bug 478901 update to libpng 1.2.35, patch by Glenn Randers-Pehrson, r=Joe Drew, sr=dveditz, blocking=vlad
authorDaniel Veditz <dveditz@cruzio.com>
Sun, 01 Mar 2009 01:15:25 -0800
changeset 25642 ad8d75516c5eba9c0d7c7f2c9b392e87b2b1dba3
parent 25641 98de82962026eaff0c1f557ec0bbfacc941ee222
child 25643 a57fef12385f25bec86522d8f3eb7bdc6c29aac9
push idunknown
push userunknown
push dateunknown
reviewersJoe, dveditz
bugs478901
milestone1.9.2a1pre
bug 478901 update to libpng 1.2.35, patch by Glenn Randers-Pehrson, r=Joe Drew, sr=dveditz, blocking=vlad
modules/libimg/png/CHANGES
modules/libimg/png/LICENSE
modules/libimg/png/MOZCHANGES
modules/libimg/png/README
modules/libimg/png/libpng.txt
modules/libimg/png/png.c
modules/libimg/png/png.h
modules/libimg/png/pngconf.h
modules/libimg/png/pngget.c
modules/libimg/png/pngread.c
modules/libimg/png/pngrtran.c
modules/libimg/png/pngrutil.c
modules/libimg/png/pngset.c
modules/libimg/png/pngwio.c
modules/libimg/png/pngwrite.c
--- a/modules/libimg/png/CHANGES
+++ b/modules/libimg/png/CHANGES
@@ -2181,17 +2181,17 @@ version 1.2.30beta03 [July 6, 2008]
   Changed PNGMAJ from 0 to 12 in makefile.darwin, which does not like 0.
   Added new private function png_read_chunk_header() from 1.4.0beta19.
   Merge reading of chunk length and chunk type into a single 8-byte read.
   Merge writing of chunk length and chunk type into a single 8-byte write.
 
 version 1.2.30beta04 [July 10, 2008]
   Merged more cosmetic whitespace changes from libpng-1.4.0beta19.
 
-version 1.0.38rc01, 1.2.30rc01 [December 18, 2008]
+version 1.0.38rc01, 1.2.30rc01 [July 18, 2008]
   No changes.
 
 version 1.0.38rc02, 1.2.30rc02 [July 21, 2008]
   Moved local array "chunkdata" from pngrutil.c to the png_struct, so
     it will be freed by png_read_destroy() in case of a read error (Kurt
     Christensen).
 
 version 1.0.38rc03, 1.2.30rc03 [July 21, 2008]
@@ -2304,15 +2304,34 @@ version 1.2.34beta07 [December 9, 2008]
     PNG_TRANSFORM_STRIP_FILLER (Jim Barry).
 
 version 1.0.42rc01, 1.2.34rc01 [December 11, 2008]
   No changes.
 
 version 1.0.42, 1.2.34 [December 18, 2008]
   No changes.
 
+version 1.2.35beta01 [February 4, 2009]
+  Zero out some arrays of pointers after png_malloc(). (Tavis Ormandy)
+
+version 1.2.35beta02 [Feburary 4, 2009]
+  Zero out more arrays of pointers after png_malloc().
+
+version 1.2.35beta03 [February 5, 2009]
+  Use png_memset() instead of a loop to intialize pointers.  We realize
+    this will not work on platforms where the NULL pointer is not all zeroes.
+
+version 1.2.35rc01 [February 11, 2009]
+  No changes.
+
+version 1.2.35rc02 [February 12, 2009]
+  Fix typo in new png_memset call in pngset.c (png_color should be png_charp)
+
+version 1.0.43 and 1.2.35 [February 14, 2009]
+  No changes.
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
 to subscribe)
 or to glennrp at users.sourceforge.net
 
 Glenn R-P
--- a/modules/libimg/png/LICENSE
+++ b/modules/libimg/png/LICENSE
@@ -3,17 +3,17 @@ This copy of the libpng notices is provi
 any discrepancy between this copy and the notices in the file png.h that is
 included in the libpng distribution, the latter shall prevail.
 
 COPYRIGHT NOTICE, DISCLAIMER, and LICENSE:
 
 If you modify libpng you may insert additional notices immediately following
 this sentence.
 
-libpng versions 1.2.6, August 15, 2004, through 1.2.34, December 18, 2008, are
+libpng versions 1.2.6, August 15, 2004, through 1.2.35, February 14, 2009, are
 Copyright (c) 2004, 2006-2008 Glenn Randers-Pehrson, and are
 distributed according to the same disclaimer and license as libpng-1.2.5
 with the following individual added to the list of Contributing Authors
 
    Cosmin Truta
 
 libpng versions 1.0.7, July 1, 2000, through 1.2.5 - October 3, 2002, are
 Copyright (c) 2000-2002 Glenn Randers-Pehrson, and are
@@ -101,9 +101,9 @@ boxes and the like:
 Also, the PNG logo (in PNG format, of course) is supplied in the
 files "pngbar.png" and "pngbar.jpg (88x31) and "pngnow.png" (98x31).
 
 Libpng is OSI Certified Open Source Software.  OSI Certified Open Source is a
 certification mark of the Open Source Initiative.
 
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-December 18, 2008
+February 14, 2009
--- a/modules/libimg/png/MOZCHANGES
+++ b/modules/libimg/png/MOZCHANGES
@@ -1,11 +1,13 @@
 
 Changes made to pristine png source by mozilla.org developers.
 
+2009/02/19  -- Synced with libpng-1.2.35 (bug #478901).
+
 2008/08/21  -- Synced with libpng-1.2.31 (bug #418900).
 
