diff mbox series

libpng: upgrade 1.6.42 -> 1.6.58

Message ID 20260716075137.18584-1-lianux.wang@processmission.com
State New
Headers show
Series libpng: upgrade 1.6.42 -> 1.6.58 | expand

Commit Message

Lian Wang July 16, 2026, 7:51 a.m. UTC
- Drop 17 CVE patches fixed upstream in 1.6.54 through 1.6.58
- Update LICENSE checksum (copyright year updated)
- All CVE-2025-64505, CVE-2025-64506, CVE-2025-64720,
  CVE-2025-65018, CVE-2025-66293, CVE-2026-22695,
  CVE-2026-22801, CVE-2026-25646, CVE-2026-33416,
  CVE-2026-33636 resolved in this release

Signed-off-by: Lian Wang <lianux.wang@processmission.com>
---
 .../libpng/files/CVE-2025-64505-01.patch      | 111 -----------
 .../libpng/files/CVE-2025-64505-02.patch      | 163 -----------------
 .../libpng/files/CVE-2025-64505-03.patch      |  52 ------
 .../libpng/files/CVE-2025-64506.patch         |  57 ------
 .../libpng/files/CVE-2025-64720.patch         | 103 -----------
 .../libpng/files/CVE-2025-65018-01.patch      |  60 ------
 .../libpng/files/CVE-2025-65018-02.patch      | 163 -----------------
 .../libpng/files/CVE-2025-66293-01.patch      |  60 ------
 .../libpng/files/CVE-2025-66293-02.patch      | 125 -------------
 .../libpng/files/CVE-2026-22695.patch         |  77 --------
 .../libpng/files/CVE-2026-22801.patch         | 173 ------------------
 .../libpng/files/CVE-2026-25646.patch         |  61 ------
 .../libpng/files/CVE-2026-33416-01.patch      | 143 ---------------
 .../libpng/files/CVE-2026-33416-02.patch      |  53 ------
 .../libpng/files/CVE-2026-33416-03.patch      | 163 -----------------
 .../libpng/files/CVE-2026-33416-04.patch      |  53 ------
 .../libpng/files/CVE-2026-33636.patch         |  99 ----------
 .../{libpng_1.6.42.bb => libpng_1.6.58.bb}    |  21 +--
 18 files changed, 2 insertions(+), 1735 deletions(-)
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch
 delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch
 rename meta/recipes-multimedia/libpng/{libpng_1.6.42.bb => libpng_1.6.58.bb} (77%)

Comments

Marko, Peter July 16, 2026, 7:58 a.m. UTC | #1
This is missing [scarthgap] tag.
But it will not be accepted as this upgrade does not contain only bugfixes.
Please send patch backports instead.

Peter

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of wang lian via
> lists.openembedded.org
> Sent: Thursday, July 16, 2026 9:52 AM
> To: openembedded-core@lists.openembedded.org
> Cc: Lian Wang <lianux.wang@processmission.com>
> Subject: [OE-core] [PATCH] libpng: upgrade 1.6.42 -> 1.6.58
> 
> - Drop 17 CVE patches fixed upstream in 1.6.54 through 1.6.58
> - Update LICENSE checksum (copyright year updated)
> - All CVE-2025-64505, CVE-2025-64506, CVE-2025-64720,
>   CVE-2025-65018, CVE-2025-66293, CVE-2026-22695,
>   CVE-2026-22801, CVE-2026-25646, CVE-2026-33416,
>   CVE-2026-33636 resolved in this release
> 
> Signed-off-by: Lian Wang <lianux.wang@processmission.com>
> ---
>  .../libpng/files/CVE-2025-64505-01.patch      | 111 -----------
>  .../libpng/files/CVE-2025-64505-02.patch      | 163 -----------------
>  .../libpng/files/CVE-2025-64505-03.patch      |  52 ------
>  .../libpng/files/CVE-2025-64506.patch         |  57 ------
>  .../libpng/files/CVE-2025-64720.patch         | 103 -----------
>  .../libpng/files/CVE-2025-65018-01.patch      |  60 ------
>  .../libpng/files/CVE-2025-65018-02.patch      | 163 -----------------
>  .../libpng/files/CVE-2025-66293-01.patch      |  60 ------
>  .../libpng/files/CVE-2025-66293-02.patch      | 125 -------------
>  .../libpng/files/CVE-2026-22695.patch         |  77 --------
>  .../libpng/files/CVE-2026-22801.patch         | 173 ------------------
