

LodePNG: All-in-one PNG image decoder and encoder for C and C++ - evandrix
http://lodev.org/lodepng

======
f-
Please be _very_ careful when using less popular C/C++ image parsing libraries
on anything that is user-controlled or that comes from the Internet.

Image, multimedia, and archive parsing are notoriously prone to security bugs.
In fact, so are most other types of complex parsing. There are months of
researcher work and decades of CPU time that went into auditing and fuzzing
libraries such as libpng or libjpeg-turbo, identifying and fixing lots of
vulnerabilities. The same isn't true for libraries with much smaller
following, especially if their documentation doesn't contain any discussion of
security risks and countermeasures taken.

~~~
clarry
And a quick glance shows that the code isn't written in a terribly obvious and
defensive manner. For example, just by skimming you can spot loads and loads
of unchecked arithmetic. How can you know none of that can be exploited? The
code doesn't do a lot to assure you of that.
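As an added illustration of the "unchecked arithmetic" concern (this is not code from the thread, from LodePNG, or from any library named here): sizing a decoded pixel buffer from untrusted header fields, first unchecked and then with every multiplication checked. The function names and the 256 MiB cap are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed policy cap for this example: refuse images that decode to > 256 MiB. */
#define MAX_DECODED_BYTES ((size_t)256 * 1024 * 1024)

/* Store a*b in *out; return 0 on success, -1 if the product would wrap. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Unchecked form: in 32-bit arithmetic 65536 * 65536 * 4 silently wraps to 0. */
uint32_t unchecked_size(uint32_t w, uint32_t h, uint32_t bytes_per_pixel)
{
    return w * h * bytes_per_pixel;
}

/*
 * Checked form: byte size of a decoded image from untrusted header fields.
 * Returns 0 and stores the size in *out, or -1 if a field is invalid,
 * a product would overflow, or the result exceeds the policy cap.
 */
int decoded_size(uint32_t width, uint32_t height,
                 unsigned channels, unsigned bit_depth, size_t *out)
{
    size_t row_bits, row_bytes, total;

    if (width == 0 || height == 0 || channels == 0 || channels > 4)
        return -1;
    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
        bit_depth != 8 && bit_depth != 16)
        return -1;

    /* bits per row = width * (channels * bit_depth); channels * bit_depth <= 64 */
    if (mul_size(width, (size_t)channels * bit_depth, &row_bits) != 0)
        return -1;
    row_bytes = row_bits / 8 + (row_bits % 8 != 0);  /* round up, no overflow */

    if (mul_size(row_bytes, height, &total) != 0)
        return -1;
    if (total > MAX_DECODED_BYTES)
        return -1;

    *out = total;
    return 0;
}
```

A caller allocates only after `decoded_size` returns 0, so a header that claims huge dimensions is rejected before any buffer is sized from it.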

------
akx
I'm reminded of stb_image...
[https://github.com/nothings/stb/blob/master/stb_image.h](https://github.com/nothings/stb/blob/master/stb_image.h)

~~~
jheriko
+1 for stb_image

it's a very good cross-platform bit of code. even though it has some annoying
compiler warnings, i've managed to get this to work just fine on Windows, Mac,
Linux (ubuntu, CentOS, RHEL at least...), Android (even the obscure mips
configs), iOS, Windows Phone 8, Windows 8 Store and other platforms that must
remain nameless.

------
rblstr
Well this is a little strange to link. I've been using this small library for
years, last update was 2005. Hardly 'news'

~~~
ajitk
The linked homepage states that the latest update was in 2012: "Revamped
interface with more consistent names, rewrote some parts, bugfixes.".

~~~
ToastyMallows
Now it says "2014: Moved the code to GitHub"

------
mmozeiko
Small image libraries are fun!

jpeg writing & loading:
[https://code.google.com/p/jpeg-compressor/](https://code.google.com/p/jpeg-compressor/)

jpeg loading:
[https://code.google.com/p/picojpeg/](https://code.google.com/p/picojpeg/)

jpeg loading:
[https://code.google.com/p/jpgd/](https://code.google.com/p/jpgd/)

OpenEXR writing:
[https://github.com/aras-p/miniexr/blob/master/miniexr.cpp](https://github.com/aras-p/miniexr/blob/master/miniexr.cpp)

PNG writing (and zlib + ZIP file handling):
[https://code.google.com/p/miniz/](https://code.google.com/p/miniz/)

The newest version of miniz reads and writes zip64 archives and is part of the
vogl project:
[https://github.com/ValveSoftware/vogl/tree/master/src/voglco...](https://github.com/ValveSoftware/vogl/tree/master/src/voglcore)

And of course the already mentioned stb_image:
[https://github.com/nothings/stb/blob/master/stb_image.h](https://github.com/nothings/stb/blob/master/stb_image.h)

------
geocar
I wrote a png writer[1] a few years ago with no dependencies that adds about
3k to the resulting binary.

It doesn't deflate, but it's useful if you need to take a screenshot where
space is at a premium.

[1]: [http://geocar.sdf1.org/pngw.tgz](http://geocar.sdf1.org/pngw.tgz)

------
olavgg
Funny that this shows up today, as what I've spent time on today is to create
an image reader for sending images over the NFC protocol.

I've been so frustrated today by trying to get libpng to work, but landed on
this library one hour ago and now everything just works sweet! :-)

~~~
TheLoneWolfling
Umm...

As is mentioned elsewhere in the thread: this does not seem to be secure
software. As such, think twice about using this: do you really want anyone
within NFC range to be able to exploit your app?

~~~
olavgg
Thanks for the warning.

Of course using a secure library is preferred. Though it's really hard to use
something that isn't very well documented and I just have a few months of
experience working with C. Which is also a potentially dangerous combination.

I found another library that wraps libpng:
[https://github.com/nilx/io_png](https://github.com/nilx/io_png). Maybe I could
be more successful with that library.

------
willvarfar
Just had fun clicking on the other projects link and finding LodePaint and the
esoteric languages and ... you go take a look yourself! :D

------
zeroDivisible
I don't want to sound rude, but based on the title, I understand that this has
something to do with PNG files.

It might be worth putting a bit more details there.

~~~
kaoD
I don't know if the URL has changed or something, but:

> LodePNG is a PNG image decoder and encoder, all in one, no dependency or
> linkage to zlib or libpng required. It's made for C (ISO C90), and has a C++
> wrapper with a more convenient interface on top.

Or you mean the title here in HN? That's an unfortunate consequence of the
"keep titles verbatim" rule.

~~~
dang
> That's an unfortunate consequence of the "keep titles verbatim" rule

I fear that you're misunderstanding the rule a little. There's nothing wrong
with including an explanatory phrase from a subtitle, or from the introductory
sentence of the page, which is often a de facto subtitle. (We added that when
we saw this title earlier today). What we're strict about avoiding is
submitters rewriting titles to make their own point about the content, rather
than preserving what the author wrote.