 2008/03/29  -- Initialize prev_row for each APNG frame, only when
                the frame size increases (bug #420416)
 
 2008/01/18  -- Synced with libpng-1.2.24 (bug #408429).
 
 2007/11/13  -- Synced with libpng-1.2.23; Removed pnggccrd.c and pngvcrd.c;
--- a/modules/libimg/png/README
+++ b/modules/libimg/png/README
@@ -1,9 +1,9 @@
-README for libpng version 1.2.34 - December 18, 2008 (shared library 12.0)
+README for libpng version 1.2.35 - February 14, 2009 (shared library 12.0)
 See the note about version numbers near the top of png.h
 
 See INSTALL for instructions on how to install libpng.
 
 Libpng comes in several distribution formats.  Get libpng-*.tar.gz,
 libpng-*.tar.lzma, or libpng-*.tar.bz2 if you want UNIX-style line
 endings in the text files, or lpng*.7z or lpng*.zip if you want DOS-style
 line endings.  You can get UNIX-style line endings from the *.zip file
@@ -189,21 +189,21 @@ Files in this distribution:
                             Netware.
        wince.txt        =>  Contains instructions for downloading a Microsoft
                             Visual C++ (Windows CD Toolkit) workspace for
                             building libpng and zlib on WindowsCE
       scripts       =>  Directory containing scripts for building libpng:
        descrip.mms      =>  VMS makefile for MMS or MMK
        makefile.std     =>  Generic UNIX makefile (cc, creates static libpng.a)
        makefile.elf     =>  Linux/ELF makefile symbol versioning,
-                            gcc, creates libpng12.so.0.1.2.34)
+                            gcc, creates libpng12.so.0.1.2.35)
        makefile.linux   =>  Linux/ELF makefile
-                            (gcc, creates libpng12.so.0.1.2.34)
+                            (gcc, creates libpng12.so.0.1.2.35)
        makefile.gcmmx   =>  Linux/ELF makefile
-                            (gcc, creates libpng12.so.0.1.2.34,
+                            (gcc, creates libpng12.so.0.1.2.35,
                             uses assembler code tuned for Intel MMX platform)
        makefile.gcc     =>  Generic makefile (gcc, creates static libpng.a)
        makefile.knr     =>  Archaic UNIX Makefile that converts files with
                             ansi2knr (Requires ansi2knr.c from
                             ftp://ftp.cs.wisc.edu/ghost)
        makefile.aix     =>  AIX makefile
        makefile.cygwin  =>  Cygwin/gcc makefile
        makefile.darwin  =>  Darwin makefile
@@ -215,22 +215,22 @@ Files in this distribution:
        makefile.ibmc    =>  IBM C/C++ version 3.x for Win32 and OS/2 (static)
        makefile.intel   =>  Intel C/C++ version 4.0 and later
        libpng.icc       =>  Project file, IBM VisualAge/C++ 4.0 or later
        makefile.netbsd  =>  NetBSD/cc makefile, PNGGCCRD, makes libpng.so.
        makefile.ne12bsd  =>  NetBSD/cc makefile, PNGGCCRD, makes libpng12.so
        makefile.openbsd =>  OpenBSD makefile
        makefile.sgi     =>  Silicon Graphics IRIX (cc, creates static lib)
        makefile.sggcc   =>  Silicon Graphics
-                            (gcc, creates libpng12.so.0.1.2.34)
+                            (gcc, creates libpng12.so.0.1.2.35)
        makefile.sunos   =>  Sun makefile
        makefile.solaris =>  Solaris 2.X makefile
-                            (gcc, creates libpng12.so.0.1.2.34)
+                            (gcc, creates libpng12.so.0.1.2.35)
        makefile.so9     =>  Solaris 9 makefile
-                            (gcc, creates libpng12.so.0.1.2.34)
+                            (gcc, creates libpng12.so.0.1.2.35)
        makefile.32sunu  =>  Sun Ultra 32-bit makefile
        makefile.64sunu  =>  Sun Ultra 64-bit makefile
        makefile.sco     =>  For SCO OSr5  ELF and Unixware 7 with Native cc
        makefile.mips    =>  MIPS makefile
        makefile.acorn   =>  Acorn makefile
        makefile.amiga   =>  Amiga makefile
        smakefile.ppc    =>  AMIGA smakefile for SAS C V6.58/7.00 PPC
                             compiler (Requires SCOPTIONS, copied from
--- a/modules/libimg/png/libpng.txt
+++ b/modules/libimg/png/libpng.txt
@@ -1,20 +1,20 @@
   libpng.txt - A description on how to use and modify libpng
   
- libpng version 1.2.34 - December 18, 2008
+ libpng version 1.2.35 - February 14, 2009
  Updated and distributed by Glenn Randers-Pehrson
  <glennrp at users.sourceforge.net>
- Copyright (c) 1998-2008 Glenn Randers-Pehrson
+ Copyright (c) 1998-2009 Glenn Randers-Pehrson
  For conditions of distribution and use, see copyright
  notice in png.h.
   
  Based on:
   
- libpng versions 0.97, January 1998, through 1.2.34 - December 18, 2008
+ libpng versions 0.97, January 1998, through 1.2.35 - February 14, 2009
  Updated and distributed by Glenn Randers-Pehrson
  Copyright (c) 1998-2008 Glenn Randers-Pehrson
 
  libpng 1.0 beta 6  version 0.96 May 28, 1997
  Updated and distributed by Andreas Dilger
  Copyright (c) 1996, 1997 Andreas Dilger
 
  libpng 1.0 beta 2 - version 0.88  January 26, 1996
@@ -467,16 +467,18 @@ row_pointers prior to calling png_read_p
       png_error (png_ptr,
          "Image is too tall to process in memory");
    if (width > PNG_UINT_32_MAX/pixel_size)
       png_error (png_ptr,
          "Image is too wide to process in memory");
    row_pointers = png_malloc(png_ptr,
       height*png_sizeof(png_bytep));
    for (int i=0; i<height, i++)
+      row_pointers[i]=NULL;  /* security precaution */
+   for (int i=0; i<height, i++)
       row_pointers[i]=png_malloc(png_ptr,
          width*pixel_size);
    png_set_rows(png_ptr, info_ptr, &row_pointers);
 
 Alternatively you could allocate your image in one big block and define
 row_pointers[i] to point into the proper places in your block.
 