>  .../libpng/files/CVE-2026-25646.patch         |  61 ------
>  .../libpng/files/CVE-2026-33416-01.patch      | 143 ---------------
>  .../libpng/files/CVE-2026-33416-02.patch      |  53 ------
>  .../libpng/files/CVE-2026-33416-03.patch      | 163 -----------------
>  .../libpng/files/CVE-2026-33416-04.patch      |  53 ------
>  .../libpng/files/CVE-2026-33636.patch         |  99 ----------
>  .../{libpng_1.6.42.bb => libpng_1.6.58.bb}    |  21 +--
>  18 files changed, 2 insertions(+), 1735 deletions(-)
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-
> 01.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-
> 02.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-
> 03.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-
> 64506.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-
> 64720.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-
> 01.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-
> 02.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-
> 01.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-
> 02.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-
> 22695.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-
> 22801.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-
> 25646.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-
> 01.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-
> 02.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-
> 03.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-
> 04.patch
>  delete mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-
> 33636.patch
>  rename meta/recipes-multimedia/libpng/{libpng_1.6.42.bb => libpng_1.6.58.bb}
> (77%)
> 
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
> deleted file mode 100644
> index 1e7d122..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
> +++ /dev/null
> @@ -1,111 +0,0 @@
> -From 0fa3c0f698c2ca618a0fa44e10a822678df85373 Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Thu, 15 Feb 2024 21:53:24 +0200
> -Subject: [PATCH] chore: Clean up the spurious uses of `sizeof(png_byte)`; fix
> - the manual
> -
> -By definition, `sizeof(png_byte)` is 1.
> -
> -Remove all the occurences of `sizeof(png_byte)` from the code, and fix
> -a related typo in the libpng manual.
> -
> -Also update the main .editorconfig file to reflect the fixing expected
> -by a FIXME note.
> -
> -CVE: CVE-2025-64505
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/0fa3c0f698c2ca618a0fa44e10a8226
> 78df85373]
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - libpng-manual.txt |  4 ++--
> - libpng.3          |  4 ++--
> - pngrtran.c        | 17 +++++++----------
> - 3 files changed, 11 insertions(+), 14 deletions(-)
> -
> -diff --git a/libpng-manual.txt b/libpng-manual.txt
> -index eb24ef483..d2918ce31 100644
> ---- a/libpng-manual.txt
> -+++ b/libpng-manual.txt
> -@@ -1178,11 +1178,11 @@ where row_pointers is an array of pointers to the
> pixel data for each row:
> - If you know your image size and pixel size ahead of time, you can allocate
> - row_pointers prior to calling png_read_png() with
> -
> --   if (height > PNG_UINT_32_MAX/(sizeof (png_byte)))
> -+   if (height > PNG_UINT_32_MAX / (sizeof (png_bytep)))
> -       png_error(png_ptr,
> -           "Image is too tall to process in memory");
> -
> --   if (width > PNG_UINT_32_MAX/pixel_size)
> -+   if (width > PNG_UINT_32_MAX / pixel_size)
> -       png_error(png_ptr,
> -           "Image is too wide to process in memory");
> -
> -diff --git a/libpng.3 b/libpng.3
> -index 57d06f2db..8875b219a 100644
> ---- a/libpng.3
> -+++ b/libpng.3
