Source code
Revision control
Copy as Markdown
Other Tools
libpng 1.6.56 - March 25, 2026
==============================
This is a public release of libpng, intended for use in production code.
Files available for download
----------------------------
Source files:
* libpng-1.6.56.tar.xz (LZMA-compressed, recommended)
* libpng-1.6.56.tar.gz (deflate-compressed)
* lpng1656.7z (LZMA-compressed)
* lpng1656.zip (deflate-compressed)
Other information:
* README.md
* LICENSE.md
* AUTHORS.md
* TRADEMARK.md
Changes from version 1.6.55 to version 1.6.56
---------------------------------------------
* Fixed CVE-2026-33416 (high severity):
Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`.
(Reported by Halil Oktay and Ryo Shimada;
fixed by Halil Oktay and Cosmin Truta.)
* Fixed CVE-2026-33636 (high severity):
Out-of-bounds read/write in the palette expansion on ARM Neon.
(Reported by Taegu Ha; fixed by Taegu Ha and Cosmin Truta.)
* Fixed uninitialized reads beyond `num_trans` in `trans_alpha` buffers.
(Contributed by Halil Oktay.)
* Fixed stale `info_ptr->palette` after in-place gamma and background
transforms.
* Fixed wrong channel indices in `png_image_read_and_map` RGB_ALPHA path.
(Contributed by Yuelin Wang.)
* Fixed wrong background color in colormap read.
(Contributed by Yuelin Wang.)
* Fixed dead loop in sPLT write.
(Contributed by Yuelin Wang.)
* Added missing null pointer checks in four public API functions.
(Contributed by Yuelin Wang.)
* Validated shift bit depths in `png_set_shift` to prevent infinite loop.
(Contributed by Yuelin Wang.)
* Avoided undefined behavior in library and tests.
* Deprecated the hardly-ever-tested POINTER_INDEXING config option.
* Added negative-stride test coverage for the simplified API.
* Fixed memory leaks and API misuse in oss-fuzz.
(Contributed by Owen Sanzas.)
* Implemented various fixes and improvements in oss-fuzz.
(Contributed by Bob Friesenhahn and Philippe Antoine.)
* Performed various refactorings and cleanups.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net.
Subscription is required; visit
to subscribe.