Description of the patch:
This update for libpng15 fixes the following issues
Security issues:
- CVE-2025-64720: buffer overflow in
png_image_read_composite via incorrect palette premultiplication (bsc#1254159).
Non security issue:
- version update to 1.5.30 (jsc#PED-16191).
Changes for libpng15:
- Replaced 'unexpected' with an integer in pngset.c where a long was
expected, to avoid a compiler warning when PNG_DEBUG > 1.
- Fix typecast in a png_debug2() statement in png_set_text_2() to
avoid a compiler warning in PNG_DEBUG builds.
- Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c PNG_DEBUG builds.
- Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug
report from Christopher Ferris).
- Removed WRITE_WEIGHTED_FILTERED code, to save a few kbytes of the
compiled library size. It never worked properly and as far as we can
tell, no one uses it. The png_set_filter_heuristics() and
png_set_filter_heuristics_fixed() APIs are retained but deprecated
and do nothing.
- Avoid potentially dereferencing NULL info_ptr in png_info_init_3().
Eliminated unused PNG_COST_SHIFT, PNG_WEIGHT_SHIFT, PNG_COST_FACTOR, and
PNG_WEIGHT_FACTOR macros.
- Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
- Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
- Fixed some bad links in the man page.
- Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
Seacord).
- Fixed the recently reported 1's complement security issue by replacing
the value that is illegal in the PNG spec, in both signed and unsigned
values, with 0. Illegal unsigned values (anything greater than or equal
to 0x80000000) can still pass through, but since these are not illegal
in ANSI-C (unlike 0x80000000 in the signed case) the checking that
occurs later can catch them (John Bowler).
- Fixed png_save_int_32 when int is not 2's complement (John Bowler).
- Fixed byte order in png_do_read_filler() with 16-bit input (previously
fixed in...