[OpenJDK 2D-Dev] Use of obsolete png_check_sig function in splashscreen_png.c

Andrew John Hughes ahughes at redhat.com
Mon May 24 18:07:07 UTC 2010

On 09:42 Thu 20 May, Phil Race wrote:
>  From http://www.libpng.org/pub/png/libpng.html
>  >The current public release, *libpng 1.4.2*, restores the 1.2.x 
> png_check_sig() macro ...
> I suppose removing it caused too many problems.

Ah, that explains why I couldn't replicate the failure recently and
it was still in the local header file I checked.
It's not exactly prominent on that page and the differences document
still lists it as obsolete.

I'd be interested to know why they reverted the decision.

> So whilst I see nothing wrong with this change, I wonder if it's worth 
> the trouble ?

Well, it's no great trouble for me to push it given I've already made
the (very minor) change.  And if it isn't changed in OpenJDK upstream,
I imagine the change will still have to stay around for a while in
IcedTea to cover the 1.4.0 and 1.4.1 releases that do remove the
macro (given we build against the system library, rather than the
in-tree one).

> If you still want to push I'll supply a bug id.

Thanks, that'd be good.

> 2 other things
> 1) Not that it matters (just FYI) but splashscreen is considered to be 
> AWT not 2D,
> even though libpng itself is 2D. Relevant only because the bug would be 
> classes_awt,
> not classes_2d.

I always seem to get this wrong; the last two patches I sent to the
awt list and was told to send here.  Is there a guide to who has
responsibility for what?  It's certainly not clear from the
openjdk.java.net pages, which indeed still list OpenJDK as having
encumbrances in the area of 2D; that hasn't been the case for a
couple of years.

> 2) Maybe we are due to upgrade the libpng in JDK ? We upgraded it
> last in May 2007 right before launching openjdk, then to 1.2.18
> Was there ever a 1.3.X ?? Looks like that got skipped for some reason.
> Doesn't seem urgent but it might be a good thing to add to the to-do list.

I've never seen a 1.3.  Maybe they use the odd numbers as a development branch
as is the case with Gtk+ and used to be the case with Linux prior to 2.6.

In 1.4, the main changes are apparently 'support for the iTXt chunk
and a function for limiting the amount of memory that a possibly
malicious compressed chunk can consume.'  The former is only really
needed if files with iTXt chunks become prominent in the wild (which
seems unlikely until 1.4 is widespread).  The other change sounds like
it could be more important.

From our side, I think it would be more useful to see in-tree support
for building against the system libpng as we never use the in-tree
version anyway.  Using the system version means we are better covered
for security updates and new versions of libpng don't first need to be
imported into the OpenJDK tree.

> -phil.
> Andrew John Hughes wrote:
> > With libpng 1.4, the png_check_sig function has been removed, having
> > been deprecated in previous releases:
> >
> > http://www.libpng.org/pub/png/src/libpng-1.2.x-to-1.4.x-summary.txt
> >
> > This function is used in splashscreen_png.c and can easily be
> > replaced with png_sig_cmp, as in this webrev:
> >
> > http://cr.openjdk.java.net/~andrew/libpng/webrev.01/
> >
> > This actually makes the line clearer as the not operator is no longer needed.
> > I know OpenJDK still uses an in-tree libpng 1.2 by default, but this
> > fix still works with that version and also means that the code will
> > still build, should the internal libpng be upgraded to 1.4.
> >
> > Ok to push this?  If so, can I have a bug ID for it?
> >
> > Thanks,
> >   

Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint = F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8
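
The replacement discussed in this thread, as an added example that is not part of the original message and is not OpenJDK or libpng code: it shows that the two calls have opposite return senses, so the "not" operator goes away when png_sig_cmp replaces png_check_sig. demo_sig_cmp, demo_check_sig, looks_like_png and the sample buffers are hypothetical stand-ins modelled on the documented behaviour of the libpng calls, so the block builds without libpng.

```c
#include <stddef.h>
#include <string.h>

/* The fixed 8-byte PNG file signature. */
static const unsigned char PNG_SIG[8] = {137, 80, 78, 71, 13, 10, 26, 10};

/* Constructed sample inputs: a valid PNG signature and a JPEG-style header. */
const unsigned char SAMPLE_PNG[8]  = {137, 80, 78, 71, 13, 10, 26, 10};
const unsigned char SAMPLE_JPEG[8] = {0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F'};

/* Stand-in for png_sig_cmp(sig, start, num_to_check) (assumption: same
 * contract, hypothetical name): 0 when the checked bytes match the
 * signature, non-zero otherwise, like memcmp. */
int demo_sig_cmp(const unsigned char *sig, size_t start, size_t n)
{
    if (n > 8)
        n = 8;
    else if (n < 1)
        return -1;
    if (start > 7)
        return -1;
    if (start + n > 8)
        n = 8 - start;
    return memcmp(sig + start, PNG_SIG + start, n);
}

/* Stand-in for the obsolete png_check_sig(sig, num): non-zero on a match,
 * i.e. the logical negation of the comparison above. */
int demo_check_sig(const unsigned char *sig, int num)
{
    return !demo_sig_cmp(sig, 0, (size_t)num);
}

/* Caller-side check in the new style. The old style was
 * "if (!check_sig(buf, 8)) reject"; the new one is "if (sig_cmp(buf, 0, 8))
 * reject". Copying the '!' across would accept every non-PNG input.
 * Short reads are rejected before any comparison. */
int looks_like_png(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len < 8)
        return 0;               /* not enough bytes to decide */
    if (demo_sig_cmp(buf, 0, 8))
        return 0;               /* non-zero means mismatch */
    return 1;
}
```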