 If you use png_set_rows(), the application is responsible for freeing
@@ -2846,23 +2848,23 @@ version with leading zero, and release n
 
 You can also check which version of png.h you used when compiling your
 application:
 
    png_uint_32 application_vn = PNG_LIBPNG_VER;
 
 IX. Y2K Compliance in libpng
 
-August 21, 2008
+February 14, 2009
 
 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
 
 This is your unofficial assurance that libpng from version 0.71 and
-upward through 1.2.31 are Y2K compliant.  It is my belief that earlier
+upward through 1.2.35 are Y2K compliant.  It is my belief that earlier
 versions were also Y2K compliant.
 
 Libpng only has three year fields.  One is a 2-byte unsigned integer that
 will hold years up to 65535.  The other two hold the date in text
 format, and will hold years up to 9999.
 
 The integer is
     "png_uint_16 year" in png_time_struct.
--- a/modules/libimg/png/png.c
+++ b/modules/libimg/png/png.c
@@ -8,17 +8,17 @@
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  */
 
 #define PNG_INTERNAL
 #define PNG_NO_EXTERN
 #include "png.h"
 
 /* Generate a compiler error if there is an old png.h in the search path. */
-typedef version_1_2_34 Your_png_h_is_not_version_1_2_34;
+typedef version_1_2_35 Your_png_h_is_not_version_1_2_35;
 
 /* Version information for C files.  This had better match the version
  * string defined in png.h.  */
 
 #ifdef PNG_USE_GLOBAL_ARRAYS
 /* png_libpng_ver was changed to a function in version 1.0.5c */
 PNG_CONST char png_libpng_ver[18] = PNG_LIBPNG_VER_STRING;
 
@@ -692,17 +692,17 @@ png_convert_to_rfc1123(png_structp png_p
 #endif /* PNG_TIME_RFC1123_SUPPORTED */
 
 #endif /* defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) */
 
 png_charp PNGAPI
 png_get_copyright(png_structp png_ptr)
 {
    png_ptr = png_ptr;  /* silence compiler warning about unused png_ptr */
-   return ((png_charp) "\n libpng version 1.2.34 - December 18, 2008\n\
+   return ((png_charp) "\n libpng version 1.2.35 - February 14, 2009\n\
    Copyright (c) 1998-2008 Glenn Randers-Pehrson\n\
    Copyright (c) 1996-1997 Andreas Dilger\n\
    Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.\n");
 }
 
 /* The following return the library version as a short string in the
  * format 1.0.0 through 99.99.99zz.  To get the version of *.h files
  * used with your application, print out PNG_LIBPNG_VER_STRING, which
--- a/modules/libimg/png/png.h
+++ b/modules/libimg/png/png.h
@@ -1,19 +1,19 @@
 /* png.h - header file for PNG reference library
  *
- * libpng version 1.2.34 - December 18, 2008
- * Copyright (c) 1998-2008 Glenn Randers-Pehrson
+ * libpng version 1.2.35 - February 14, 2009
+ * Copyright (c) 1998-2009 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * Authors and maintainers:
  *  libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
  *  libpng versions 0.89c, June 1996, through 0.96, May 1997: Andreas Dilger
- *  libpng versions 0.97, January 1998, through 1.2.34 - December 18, 2008: Glenn
+ *  libpng versions 0.97, January 1998, through 1.2.35 - February 14, 2009: Glenn
  *  See also "Contributing Authors", below.
  *
  * Note about libpng version numbers:
  *
  *    Due to various miscommunications, unforeseen code incompatibilities
  *    and occasional factors outside the authors' control, version numbering
  *    on the library has not always been consistent and straightforward.
  *    The following table summarizes matters since version 0.89c, which was
@@ -212,16 +212,21 @@
  *    1.0.41rc01              10    10041  10.so.0.41[.0]
  *    1.2.33                  13    10233  12.so.0.33[.0]
  *    1.0.41                  10    10041  10.so.0.41[.0]
  *    1.2.34beta01-07         13    10234  12.so.0.34[.0]
  *    1.0.42rc01              10    10042  10.so.0.42[.0]
  *    1.2.34rc01              13    10234  12.so.0.34[.0]
  *    1.0.42                  10    10042  10.so.0.42[.0]
  *    1.2.34                  13    10234  12.so.0.34[.0]
+ *    1.2.35beta01-03         13    10235  12.so.0.35[.0]
+ *    1.0.43rc01-02           10    10043  10.so.0.43[.0]
+ *    1.2.35rc01-02           13    10235  12.so.0.35[.0]
+ *    1.0.43                  10    10043  10.so.0.43[.0]
+ *    1.2.35                  13    10235  12.so.0.35[.0]
  *
  *    Henceforth the source version will match the shared-library major
  *    and minor numbers; the shared-library major version number will be
  *    used for changes in backward compatibility, as it is intended.  The
  *    PNG_LIBPNG_VER macro, which is not used within libpng but is available
  *    for applications, is an unsigned integer of the form xyyzz corresponding
  *    to the source version x.y.z (leading zeros in y and z).  Beta versions
  *    were given the previous public release number plus a letter, until
@@ -241,17 +246,17 @@
  */
 
