - red_int - green_int);
       }
+
       else
       {
-         png_warning(png_ptr, "ignoring out of range rgb_to_gray coefficients");
-         red_int   =  6968;
-         green_int = 23434;
+         if (red >= 0 && green >= 0)
+            png_warning(png_ptr,
+               "ignoring out of range rgb_to_gray coefficients");
+
+         /* Use the defaults, from the cHRM chunk if set, else the built in Rec
+          * 709 values (which correspond to sRGB, so we don't have to worry
+          * about the sRGB chunk!)
+          */
+         if (png_ptr->rgb_to_gray_red_coeff == 0 &&
+            png_ptr->rgb_to_gray_green_coeff == 0 &&
+            png_ptr->rgb_to_gray_blue_coeff == 0)
+         {
+            png_ptr->rgb_to_gray_red_coeff   = 6968;  /* .212671 * 32768 + .5 */
+            png_ptr->rgb_to_gray_green_coeff = 23434; /* .715160 * 32768 + .5 */
+            png_ptr->rgb_to_gray_blue_coeff  = 2366;
+         }
       }
-      png_ptr->rgb_to_gray_red_coeff   = red_int;
-      png_ptr->rgb_to_gray_green_coeff = green_int;
-      png_ptr->rgb_to_gray_blue_coeff  =
-         (png_uint_16)(32768 - red_int - green_int);
    }
 }
 #endif
 
 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) || \
     defined(PNG_WRITE_USER_TRANSFORM_SUPPORTED)
 void PNGAPI
 png_set_read_user_transform_fn(png_structp png_ptr, png_user_transform_ptr
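Review bot: In png_set_rgb_to_gray_fixed the new test `red + green <= 100000L` adds two non-negative fixed-point values that can each be close to the 32-bit maximum, since the floating-point wrapper in the previous hunk accepts inputs up to about 21474.8. The sum can then overflow, which is undefined for a signed type, and on a wrapping implementation it becomes negative and passes the check, so out-of-range coefficients would be scaled and stored. Bounding each operand avoids the addition: `if (red >= 0 && green >= 0 && red <= 100000L && green <= 100000L - red)`. The function body starts before this hunk.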
@@ -1176,18 +1198,17 @@ png_read_transform_info(png_structp png_
 {
    png_debug(1, "in png_read_transform_info");
 
 #ifdef PNG_READ_EXPAND_SUPPORTED
    if (png_ptr->transformations & PNG_EXPAND)
    {
       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
       {
-         if (png_ptr->num_trans &&
-              (png_ptr->transformations & PNG_EXPAND_tRNS))
+         if (png_ptr->num_trans)
             info_ptr->color_type = PNG_COLOR_TYPE_RGB_ALPHA;
          else
             info_ptr->color_type = PNG_COLOR_TYPE_RGB;
          info_ptr->bit_depth = 8;
          info_ptr->num_trans = 0;
       }
       else
       {
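Review bot: Nothing at the changed test in png_read_transform_info records why PNG_EXPAND_tRNS is no longer consulted for palette images. Applications typically size their row buffers from the color type reported here, so it has to agree with what the row transform actually emits. That transform is not in this hunk, so it should be confirmed that it produces an alpha channel whenever num_trans is non-zero. A comment such as `/* palette expansion adds alpha whenever tRNS is present, with or without PNG_EXPAND_tRNS */` would state the invariant; the function continues outside the hunk.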
@@ -1773,42 +1794,28 @@ png_do_chop(png_row_infop row_info, png_
       png_bytep sp = row;
       png_bytep dp = row;
       png_uint_32 i;
       png_uint_32 istop = row_info->width * row_info->channels;
 
       for (i = 0; i<istop; i++, sp += 2, dp++)
       {
 #ifdef PNG_READ_16_TO_8_ACCURATE_SCALE_SUPPORTED
-      /* This does a more accurate scaling of the 16-bit color
-       * value, rather than a simple low-byte truncation.
-       *
-       * What the ideal calculation should be:
-       *   *dp = (((((png_uint_32)(*sp) << 8) |
-       *          (png_uint_32)(*(sp + 1))) * 255 + 127)
-       *          / (png_uint_32)65535L;
-       *
-       * GRR: no, I think this is what it really should be:
-       *   *dp = (((((png_uint_32)(*sp) << 8) |
-       *           (png_uint_32)(*(sp + 1))) + 128L)
-       *           / (png_uint_32)257L;
-       *
-       * GRR: here's the exact calculation with shifts:
-       *   temp = (((png_uint_32)(*sp) << 8) |
-       *           (png_uint_32)(*(sp + 1))) + 128L;
-       *   *dp = (temp - (temp >> 8)) >> 8;
-       *
-       * Approximate calculation with shift/add instead of multiply/divide:
-       *   *dp = ((((png_uint_32)(*sp) << 8) |
-       *          (png_uint_32)((int)(*(sp + 1)) - *sp)) + 128) >> 8;
-       *
-       * What we actually do to avoid extra shifting and conversion:
-       */
-
-         *dp = *sp + ((((int)(*(sp + 1)) - *sp) > 128) ? 1 : 0);
+         /* This does a more accurate scaling of the 16-bit color
+          * value, rather than a simple low-byte truncation.
+          *
+          * Prior to libpng-1.4.8 and 1.5.4, the calculation here was
+          * incorrect, so if you used ACCURATE_SCALE you will now see
+          * a slightly different result.  In libpng-1.5.4 and
+          * later you will need to use the new png_set_scale_16_to_8()
+          * API to obtain accurate 16-to-8 scaling.
+          */
+         png_int_32 tmp = *sp; /* must be signed! */
+         tmp += (((int)sp[1] - tmp + 128) * 65535) >> 24;
+         *dp = (png_byte)tmp;
 #else
        /* Simply discard the low order byte */
          *dp = *sp;
 #endif
       }
       row_info->bit_depth = 8;
       row_info->pixel_depth = (png_byte)(8 * row_info->channels);
       row_info->rowbytes = row_info->width * row_info->channels;
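Review bot: The new rounding step in png_do_chop, `tmp += (((int)sp[1] - tmp + 128) * 65535) >> 24;`, right-shifts a value that is negative whenever the low byte is more than 128 below the high byte, and the result of that shift is implementation-defined in C. The `/* must be signed! */` remark hints at this but does not say that an arithmetic shift is assumed. I would add `/* relies on >> of a negative value being an arithmetic shift, giving -1, 0 or +1 */` above the line. The removed comment also held the only derivation of the scaling, so one line stating the target, division of the 16-bit sample by 257 with rounding, would help the next reader.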
--- a/modules/libimg/png/pngrutil.c
+++ b/modules/libimg/png/pngrutil.c
@@ -1,12 +1,12 @@
 
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.4.6 [March 8, 2011]
+ * Last changed in libpng 1.4.8 [July 7, 2011]
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h
  *
@@ -1861,16 +1861,24 @@ png_handle_sCAL(png_structp png_ptr, png
    }
    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL))
    {
       png_warning(png_ptr, "Duplicate sCAL chunk");
       png_crc_finish(png_ptr, length);
       return;
    }
 
+   /* Need unit type, width, \0, height: minimum 4 bytes */
+   else if (length < 4)
+   {
+      png_warning(png_ptr, "sCAL chunk too short");
+      png_crc_finish(png_ptr, length);
+      return;
+   }
+
    png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)",
       (unsigned long)(length + 1));
    png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
    if (png_ptr->chunkdata == NULL)
    {
       png_warning(png_ptr, "Out of memory while processing sCAL chunk");
       png_crc_finish(png_ptr, length);
       return;
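Review bot: The added `length < 4` test in png_handle_sCAL sets only a floor on the chunk size and does not by itself show that the width string is terminated inside the chunk or that a height string follows it. The parsing that walks the buffer is after this hunk, so it should be confirmed that every scan there is bounded by `length`. The comment could say so: `/* Need unit type, width, \0, height: minimum 4 bytes; this is only a floor, the separator is located and checked after the read */`. The allocation of `length + 1` below relies on an upper bound on length that is presumably enforced where the chunk header is read, which is also not visible here.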
--- a/modules/libimg/png/pngtrans.c
+++ b/modules/libimg/png/pngtrans.c
@@ -1,12 +1,12 @@
 
 /* pngtrans.c - transforms the data in a row (used by both readers and writers)
  *
- * Last changed in libpng 1.4.6 [April 10, 2011]
+ * Last changed in libpng 1.4.6 [ April 8, 2010]
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h
  */
--- a/modules/libimg/png/pngwrite.c
+++ b/modules/libimg/png/pngwrite.c
@@ -1,12 +1,12 @@
 
 /* pngwrite.c - general routines to write a PNG file
  *
- * Last changed in libpng 1.4.6 [March 8, 2011]
+ * Last changed in libpng 1.4.8 [July 7, 2011]
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h
  */
@@ -294,16 +294,17 @@ png_write_info(png_structp png_ptr, png_
       for (up = info_ptr->unknown_chunks;
            up < info_ptr->unknown_chunks + info_ptr->unknown_chunks_num;
            up++)
       {
          int keep = png_handle_as_unknown(png_ptr, up->name);
          if (keep != PNG_HANDLE_CHUNK_NEVER &&
             up->location && (up->location & PNG_HAVE_PLTE) &&
             !(up->location & PNG_HAVE_IDAT) &&
+            !(up->location & PNG_AFTER_IDAT) &&
             ((up->name[3] & 0x20) || keep == PNG_HANDLE_CHUNK_ALWAYS ||
             (png_ptr->flags & PNG_FLAG_KEEP_UNSAFE_CHUNKS)))
          {
             png_write_chunk(png_ptr, up->name, up->data, up->size);
          }
       }
    }
 #endif
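Review bot: The condition in png_write_info now tests up->location against three flags and nothing states which position it is meant to select. A one-line comment above the `if`, for example `/* write only unknown chunks recorded after PLTE and before IDAT */`, would make the purpose of the added `!(up->location & PNG_AFTER_IDAT)` term clear. The leading `up->location &&` is already implied by the PNG_HAVE_PLTE test and could be dropped for readability. The loop belongs to a function that begins outside this hunk.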
@@ -1414,17 +1415,17 @@ png_write_png(png_structp png_ptr, png_i
 
 #ifdef PNG_WRITE_SWAP_ALPHA_SUPPORTED
    /* Swap location of alpha bytes from ARGB to RGBA */
    if (transforms & PNG_TRANSFORM_SWAP_ALPHA)
       png_set_swap_alpha(png_ptr);
 #endif
 
 #ifdef PNG_WRITE_FILLER_SUPPORTED
-   /* Pack XRGB/RGBX/ARGB/RGBA into * RGB (4 channels -> 3 channels) */
+   /* Pack XRGB/RGBX/ARGB/RGBA into RGB (4 channels -> 3 channels) */
    if (transforms & PNG_TRANSFORM_STRIP_FILLER_AFTER)
       png_set_filler(png_ptr, 0, PNG_FILLER_AFTER);
    else if (transforms & PNG_TRANSFORM_STRIP_FILLER_BEFORE)
       png_set_filler(png_ptr, 0, PNG_FILLER_BEFORE);
 #endif
 
 #ifdef PNG_WRITE_BGR_SUPPORTED
    /* Flip BGR pixels to RGB */
--- a/modules/libimg/png/pngwutil.c
+++ b/modules/libimg/png/pngwutil.c
@@ -1,13 +1,13 @@
 
 /* pngwutil.c - utilities to write a PNG file
  *
- * Last changed in libpng 1.4.1 [February 25, 2010]
- * Copyright (c) 1998-2010 Glenn Randers-Pehrson
+ * Last changed in libpng 1.4.8 [July 7, 2011]
+ * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h
  */
 
@@ -690,17 +690,17 @@ png_write_IDAT(png_structp png_ptr, png_
          if (length >= 2 &&
              png_ptr->height < 16384 && png_ptr->width < 16384)
          {
             unsigned int z_cinfo;
             unsigned int half_z_window_size;
 
             /* Compute the maximum possible length of the datastream */
 
-            /* Number of pixels, plus for each row a filter byte and possible
+            /* Number of pixels, plus for each row a filter byte
              * and possibly a padding byte, so increase the maximum
              * size to account for these.
              */
             png_uint_32 uncompressed_idat_size = png_ptr->height *
                ((png_ptr->width *
                png_ptr->channels * png_ptr->bit_depth + 15) >> 3);
 
             /* If it's interlaced, each block of 8 rows is sent as up to