> -@@ -1697,11 +1697,11 @@ where row_pointers is an array of pointers to the
> pixel data for each row:
> - If you know your image size and pixel size ahead of time, you can allocate
> - row_pointers prior to calling png_read_png() with
> -
> --   if (height > PNG_UINT_32_MAX/(sizeof (png_byte)))
> -+   if (height > PNG_UINT_32_MAX / (sizeof (png_bytep)))
> -       png_error(png_ptr,
> -           "Image is too tall to process in memory");
> -
> --   if (width > PNG_UINT_32_MAX/pixel_size)
> -+   if (width > PNG_UINT_32_MAX / pixel_size)
> -       png_error(png_ptr,
> -           "Image is too wide to process in memory");
> -
> -diff --git a/pngrtran.c b/pngrtran.c
> -index 74cca476b..041f9306c 100644
> ---- a/pngrtran.c
> -+++ b/pngrtran.c
> -@@ -441,7 +441,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp
> palette,
> -       int i;
> -
> -       png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
> --          (png_alloc_size_t)((png_uint_32)num_palette * (sizeof (png_byte))));
> -+          (png_alloc_size_t)num_palette);
> -       for (i = 0; i < num_palette; i++)
> -          png_ptr->quantize_index[i] = (png_byte)i;
> -    }
> -@@ -458,7 +458,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp
> palette,
> -
> -          /* Initialize an array to sort colors */
> -          png_ptr->quantize_sort = (png_bytep)png_malloc(png_ptr,
> --             (png_alloc_size_t)((png_uint_32)num_palette * (sizeof (png_byte))));
> -+             (png_alloc_size_t)num_palette);
> -
> -          /* Initialize the quantize_sort array */
> -          for (i = 0; i < num_palette; i++)
> -@@ -592,11 +592,9 @@ png_set_quantize(png_structrp png_ptr, png_colorp
> palette,
> -
> -          /* Initialize palette index arrays */
> -          png_ptr->index_to_palette = (png_bytep)png_malloc(png_ptr,
> --             (png_alloc_size_t)((png_uint_32)num_palette *
> --             (sizeof (png_byte))));
> -+             (png_alloc_size_t)num_palette);
> -          png_ptr->palette_to_index = (png_bytep)png_malloc(png_ptr,
> --             (png_alloc_size_t)((png_uint_32)num_palette *
> --             (sizeof (png_byte))));
> -+             (png_alloc_size_t)num_palette);
> -
> -          /* Initialize the sort array */
> -          for (i = 0; i < num_palette; i++)
> -@@ -761,12 +759,11 @@ png_set_quantize(png_structrp png_ptr, png_colorp
> palette,
> -       size_t num_entries = ((size_t)1 << total_bits);
> -
> -       png_ptr->palette_lookup = (png_bytep)png_calloc(png_ptr,
> --          (png_alloc_size_t)(num_entries * (sizeof (png_byte))));
> -+          (png_alloc_size_t)(num_entries));
> -
> --      distance = (png_bytep)png_malloc(png_ptr, (png_alloc_size_t)(num_entries
> *
> --          (sizeof (png_byte))));
> -+      distance = (png_bytep)png_malloc(png_ptr,
> (png_alloc_size_t)num_entries);
> -
> --      memset(distance, 0xff, num_entries * (sizeof (png_byte)));
> -+      memset(distance, 0xff, num_entries);
> -
> -       for (i = 0; i < num_palette; i++)
> -       {
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
> deleted file mode 100644
> index 5a3e50b..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
> +++ /dev/null
> @@ -1,163 +0,0 @@
> -From ea094764f3436e3c6524622724c2d342a3eff235 Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Sat, 8 Nov 2025 17:16:59 +0200
> -Subject: [PATCH] Fix a memory leak in function `png_set_quantize`; refactor
> -
> -Release the previously-allocated array `quantize_index` before
> -reallocating it. This avoids leaking memory when the function
> -`png_set_quantize` is called multiple times on the same `png_struct`.