 /*
  * COPYRIGHT NOTICE, DISCLAIMER, and LICENSE:
  *
  * If you modify libpng you may insert additional notices immediately following
  * this sentence.
  *
- * libpng versions 1.2.6, August 15, 2004, through 1.2.34, December 18, 2008, are
+ * libpng versions 1.2.6, August 15, 2004, through 1.2.35, February 14, 2009, are
  * Copyright (c) 2004, 2006-2008 Glenn Randers-Pehrson, and are
  * distributed according to the same disclaimer and license as libpng-1.2.5
  * with the following individual added to the list of Contributing Authors:
  *
  *    Cosmin Truta
  *
  * libpng versions 1.0.7, July 1, 2000, through 1.2.5, October 3, 2002, are
  * Copyright (c) 2000-2002 Glenn Randers-Pehrson, and are
@@ -353,23 +358,23 @@
  *
  * Thanks to Frank J. T. Wojcik for helping with the documentation.
  */
 
 /*
  * Y2K compliance in libpng:
  * =========================
  *
- *    December 18, 2008
+ *    February 14, 2009
  *
  *    Since the PNG Development group is an ad-hoc body, we can't make
  *    an official declaration.
  *
  *    This is your unofficial assurance that libpng from version 0.71 and
- *    upward through 1.2.34 are Y2K compliant.  It is my belief that earlier
+ *    upward through 1.2.35 are Y2K compliant.  It is my belief that earlier
  *    versions were also Y2K compliant.
  *
  *    Libpng only has three year fields.  One is a 2-byte unsigned integer
  *    that will hold years up to 65535.  The other two hold the date in text
  *    format, and will hold years up to 9999.
  *
  *    The integer is
  *        "png_uint_16 year" in png_time_struct.
@@ -415,27 +420,27 @@
 
 /* This is not the place to learn how to use libpng.  The file libpng.txt
  * describes how to use libpng, and the file example.c summarizes it
  * with some code on which to build.  This file is useful for looking
  * at the actual function definitions and structure components.
  */
 
 /* Version information for png.h - this should match the version in png.c */
-#define PNG_LIBPNG_VER_STRING "1.2.34"
+#define PNG_LIBPNG_VER_STRING "1.2.35"
 #define PNG_HEADER_VERSION_STRING \
-   " libpng version 1.2.34 - December 18, 2008\n"
+   " libpng version 1.2.35 - February 14, 2009\n"
 
 #define PNG_LIBPNG_VER_SONUM   0
 #define PNG_LIBPNG_VER_DLLNUM  13
 
 /* These should match the first 3 components of PNG_LIBPNG_VER_STRING: */
 #define PNG_LIBPNG_VER_MAJOR   1
 #define PNG_LIBPNG_VER_MINOR   2
-#define PNG_LIBPNG_VER_RELEASE 34
+#define PNG_LIBPNG_VER_RELEASE 35
 /* This should match the numeric part of the final component of
  * PNG_LIBPNG_VER_STRING, omitting any leading zero: */
 
 #define PNG_LIBPNG_VER_BUILD  0
 
 /* Release Status */
 #define PNG_LIBPNG_BUILD_ALPHA    1
 #define PNG_LIBPNG_BUILD_BETA     2
@@ -453,17 +458,17 @@
 
 #define PNG_LIBPNG_BUILD_BASE_TYPE PNG_LIBPNG_BUILD_STABLE
 
 /* Careful here.  At one time, Guy wanted to use 082, but that would be octal.
  * We must not include leading zeros.
  * Versions 0.7 through 1.0.0 were in the range 0 to 100 here (only
  * version 1.0.0 was mis-numbered 100 instead of 10000).  From
  * version 1.0.1 it's    xxyyzz, where x=major, y=minor, z=release */
-#define PNG_LIBPNG_VER 10234 /* 1.2.34 */
+#define PNG_LIBPNG_VER 10235 /* 1.2.35 */
 
 #ifndef PNG_VERSION_INFO_ONLY
 /* include the compression library's header */
 #include "zlib.h"
 #endif
 
 /* include all user configurable info, including optional assembler routines */
 #include "pngconf.h"
@@ -1529,17 +1534,17 @@ struct png_struct_def
   png_charp chunkdata;  /* buffer for reading chunk data */
 
 };
 
 
 /* This triggers a compiler error in png.c, if png.c and png.h
  * do not agree upon the version number.
  */
-typedef png_structp version_1_2_34;
+typedef png_structp version_1_2_35;
 
 typedef png_struct FAR * FAR * png_structpp;
 
 /* Here are the function definitions most commonly used.  This is not
  * the place to find out how to use libpng.  See libpng.txt for the
  * full explanation, see example.c for the summary.  This just provides
  * a simple one line description of the use of each function.
  */
--- a/modules/libimg/png/pngconf.h
+++ b/modules/libimg/png/pngconf.h
@@ -1,14 +1,14 @@
 
 /* pngconf.h - machine configurable file for libpng
  *
- * libpng version 1.2.34 - December 18, 2008
+ * libpng version 1.2.35 - February 14, 2009
  * For conditions of distribution and use, see copyright notice in png.h
- * Copyright (c) 1998-2008 Glenn Randers-Pehrson
+ * Copyright (c) 1998-2009 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  */
 
 /* Any machine specific code is near the front of this file, so if you
  * are configuring libpng for a machine, you may want to read the section
  * starting here down to where it starts to typedef png_color, png_text,
  * and png_info.
@@ -230,16 +230,18 @@
  * #define PNG_NO_CONSOLE_IO
  * #define PNG_NO_STDIO
  */
 
