libpng 1.6.57 - April 8, 2026
=============================

This is a public release of libpng, intended for use in production code.


Files available for download
----------------------------

Source files:

 * libpng-1.6.57.tar.xz (LZMA-compressed, recommended)
 * libpng-1.6.57.tar.gz (deflate-compressed)
 * lpng1657.7z (LZMA-compressed)
 * lpng1657.zip (deflate-compressed)

Other information:

 * README.md
 * LICENSE.md
 * AUTHORS.md
 * TRADEMARK.md


Changes from version 1.6.56 to version 1.6.57
---------------------------------------------

 * Fixed CVE-2026-34757 (medium severity):
   Use-after-free in `png_set_PLTE`, `png_set_tRNS` and `png_set_hIST`
   leading to corrupted chunk data and potential heap information disclosure.
   Also hardened the append-style setters (`png_set_text`, `png_set_sPLT`,
   `png_set_unknown_chunks`) against a theoretical variant of the same
   aliasing pattern.
   (Reported by Iv4n <Iv4n550@users.noreply.github.com>.)
 * Fixed integer overflow in rowbytes computation in read transforms.
   (Contributed by Mohammad Seet.)


Send comments/corrections/commendations to png-mng-implement at lists.sf.net.
Subscription is required; visit
<https://lists.sourceforge.net/lists/listinfo/png-mng-implement>
to subscribe.