> -
> -This function assumed single-call usage, but fuzzing revealed that
> -repeated calls would overwrite the pointers without freeing the
> -original allocations, leaking 256 bytes per call for `quantize_index`
> -and additional memory for `quantize_sort` when histogram-based
> -quantization is used.
> -
> -Also remove the array `quantize_sort` from the list of `png_struct`
> -members and make it a local variable. This array is initialized,
> -used and released exclusively inside the function `png_set_quantize`.
> -
> -Reported-by: Samsung-PENTEST <Samsung-
> PENTEST@users.noreply.github.com>
> -Analyzed-by: degrigis <degrigis@users.noreply.github.com>
> -Reviewed-by: John Bowler <jbowler@acm.org>
> -
> -CVE: CVE-2025-64505
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/ea094764f3436e3c6524622724c2d3
> 42a3eff235]
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - pngrtran.c  | 43 +++++++++++++++++++++++--------------------
> - pngstruct.h |  1 -
> - 2 files changed, 23 insertions(+), 21 deletions(-)
> -
> -diff --git a/pngrtran.c b/pngrtran.c
> -index 1809db704..4632dd521 100644
> ---- a/pngrtran.c
> -+++ b/pngrtran.c
> -@@ -440,6 +440,12 @@ png_set_quantize(png_structrp png_ptr, png_colorp
> palette,
> -    {
> -       int i;
> -
> -+      /* Initialize the array to index colors.
> -+       *
> -+       * Be careful to avoid leaking memory. Applications are allowed to call
> -+       * this function more than once per png_struct.
> -+       */
> -+      png_free(png_ptr, png_ptr->quantize_index);
> -       png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
> -           (png_alloc_size_t)num_palette);
> -       for (i = 0; i < num_palette; i++)
> -@@ -454,15 +460,14 @@ png_set_quantize(png_structrp png_ptr, png_colorp
> palette,
> -           * Perhaps not the best solution, but good enough.
> -           */
> -
> --         int i;
> -+         png_bytep quantize_sort;
> -+         int i, j;
> -
> --         /* Initialize an array to sort colors */
> --         png_ptr->quantize_sort = (png_bytep)png_malloc(png_ptr,
> -+         /* Initialize the local array to sort colors. */
> -+         quantize_sort = (png_bytep)png_malloc(png_ptr,
> -              (png_alloc_size_t)num_palette);
> --
> --         /* Initialize the quantize_sort array */
> -          for (i = 0; i < num_palette; i++)
> --            png_ptr->quantize_sort[i] = (png_byte)i;
> -+            quantize_sort[i] = (png_byte)i;
> -
> -          /* Find the least used palette entries by starting a
> -           * bubble sort, and running it until we have sorted
> -@@ -474,19 +479,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp
> palette,
> -          for (i = num_palette - 1; i >= maximum_colors; i--)
> -          {
> -             int done; /* To stop early if the list is pre-sorted */
> --            int j;
> -
> -             done = 1;
> -             for (j = 0; j < i; j++)
> -             {
> --               if (histogram[png_ptr->quantize_sort[j]]
> --                   < histogram[png_ptr->quantize_sort[j + 1]])
> -+               if (histogram[quantize_sort[j]]
> -+                   < histogram[quantize_sort[j + 1]])
> -                {
> -                   png_byte t;
> -
> --                  t = png_ptr->quantize_sort[j];
> --                  png_ptr->quantize_sort[j] = png_ptr->quantize_sort[j + 1];
> --                  png_ptr->quantize_sort[j + 1] = t;
> -+                  t = quantize_sort[j];
> -+                  quantize_sort[j] = quantize_sort[j + 1];
> -+                  quantize_sort[j + 1] = t;
> -                   done = 0;
> -                }
> -             }
> -@@ -498,18 +502,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp
> palette,
> -          /* Swap the palette around, and set up a table, if necessary */
> -          if (full_quantize != 0)
> -          {
> --            int j = num_palette;
> -+            j = num_palette;
> -
> -             /* Put all the useful colors within the max, but don't
> -              * move the others.