 #if defined(_WIN32_WCE)
 #  include <windows.h>
    /* Console I/O functions are not supported on WindowsCE */
 #  define PNG_NO_CONSOLE_IO
+   /* abort() may not be supported on some/all Windows CE platforms */
+#  define PNG_ABORT() exit(-1)
 #  ifdef PNG_DEBUG
 #    undef PNG_DEBUG
 #  endif
 #endif
 
 #ifdef PNG_BUILD_DLL
 #  ifndef PNG_CONSOLE_IO_SUPPORTED
 #    ifndef PNG_NO_CONSOLE_IO
--- a/modules/libimg/png/pngget.c
+++ b/modules/libimg/png/pngget.c
@@ -1039,17 +1039,17 @@ png_get_mmx_rowbytes_threshold (png_stru
 {
     /* obsolete, to be removed from libpng-1.4.0 */
     return (png_ptr? 0L: 0L);
 }
 #endif /* ?PNG_1_0_X */
 #endif /* ?PNG_ASSEMBLER_CODE_SUPPORTED */
 
 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
-/* these functions were added to libpng 1.2.6 */
+/* These functions were added to libpng 1.2.6 */
 png_uint_32 PNGAPI
 png_get_user_width_max (png_structp png_ptr)
 {
     return (png_ptr? png_ptr->user_width_max : 0);
 }
 png_uint_32 PNGAPI
 png_get_user_height_max (png_structp png_ptr)
 {
--- a/modules/libimg/png/pngread.c
+++ b/modules/libimg/png/pngread.c
@@ -1,14 +1,14 @@
 
 /* pngread.c - read a PNG file
  *
- * Last changed in libpng 1.2.30 [August 13, 2008]
+ * Last changed in libpng 1.2.35 [February 14, 2009]
  * For conditions of distribution and use, see copyright notice in png.h
- * Copyright (c) 1998-2008 Glenn Randers-Pehrson
+ * Copyright (c) 1998-2009 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This file contains routines that an application calls directly to
  * read a PNG file or stream.
  */
 
 #define PNG_INTERNAL
@@ -1572,21 +1572,21 @@ png_read_png(png_structp png_ptr, png_in
 #endif
    if (info_ptr->row_pointers == NULL)
    {
       info_ptr->row_pointers = (png_bytepp)png_malloc(png_ptr,
          info_ptr->height * png_sizeof(png_bytep));
 #ifdef PNG_FREE_ME_SUPPORTED
       info_ptr->free_me |= PNG_FREE_ROWS;
 #endif
+      png_memset(info_ptr->row_pointers, 0, info_ptr->height
+         * png_sizeof(png_bytep));
       for (row = 0; row < (int)info_ptr->height; row++)
-      {
          info_ptr->row_pointers[row] = (png_bytep)png_malloc(png_ptr,
             png_get_rowbytes(png_ptr, info_ptr));
-      }
    }
 
    png_read_image(png_ptr, info_ptr->row_pointers);
    info_ptr->valid |= PNG_INFO_IDAT;
 
    /* read rest of file, and get additional chunks in info_ptr - REQUIRED */
    png_read_end(png_ptr, info_ptr);
 
--- a/modules/libimg/png/pngrtran.c
+++ b/modules/libimg/png/pngrtran.c
@@ -1,14 +1,14 @@
 
 /* pngrtran.c - transforms the data in a row for PNG readers
  *
- * Last changed in libpng 1.2.30 [August 13, 2008]
+ * Last changed in libpng 1.2.35 [February 14, 2009]
  * For conditions of distribution and use, see copyright notice in png.h
- * Copyright (c) 1998-2008 Glenn Randers-Pehrson
+ * Copyright (c) 1998-2009 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This file contains functions optionally called by an application
  * in order to tell libpng how to handle data when reading a PNG.
  * Transformations that are used in both reading and writing are
  * in pngtrans.c.
  */
@@ -304,19 +304,17 @@ png_set_dither(png_structp png_ptr, png_
          for (i = 0; i < num_palette; i++)
          {
             png_ptr->index_to_palette[i] = (png_byte)i;
             png_ptr->palette_to_index[i] = (png_byte)i;
          }
 
          hash = (png_dsortpp)png_malloc(png_ptr, (png_uint_32)(769 *
             png_sizeof(png_dsortp)));
-         for (i = 0; i < 769; i++)
-            hash[i] = NULL;
-/*         png_memset(hash, 0, 769 * png_sizeof(png_dsortp)); */
+         png_memset(hash, 0, 769 * png_sizeof(png_dsortp));
 
          num_new_palette = num_palette;
 
          /* initial wild guess at how far apart the farthest pixel
             pair we will be eliminating will be.  Larger
             numbers mean more areas will be allocated, Smaller
             numbers run the risk of not saving enough data, and
             having to do this all over again.
@@ -679,17 +677,17 @@ png_set_rgb_to_gray_fixed(png_structp pn
       else
       {
          png_warning(png_ptr, "ignoring out of range rgb_to_gray coefficients");
          red_int   =  6968;
          green_int = 23434;
       }
       png_ptr->rgb_to_gray_red_coeff   = red_int;
       png_ptr->rgb_to_gray_green_coeff = green_int;
-      png_ptr->rgb_to_gray_blue_coeff  = 
+      png_ptr->rgb_to_gray_blue_coeff  =
          (png_uint_16)(32768 - red_int - green_int);
    }
 }
 #endif
 
