[OpenJDK 2D-Dev] Use of obsolete png_check_sig function in splashscreen_png.c

Andrew John Hughes ahughes at redhat.com
Mon Jun 7 18:05:18 UTC 2010 

On 24 May 2010 19:07, Andrew John Hughes <ahughes at redhat.com> wrote:
> On 09:42 Thu 20 May     , Phil Race wrote:
>>  From http://www.libpng.org/pub/png/libpng.html
>>
>>  >The current public release, *libpng 1.4.2*, restores the 1.2.x
>> png_check_sig() macro ...
>>
>> I suppose removing it caused too many problems.
>>
>
> Ah, that explains why I couldn't replicate the failure recently and
> it was still in the local header file I checked.
> It's not exactly prominent on that page and the differences document
> still lists it as obsolete.
>
> I'd be interested to know why they reverted the decision.
>
>> So whilst I see nothing wrong with this change, I wonder if its worth
>> the trouble ?
>
> Well, it's no great trouble for me to push it given I've already made
> the (very minor) change.  And if it isn't changed in OpenJDK upstream,
> I imagine the change will still have to stay around for a while in
> IcedTea to cover the 1.4.0 and 1.4.1 releases that do remove the
> macro (given we build against the system library, rather than the
> in-tree one).
>
>>
>> If you still want to push I'll supply a bug id.
>>
>
> Thanks, that'd be good.
>
>> 2 other things
>> 1) Not that it  matters (just FYI) but splashscreen is considered to be
>> AWT not 2D,
>> even though libpng itself is 2D. Relevant only because the bug would be
>> classes_awt,
>> not classes_2d.
>
> I always seem to get this wrong; the last two patches I sent to the
> awt list and was told to send here.  Is there a guide to who has
> responsibility for what?  It's certainly not clear from the
> openjdk.java.net pages, which indeed still list OpenJDK as having
> encumberances in the area of 2D; that hasn't been the case for a
> couple of years.
>
>> 2) Maybe we are due to upgrade the libpng in JDK ? We upgraded it
>> last in May  2007 right before launching openjdk, then to 1.2.18
>> Was there ever a 1.3.X ?? Looks like that got skipped for some reason.
>> Doesn't seem urgent but it might be a good thing to add to the to-do list.
>>
>
> I've never seen a 1.3.  Maybe they use the odd numbers as a development branch
> as is the case with Gtk+ and used to be the case with Linux prior to 2.6.
>
> In 1.4, the main changes are apparently 'support for the iTXt chunk
> and a function for limiting the amount of memory that a possibly
> malicious compressed chunk can consume.'  The former is only really
> needed if files with iTXt chunks become prominent in the wild (which
> seems unlikely until 1.4 is widespread).  The other change sounds like
> it could be more important.
>
> >From our side, I think it would be more useful to see in-tree support
> for building against the system libpng as we never use the in-tree
> version anyway.  Using the system version means we are better covered
> for security updates and new versions of libpng don't first need to be
> imported into the OpenJDK tree.
>
>> -phil.
>>
>> Andrew John Hughes wrote:
>> > With libpng 1.4, the png_check_sig function has been removed, having
>> > been deprecated in previous releases:
>> >
>> > http://www.libpng.org/pub/png/src/libpng-1.2.x-to-1.4.x-summary.txt
>> >
>> > This function is used in splashscreen_png.c and can be easily be
>> > replaced with png_sig_cmp, as in this webrev:
>> >
>> > http://cr.openjdk.java.net/~andrew/libpng/webrev.01/
>> >
>> > This actually makes the line clearer as the not operator is no longer needed.
>> > I know OpenJDK still uses an in-tree libpng 1.2 by default, but this
>> > fix still works with that version and also means that the code will
>> > still build, should the internal libpng be upgraded to 1.4.
>> >
>> > Ok to push this?  If so, can I have a bug ID for it?
>> >
>> > Thanks,
>> >
>>
>
> --
> Andrew :)
>
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> Support Free Java!
> Contribute to GNU Classpath and the OpenJDK
> http://www.gnu.org/software/classpath
> http://openjdk.java.net
> PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
> Fingerprint = F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8
>

So can I have a bug ID for this?

Thanks,
-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8

More information about the 2d-dev mailing list