> -              */
> -             for (i = 0; i < maximum_colors; i++)
> -             {
> --               if ((int)png_ptr->quantize_sort[i] >= maximum_colors)
> -+               if ((int)quantize_sort[i] >= maximum_colors)
> -                {
> -                   do
> -                      j--;
> --                  while ((int)png_ptr->quantize_sort[j] >= maximum_colors);
> -+                  while ((int)quantize_sort[j] >= maximum_colors);
> -
> -                   palette[i] = palette[j];
> -                }
> -@@ -517,7 +521,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp
> palette,
> -          }
> -          else
> -          {
> --            int j = num_palette;
> -+            j = num_palette;
> -
> -             /* Move all the used colors inside the max limit, and
> -              * develop a translation table.
> -@@ -525,13 +529,13 @@ png_set_quantize(png_structrp png_ptr, png_colorp
> palette,
> -             for (i = 0; i < maximum_colors; i++)
> -             {
> -                /* Only move the colors we need to */
> --               if ((int)png_ptr->quantize_sort[i] >= maximum_colors)
> -+               if ((int)quantize_sort[i] >= maximum_colors)
> -                {
> -                   png_color tmp_color;
> -
> -                   do
> -                      j--;
> --                  while ((int)png_ptr->quantize_sort[j] >= maximum_colors);
> -+                  while ((int)quantize_sort[j] >= maximum_colors);
> -
> -                   tmp_color = palette[j];
> -                   palette[j] = palette[i];
> -@@ -569,8 +573,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp
> palette,
> -                }
> -             }
> -          }
> --         png_free(png_ptr, png_ptr->quantize_sort);
> --         png_ptr->quantize_sort = NULL;
> -+         png_free(png_ptr, quantize_sort);
> -       }
> -       else
> -       {
> -diff --git a/pngstruct.h b/pngstruct.h
> -index 084422bc1..fe5fa0415 100644
> ---- a/pngstruct.h
> -+++ b/pngstruct.h
> -@@ -413,7 +413,6 @@ struct png_struct_def
> -
> - #ifdef PNG_READ_QUANTIZE_SUPPORTED
> - /* The following three members were added at version 1.0.14 and 1.2.4 */
> --   png_bytep quantize_sort;          /* working sort array */
> -    png_bytep index_to_palette;       /* where the original index currently is
> -                                         in the palette */
> -    png_bytep palette_to_index;       /* which original index points to this
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
> deleted file mode 100644
> index ddda867..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
> +++ /dev/null
> @@ -1,52 +0,0 @@
> -From 6a528eb5fd0dd7f6de1c39d30de0e41473431c37 Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Sat, 8 Nov 2025 23:58:26 +0200
> -Subject: [PATCH] Fix a buffer overflow in `png_do_quantize`
> -
> -Allocate the quantize_index array to PNG_MAX_PALETTE_LENGTH (256 bytes)
> -instead of num_palette bytes. This approach matches the allocation
> -pattern for `palette[]`, `trans_alpha[]` and `riffled_palette[]` which
> -were similarly oversized in libpng 1.2.1 to prevent buffer overflows
> -from malformed PNG files with out-of-range palette indices.
> -
> -Out-of-range palette indices `index >= num_palette` will now read
> -identity-mapped values from the `quantize_index` array (where index N
> -maps to palette entry N). This prevents undefined behavior while
> -avoiding runtime bounds checking overhead in the performance-critical
> -pixel processing loop.