 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) || \
     defined(PNG_WRITE_USER_TRANSFORM_SUPPORTED) || \
     defined(PNG_LEGACY_SUPPORTED)
@@ -1324,17 +1322,17 @@ png_do_read_transformations(png_structp 
 #if defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
    if (png_ptr->transformations & PNG_RGB_TO_GRAY)
    {
       int rgb_error =
          png_do_rgb_to_gray(png_ptr, &(png_ptr->row_info), png_ptr->row_buf + 1);
       if (rgb_error)
       {
          png_ptr->rgb_to_gray_status=1;
-         if ((png_ptr->transformations & PNG_RGB_TO_GRAY) == 
+         if ((png_ptr->transformations & PNG_RGB_TO_GRAY) ==
              PNG_RGB_TO_GRAY_WARN)
             png_warning(png_ptr, "png_do_rgb_to_gray found nongray pixel");
          if ((png_ptr->transformations & PNG_RGB_TO_GRAY) ==
              PNG_RGB_TO_GRAY_ERR)
             png_error(png_ptr, "png_do_rgb_to_gray found nongray pixel");
       }
    }
 #endif
@@ -3831,17 +3829,17 @@ png_do_expand(png_row_infop row_info, pn
             else if (row_info->bit_depth == 16)
             {
                png_byte gray_high = (gray >> 8) & 0xff;
                png_byte gray_low = gray & 0xff;
                sp = row + row_info->rowbytes - 1;
                dp = row + (row_info->rowbytes << 1) - 1;
                for (i = 0; i < row_width; i++)
                {
-                  if (*(sp - 1) == gray_high && *(sp) == gray_low) 
+                  if (*(sp - 1) == gray_high && *(sp) == gray_low)
                   {
                      *dp-- = 0;
                      *dp-- = 0;
                   }
                   else
                   {
                      *dp-- = 0xff;
                      *dp-- = 0xff;
@@ -4128,16 +4126,18 @@ png_build_gamma_table(png_structp png_pt
      png_ptr->gamma_16_table = (png_uint_16pp)png_malloc(png_ptr,
         (png_uint_32)(num * png_sizeof(png_uint_16p)));
 
      if (png_ptr->transformations & (PNG_16_TO_8 | PNG_BACKGROUND))
      {
         double fin, fout;
         png_uint_32 last, max;
 
+        png_memset(png_ptr->gamma_16_table, 0, num * png_sizeof(png_uint_16p)); 
+
         for (i = 0; i < num; i++)
         {
            png_ptr->gamma_16_table[i] = (png_uint_16p)png_malloc(png_ptr,
               (png_uint_32)(256 * png_sizeof(png_uint_16)));
         }
 
         g = 1.0 / g;
         last = 0;
@@ -4183,16 +4183,18 @@ png_build_gamma_table(png_structp png_pt
      if (png_ptr->transformations & (PNG_BACKGROUND | PNG_RGB_TO_GRAY))
      {
 
         g = 1.0 / (png_ptr->gamma);
 
         png_ptr->gamma_16_to_1 = (png_uint_16pp)png_malloc(png_ptr,
            (png_uint_32)(num * png_sizeof(png_uint_16p )));
 
+        png_memset(png_ptr->gamma_16_to_1, 0, num * png_sizeof(png_uint_16p)); 
+
         for (i = 0; i < num; i++)
         {
            png_ptr->gamma_16_to_1[i] = (png_uint_16p)png_malloc(png_ptr,
               (png_uint_32)(256 * png_sizeof(png_uint_16)));
 
            ig = (((png_uint_32)i *
               (png_uint_32)png_gamma_shift[shift]) >> 4);
            for (j = 0; j < 256; j++)
@@ -4206,16 +4208,19 @@ png_build_gamma_table(png_structp png_pt
         if (png_ptr->screen_gamma > 0.000001)
            g = 1.0 / png_ptr->screen_gamma;
         else
            g = png_ptr->gamma;   /* probably doing rgb_to_gray */
 
         png_ptr->gamma_16_from_1 = (png_uint_16pp)png_malloc(png_ptr,
            (png_uint_32)(num * png_sizeof(png_uint_16p)));
 
+        png_memset(png_ptr->gamma_16_from_1, 0,
+           num * png_sizeof(png_uint_16p)); 
+
         for (i = 0; i < num; i++)
         {
            png_ptr->gamma_16_from_1[i] = (png_uint_16p)png_malloc(png_ptr,
               (png_uint_32)(256 * png_sizeof(png_uint_16)));
 
            ig = (((png_uint_32)i *
               (png_uint_32)png_gamma_shift[shift]) >> 4);
            for (j = 0; j < 256; j++)
--- a/modules/libimg/png/pngrutil.c
+++ b/modules/libimg/png/pngrutil.c
@@ -1118,16 +1118,17 @@ png_handle_sPLT(png_structp png_ptr, png
    png_sPLT_entryp pp;
 #endif
    int data_length, entry_size, i;
    png_uint_32 skip = 0;
    png_size_t slength;
 
    png_debug(1, "in png_handle_sPLT");
 
+
    if (!(png_ptr->mode & PNG_HAVE_IHDR))
       png_error(png_ptr, "Missing IHDR before sPLT");
    else if (png_ptr->mode & PNG_HAVE_IDAT)
    {
       png_warning(png_ptr, "Invalid sPLT after IDAT");
       png_crc_finish(png_ptr, length);
       return;
    }
@@ -1904,32 +1905,34 @@ png_handle_tEXt(png_structp png_ptr, png
    png_charp key;
    png_charp text;
    png_uint_32 skip = 0;
    png_size_t slength;
    int ret;
 
    png_debug(1, "in png_handle_tEXt");
 
+
    if (!(png_ptr->mode & PNG_HAVE_IHDR))
       png_error(png_ptr, "Missing IHDR before tEXt");
 
    if (png_ptr->mode & PNG_HAVE_IDAT)
       png_ptr->mode |= PNG_AFTER_IDAT;
 
