ANNOUNCE - third_party/libpng - Git at Google

 libpng 1.6.52.git
 =================

 This is a development version, not intended to be a public release.
 It will be replaced by a public release, or by another development
 version, at a later time.


 libpng 1.6.51 - November 21, 2025
 =================================

 This is a public release of libpng, intended for use in production code.


 Files available for download
 ----------------------------

 Source files with LF line endings (for Unix/Linux):

  * libpng-1.6.51.tar.xz (LZMA-compressed, recommended)
  * libpng-1.6.51.tar.gz (deflate-compressed)

 Source files with CRLF line endings (for Windows):

  * lpng1651.7z (LZMA-compressed, recommended)
  * lpng1651.zip (deflate-compressed)

 Other information:

  * README.md
  * LICENSE.md
  * AUTHORS.md
  * TRADEMARK.md


 Changes from version 1.6.50 to version 1.6.51
 ---------------------------------------------

  * Fixed CVE-2025-64505 (moderate severity):
    Heap buffer overflow in `png_do_quantize` via malformed palette index.
    (Reported by Samsung; analyzed by Fabio Gritti.)
  * Fixed CVE-2025-64506 (moderate severity):
    Heap buffer over-read in `png_write_image_8bit` with 8-bit input and
    `convert_to_8bit` enabled.
    (Reported by Samsung and <weijinjinnihao@users.noreply.github.com>;
    analyzed by Fabio Gritti.)
  * Fixed CVE-2025-64720 (high severity):
    Buffer overflow in `png_image_read_composite` via incorrect palette
    premultiplication.
    (Reported by Samsung; analyzed by John Bowler.)
  * Fixed CVE-2025-65018 (high severity):
    Heap buffer overflow in `png_combine_row` triggered via
    `png_image_finish_read`.
    (Reported by <yosiimich@users.noreply.github.com>.)
  * Fixed a memory leak in `png_set_quantize`.
    (Reported by Samsung; analyzed by Fabio Gritti.)
  * Removed the experimental and incomplete ERROR_NUMBERS code.
    (Contributed by Tobias Stoeckmann.)
  * Improved the RISC-V vector extension support; required RVV 1.0 or newer.
    (Contributed by Filip Wasil.)
  * Added GitHub Actions workflows for automated testing.
  * Performed various refactorings and cleanups.


 Send comments/corrections/commendations to png-mng-implement at lists.sf.net.
 Subscription is required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
 to subscribe.
	libpng 1.6.52.git
	=================

	This is a development version, not intended to be a public release.
	It will be replaced by a public release, or by another development
	version, at a later time.


	libpng 1.6.51 - November 21, 2025
	=================================

	This is a public release of libpng, intended for use in production code.


	Files available for download
	----------------------------

	Source files with LF line endings (for Unix/Linux):

	* libpng-1.6.51.tar.xz (LZMA-compressed, recommended)
	* libpng-1.6.51.tar.gz (deflate-compressed)

	Source files with CRLF line endings (for Windows):

	* lpng1651.7z (LZMA-compressed, recommended)
	* lpng1651.zip (deflate-compressed)

	Other information:

	* README.md
	* LICENSE.md
	* AUTHORS.md
	* TRADEMARK.md


	Changes from version 1.6.50 to version 1.6.51
	---------------------------------------------

	* Fixed CVE-2025-64505 (moderate severity):
	Heap buffer overflow in `png_do_quantize` via malformed palette index.
	(Reported by Samsung; analyzed by Fabio Gritti.)
	* Fixed CVE-2025-64506 (moderate severity):
	Heap buffer over-read in `png_write_image_8bit` with 8-bit input and
	`convert_to_8bit` enabled.
	(Reported by Samsung and <weijinjinnihao@users.noreply.github.com>;
	analyzed by Fabio Gritti.)
	* Fixed CVE-2025-64720 (high severity):
	Buffer overflow in `png_image_read_composite` via incorrect palette
	premultiplication.
	(Reported by Samsung; analyzed by John Bowler.)
	* Fixed CVE-2025-65018 (high severity):
	Heap buffer overflow in `png_combine_row` triggered via
	`png_image_finish_read`.
	(Reported by <yosiimich@users.noreply.github.com>.)
	* Fixed a memory leak in `png_set_quantize`.
	(Reported by Samsung; analyzed by Fabio Gritti.)
	* Removed the experimental and incomplete ERROR_NUMBERS code.
	(Contributed by Tobias Stoeckmann.)
	* Improved the RISC-V vector extension support; required RVV 1.0 or newer.
	(Contributed by Filip Wasil.)
	* Added GitHub Actions workflows for automated testing.
	* Performed various refactorings and cleanups.


	Send comments/corrections/commendations to png-mng-implement at lists.sf.net.
	Subscription is required; visit
	https://lists.sourceforge.net/lists/listinfo/png-mng-implement
	to subscribe.