> -
> -Reported-by: Samsung-PENTEST <Samsung-
> PENTEST@users.noreply.github.com>
> -Analyzed-by: degrigis <degrigis@users.noreply.github.com>
> -
> -CVE: CVE-2025-64505
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e4
> 1473431c37]
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - pngrtran.c | 8 ++++++--
> - 1 file changed, 6 insertions(+), 2 deletions(-)
> -
> -diff --git a/pngrtran.c b/pngrtran.c
> -index 4632dd521..9c2475fde 100644
> ---- a/pngrtran.c
> -+++ b/pngrtran.c
> -@@ -441,14 +441,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp
> palette,
> -       int i;
> -
> -       /* Initialize the array to index colors.
> -+       *
> -+       * Ensure quantize_index can fit 256 elements
> (PNG_MAX_PALETTE_LENGTH)
> -+       * rather than num_palette elements. This is to prevent buffer overflows
> -+       * caused by malformed PNG files with out-of-range palette indices.
> -        *
> -        * Be careful to avoid leaking memory. Applications are allowed to call
> -        * this function more than once per png_struct.
> -        */
> -       png_free(png_ptr, png_ptr->quantize_index);
> -       png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
> --          (png_alloc_size_t)num_palette);
> --      for (i = 0; i < num_palette; i++)
> -+          PNG_MAX_PALETTE_LENGTH);
> -+      for (i = 0; i < PNG_MAX_PALETTE_LENGTH; i++)
> -          png_ptr->quantize_index[i] = (png_byte)i;
> -    }
> -
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
> deleted file mode 100644
> index dc7fe00..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
> +++ /dev/null
> @@ -1,57 +0,0 @@
> -From 2bd84c019c300b78e811743fbcddb67c9d9bf821 Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Fri, 7 Nov 2025 22:40:05 +0200
> -Subject: [PATCH] Fix a heap buffer overflow in `png_write_image_8bit`
> -
> -The condition guarding the pre-transform path incorrectly allowed 8-bit
> -input data to enter `png_write_image_8bit` which expects 16-bit input.
> -This caused out-of-bounds reads when processing 8-bit grayscale+alpha
> -images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746),
> -with the `convert_to_8bit` flag set (an invalid combination that should
> -bypass the pre-transform path).
> -
> -The second part of the condition, i.e.
> -
> -    colormap == 0 && convert_to_8bit != 0
> -
> -failed to verify that input was 16-bit, i.e.
> -
> -    linear != 0
> -
> -contradicting the comment "This only applies when the input is 16-bit".
> -
> -The fix consists in restructuring the condition to ensure both the
> -`alpha` path and the `convert_to_8bit` path require linear (16-bit)
> -input. The corrected condition, i.e.
> -
> -    linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)
> -
> -matches the expectation of the `png_write_image_8bit` function and
> -prevents treating 8-bit buffers as 16-bit data.
> -
> -Reported-by: Samsung-PENTEST <Samsung-
> PENTEST@users.noreply.github.com>
> -Reported-by: weijinjinnihao <weijinjinnihao@users.noreply.github.com>
> -Analyzed-by: degrigis <degrigis@users.noreply.github.com>
> -Reviewed-by: John Bowler <jbowler@acm.org>
> -
> -CVE: CVE-2025-64506
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb6
> 7c9d9bf821]
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - pngwrite.c | 3 +--
> - 1 file changed, 1 insertion(+), 2 deletions(-)
> -
> -diff --git a/pngwrite.c b/pngwrite.c
> -index 35a5d17b6..83148960e 100644
> ---- a/pngwrite.c
> -+++ b/pngwrite.c
> -@@ -2142,8 +2142,7 @@ png_image_write_main(png_voidp argument)
> -     * before it is written.  This only applies when the input is 16-bit and
> -     * either there is an alpha channel or it is converted to 8-bit.