 #ifdef PNG_MAX_MALLOC_64K
    if (length > (png_uint_32)65535L)
    {
       png_warning(png_ptr, "tEXt chunk too large to fit in memory");
       skip = length - (png_uint_32)65535L;
       length = (png_uint_32)65535L;
    }
 #endif
 
    png_free(png_ptr, png_ptr->chunkdata);
+
    png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
    if (png_ptr->chunkdata == NULL)
    {
      png_warning(png_ptr, "No memory to process text chunk.");
      return;
    }
    slength = (png_size_t)length;
    png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength);
@@ -1937,16 +1940,17 @@ png_handle_tEXt(png_structp png_ptr, png
    if (png_crc_finish(png_ptr, skip))
    {
       png_free(png_ptr, png_ptr->chunkdata);
       png_ptr->chunkdata = NULL;
       return;
    }
 
    key = png_ptr->chunkdata;
+
    key[slength] = 0x00;
 
    for (text = key; *text; text++)
       /* empty loop to find end of key */ ;
 
    if (text != key + slength)
       text++;
 
@@ -1986,16 +1990,18 @@ png_handle_zTXt(png_structp png_ptr, png
 {
    png_textp text_ptr;
    png_charp text;
    int comp_type;
    int ret;
    png_size_t slength, prefix_len, data_len;
 
    png_debug(1, "in png_handle_zTXt");
+
+
    if (!(png_ptr->mode & PNG_HAVE_IHDR))
       png_error(png_ptr, "Missing IHDR before zTXt");
 
    if (png_ptr->mode & PNG_HAVE_IDAT)
       png_ptr->mode |= PNG_AFTER_IDAT;
 
 #ifdef PNG_MAX_MALLOC_64K
    /* We will no doubt have problems with chunks even half this size, but
@@ -2090,16 +2096,17 @@ png_handle_iTXt(png_structp png_ptr, png
    png_charp key, lang, text, lang_key;
    int comp_flag;
    int comp_type = 0;
    int ret;
    png_size_t slength, prefix_len, data_len;
 
    png_debug(1, "in png_handle_iTXt");
 
+
    if (!(png_ptr->mode & PNG_HAVE_IHDR))
       png_error(png_ptr, "Missing IHDR before iTXt");
 
    if (png_ptr->mode & PNG_HAVE_IDAT)
       png_ptr->mode |= PNG_AFTER_IDAT;
 
 #ifdef PNG_MAX_MALLOC_64K
    /* We will no doubt have problems with chunks even half this size, but
@@ -2378,16 +2385,17 @@ png_ensure_sequence_number(png_structp p
    case it will be saved away to be written out later. */
 void /* PRIVATE */
 png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
 {
    png_uint_32 skip = 0;
 
    png_debug(1, "in png_handle_unknown");
 
+
    if (png_ptr->mode & PNG_HAVE_IDAT)
    {
 #ifdef PNG_USE_LOCAL_ARRAYS
       PNG_CONST PNG_IDAT;
 #endif
       if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4))  /* not an IDAT */
          png_ptr->mode |= PNG_AFTER_IDAT;
    }
@@ -3366,19 +3374,19 @@ defined(PNG_USER_TRANSFORM_PTR_SUPPORTED
      png_ptr->old_prev_row_size = png_ptr->rowbytes+1;
    }
 
    png_memset_check(png_ptr, png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
 
    png_debug1(3, "width = %lu,", png_ptr->width);
    png_debug1(3, "height = %lu,", png_ptr->height);
    png_debug1(3, "iwidth = %lu,", png_ptr->iwidth);
-   png_debug1(3, "num_rows = %lu", png_ptr->num_rows);
+   png_debug1(3, "num_rows = %lu,", png_ptr->num_rows);
    png_debug1(3, "rowbytes = %lu,", png_ptr->rowbytes);
-   png_debug1(3, "irowbytes = %lu,", png_ptr->irowbytes);
+   png_debug1(3, "irowbytes = %lu", png_ptr->irowbytes);
 
    png_ptr->flags |= PNG_FLAG_ROW_INIT;
 }
 
 #if defined(PNG_READ_APNG_SUPPORTED)
 /* This function is to be called after the main IDAT set has been read and
  * before a new IDAT is read. It resets some parts of png_ptr
  * to make them usable by the read functions again */
--- a/modules/libimg/png/pngset.c
+++ b/modules/libimg/png/pngset.c
@@ -1,14 +1,14 @@
 
 /* pngset.c - storage of image information into info struct
  *
- * Last changed in libpng 1.2.34 [December 18, 2008]
+ * Last changed in libpng 1.2.35 [February 14, 2009]
  * For conditions of distribution and use, see copyright notice in png.h
- * Copyright (c) 1998-2008 Glenn Randers-Pehrson
+ * Copyright (c) 1998-2009 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * The functions here are used during reads to store data from the file
  * into the info struct, and during writes to store application data
  * into the info struct for writing into the file.  This abstracts the
  * info struct and allows us to change the structure in the future.
  */
@@ -56,17 +56,18 @@ png_set_cHRM(png_structp png_ptr, png_in
    info_ptr->int_y_red   = (png_fixed_point)(  red_y*100000.+0.5);
    info_ptr->int_x_green = (png_fixed_point)(green_x*100000.+0.5);
    info_ptr->int_y_green = (png_fixed_point)(green_y*100000.+0.5);
    info_ptr->int_x_blue  = (png_fixed_point)( blue_x*100000.+0.5);
    info_ptr->int_y_blue  = (png_fixed_point)( blue_y*100000.+0.5);
 #endif
    info_ptr->valid |= PNG_INFO_cHRM;
 }
-#endif
+#endif /* PNG_FLOATING_POINT_SUPPORTED */
+
 #ifdef PNG_FIXED_POINT_SUPPORTED
 void PNGAPI
 png_set_cHRM_fixed(png_structp png_ptr, png_infop info_ptr,
    png_fixed_point white_x, png_fixed_point white_y, png_fixed_point red_x,
    png_fixed_point red_y, png_fixed_point green_x, png_fixed_point green_y,
    png_fixed_point blue_x, png_fixed_point blue_y)
 {
    png_debug1(1, "in %s storage function", "cHRM fixed");
@@ -382,36 +383,37 @@ png_set_pCAL(png_structp png_ptr, png_in
    info_ptr->pcal_params = (png_charpp)png_malloc_warn(png_ptr,
       (png_uint_32)((nparams + 1) * png_sizeof(png_charp)));
    if (info_ptr->pcal_params == NULL)
    {
        png_warning(png_ptr, "Insufficient memory for pCAL params.");
       return;
    }
 
-   info_ptr->pcal_params[nparams] = NULL;
+#ifdef PNG_FREE_ME_SUPPORTED
+   info_ptr->free_me |= PNG_FREE_PCAL;
+#endif
+
+   png_memset(info_ptr->pcal_params, 0, (nparams + 1) * png_sizeof(png_charp));
 
    for (i = 0; i < nparams; i++)
    {
       length = png_strlen(params[i]) + 1;
       png_debug2(3, "allocating parameter %d for info (%lu bytes)", i,
         (unsigned long)length);
       info_ptr->pcal_params[i] = (png_charp)png_malloc_warn(png_ptr, length);
       if (info_ptr->pcal_params[i] == NULL)
       {
           png_warning(png_ptr, "Insufficient memory for pCAL parameter.");
           return;
       }
       png_memcpy(info_ptr->pcal_params[i], params[i], (png_size_t)length);
    }
 
    info_ptr->valid |= PNG_INFO_pCAL;
-#ifdef PNG_FREE_ME_SUPPORTED
-   info_ptr->free_me |= PNG_FREE_PCAL;
-#endif
 }
 #endif
 
 #if defined(PNG_READ_sCAL_SUPPORTED) || defined(PNG_WRITE_sCAL_SUPPORTED)
 #ifdef PNG_FLOATING_POINT_SUPPORTED
 void PNGAPI
 png_set_sCAL(png_structp png_ptr, png_infop info_ptr,
              int unit, double width, double height)
@@ -635,17 +637,17 @@ png_set_sRGB_gAMA_and_cHRM(png_structp p
 #endif
 #ifdef PNG_FLOATING_POINT_SUPPORTED
       png_set_cHRM(png_ptr, info_ptr,
          white_x, white_y, red_x, red_y, green_x, green_y, blue_x, blue_y);
 #endif
    }
 #endif /* cHRM */
 }
-#endif
+#endif /* sRGB */
 
 
 #if defined(PNG_iCCP_SUPPORTED)
 void PNGAPI
 png_set_iCCP(png_structp png_ptr, png_infop info_ptr,
              png_charp name, int compression_type,
              png_charp profile, png_uint_32 proflen)
 {
@@ -959,16 +961,17 @@ png_set_sPLT(png_structp png_ptr,
     if (np == NULL)
     {
       png_warning(png_ptr, "No memory for sPLT palettes.");
       return;
     }
 
     png_memcpy(np, info_ptr->splt_palettes,
            info_ptr->splt_palettes_num * png_sizeof(png_sPLT_t));
+
     png_free(png_ptr, info_ptr->splt_palettes);
     info_ptr->splt_palettes=NULL;
 
     for (i = 0; i < nentries; i++)
     {
         png_sPLT_tp to = np + info_ptr->splt_palettes_num + i;
         png_sPLT_tp from = entries + i;
         png_uint_32 length;
--- a/modules/libimg/png/pngwio.c
+++ b/modules/libimg/png/pngwio.c
@@ -1,14 +1,14 @@
 
 /* pngwio.c - functions for data output
  *
- * Last changed in libpng 1.2.30 [August 13, 2008]
+ * Last changed in libpng 1.2.35 [February 14, 2009]
  * For conditions of distribution and use, see copyright notice in png.h
- * Copyright (c) 1998-2008 Glenn Randers-Pehrson
+ * Copyright (c) 1998-2009 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
  * This file provides a location for all output.  Users who need
  * special handling are expected to write functions that have the same
  * arguments as these and perform similar functions, but that possibly
  * use different output methods.  Note that you shouldn't change these
  * functions, but rather write replacement functions and then change
@@ -132,17 +132,17 @@ void PNGAPI
 png_default_flush(png_structp png_ptr)
 {
 #if !defined(_WIN32_WCE)
    png_FILE_p io_ptr;
 #endif
    if (png_ptr == NULL) return;
 #if !defined(_WIN32_WCE)
    io_ptr = (png_FILE_p)CVT_PTR((png_ptr->io_ptr));
-   if (io_ptr != NULL)
+   if (io_ptr != NULL && fileno(io_ptr) != -1)
       fflush(io_ptr);
 #endif
 }
 #endif
 #endif
 
 /* This function allows the application to supply new output functions for
    libpng if standard C streams aren't being used.
--- a/modules/libimg/png/pngwrite.c
+++ b/modules/libimg/png/pngwrite.c
@@ -1,12 +1,12 @@
 
 /* pngwrite.c - general routines to write a PNG file
  *
- * Last changed in libpng 1.2.31 [August 19, 2008]
+ * Last changed in libpng 1.2.34 [December 18, 2008]
  * For conditions of distribution and use, see copyright notice in png.h
  * Copyright (c) 1998-2008 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  */
 
 /* get internal access to png.h */
 #define PNG_INTERNAL