> -     */
> --   if ((linear != 0 && alpha != 0 ) ||
> --       (colormap == 0 && display->convert_to_8bit != 0))
> -+   if (linear != 0 && (alpha != 0 || display->convert_to_8bit != 0))
> -    {
> -       png_bytep row = png_voidcast(png_bytep, png_malloc(png_ptr,
> -           png_get_rowbytes(png_ptr, info_ptr)));
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
> deleted file mode 100644
> index 08df7c3..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
> +++ /dev/null
> @@ -1,103 +0,0 @@
> -From 08da33b4c88cfcd36e5a706558a8d7e0e4773643 Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Wed, 12 Nov 2025 13:46:23 +0200
> -Subject: [PATCH] Fix a buffer overflow in `png_init_read_transformations`
> -
> -The palette compositing code in `png_init_read_transformations` was
> -incorrectly applying background compositing when
> PNG_FLAG_OPTIMIZE_ALPHA
> -was set. This violated the premultiplied alpha invariant
> -`component <= alpha` expected by `png_image_read_composite`, causing
> -values that exceeded the valid range for the PNG_sRGB_FROM_LINEAR lookup
> -tables.
> -
> -When PNG_ALPHA_OPTIMIZED is active, palette entries should contain pure
> -premultiplied RGB values without background compositing. The background
> -compositing must happen later in `png_image_read_composite` where the
> -actual background color from the PNG file is available.
> -
> -The fix consists in introducing conditional behavior based on
> -PNG_FLAG_OPTIMIZE_ALPHA: when set, the code performs only
> -premultiplication using the formula `component * alpha + 127) / 255`
> -with proper gamma correction. When not set, the original background
> -compositing calculation based on the `png_composite` macro is preserved.
> -
> -This prevents buffer overflows in `png_image_read_composite` where
> -out-of-range premultiplied values would cause out-of-bounds array access
> -in `png_sRGB_base[]` and `png_sRGB_delta[]`.
> -
> -Reported-by: Samsung-PENTEST <Samsung-
> PENTEST@users.noreply.github.com>
> -Analyzed-by: John Bowler <jbowler@acm.org>
> -
> -CVE: CVE-2025-64720
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7
> e0e4773643]
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - pngrtran.c | 52 ++++++++++++++++++++++++++++++++++++++++++----------
> - 1 file changed, 42 insertions(+), 10 deletions(-)
> -
> -diff --git a/pngrtran.c b/pngrtran.c
> -index 548780030..2f5202255 100644
> ---- a/pngrtran.c
> -+++ b/pngrtran.c
> -@@ -1698,19 +1698,51 @@ png_init_read_transformations(png_structrp
> png_ptr)
> -                   }
> -                   else /* if (png_ptr->trans_alpha[i] != 0xff) */
> -                   {
> --                     png_byte v, w;
> -+                     if ((png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0)
> -+                     {
> -+                        /* Premultiply only:
> -+                         * component = round((component * alpha) / 255)
> -+                         */
> -+                        png_uint_32 component;
> -
> --                     v = png_ptr->gamma_to_1[palette[i].red];
> --                     png_composite(w, v, png_ptr->trans_alpha[i], back_1.red);
> --                     palette[i].red = png_ptr->gamma_from_1[w];
> -+                        component = png_ptr->gamma_to_1[palette[i].red];
> -+                        component =
> -+                            (component * png_ptr->trans_alpha[i] + 128) / 255;
> -+                        palette[i].red = png_ptr->gamma_from_1[component];
> -
> --                     v = png_ptr->gamma_to_1[palette[i].green];
> --                     png_composite(w, v, png_ptr->trans_alpha[i], back_1.green);
> --                     palette[i].green = png_ptr->gamma_from_1[w];
> -+                        component = png_ptr->gamma_to_1[palette[i].green];
> -+                        component =
> -+                            (component * png_ptr->trans_alpha[i] + 128) / 255;
> -+                        palette[i].green = png_ptr->gamma_from_1[component];
> -
> --                     v = png_ptr->gamma_to_1[palette[i].blue];
> --                     png_composite(w, v, png_ptr->trans_alpha[i], back_1.blue);
> --                     palette[i].blue = png_ptr->gamma_from_1[w];
> -+                        component = png_ptr->gamma_to_1[palette[i].blue];
> -+                        component =
> -+                            (component * png_ptr->trans_alpha[i] + 128) / 255;
> -+                        palette[i].blue = png_ptr->gamma_from_1[component];
> -+                     }
> -+                     else
> -+                     {
> -+                        /* Composite with background color:
> -+                         * component =
> -+                         *    alpha * component + (1 - alpha) * background
> -+                         */
> -+                        png_byte v, w;
> -+
> -+                        v = png_ptr->gamma_to_1[palette[i].red];
> -+                        png_composite(w, v,
> -+                            png_ptr->trans_alpha[i], back_1.red);
> -+                        palette[i].red = png_ptr->gamma_from_1[w];
> -+
> -+                        v = png_ptr->gamma_to_1[palette[i].green];
> -+                        png_composite(w, v,
> -+                            png_ptr->trans_alpha[i], back_1.green);
> -+                        palette[i].green = png_ptr->gamma_from_1[w];
> -+
> -+                        v = png_ptr->gamma_to_1[palette[i].blue];
> -+                        png_composite(w, v,
> -+                            png_ptr->trans_alpha[i], back_1.blue);
> -+                        palette[i].blue = png_ptr->gamma_from_1[w];
> -+                     }
> -                   }
> -                }
> -                else
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
> deleted file mode 100644
> index cdee6c7..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
> +++ /dev/null
> @@ -1,60 +0,0 @@
> -From 16b5e3823918840aae65c0a6da57c78a5a496a4d Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Mon, 17 Nov 2025 20:38:47 +0200
> -Subject: [PATCH] Fix a buffer overflow in `png_image_finish_read`
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Reject bit-depth mismatches between IHDR and the requested output
> -format. When a 16-bit PNG is processed with an 8-bit output format
> -request, `png_combine_row` writes using the IHDR depth before
> -transformation, causing writes beyond the buffer allocated via
> -`PNG_IMAGE_SIZE(image)`.
> -
> -The validation establishes a safe API contract where
> -`PNG_IMAGE_SIZE(image)` is guaranteed to be sufficient across the
> -transformation pipeline.
> -
> -Example overflow (32×32 pixels, 16-bit RGB to 8-bit RGBA):
> -- Input format: 16 bits/channel × 3 channels = 6144 bytes
> -- Output buffer: 8 bits/channel × 4 channels = 4096 bytes
> -- Overflow: 6144 bytes - 4096 bytes = 2048 bytes
> -
> -Larger images produce proportionally larger overflows. For example,
> -for 256×256 pixels, the overflow is 131072 bytes.
> -
> -Reported-by: yosiimich <yosiimich@users.noreply.github.com>
> -
> -CVE: CVE-2025-65018
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c
> 78a5a496a4d]
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - pngread.c | 14 ++++++++++++++
> - 1 file changed, 14 insertions(+)
> -
> -diff --git a/pngread.c b/pngread.c
> -index 212afb7d2..92571ec33 100644
> ---- a/pngread.c
> -+++ b/pngread.c
> -@@ -4166,6 +4166,20 @@ png_image_finish_read(png_imagep image,
> png_const_colorp background,
> -                   int result;
> -                   png_image_read_control display;
> -
> -+                  /* Reject bit depth mismatches to avoid buffer overflows. */
> -+                  png_uint_32 ihdr_bit_depth =
> -+                      image->opaque->png_ptr->bit_depth;
> -+                  int requested_linear =
> -+                      (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
> -+                  if (ihdr_bit_depth == 16 && !requested_linear)
> -+                     return png_image_error(image,
> -+                         "png_image_finish_read: "
> -+                         "16-bit PNG must use 16-bit output format");
> -+                  if (ihdr_bit_depth < 16 && requested_linear)
> -+                     return png_image_error(image,
> -+                         "png_image_finish_read: "
> -+                         "8-bit PNG must not use 16-bit output format");
> -+
> -                   memset(&display, 0, (sizeof display));
> -                   display.image = image;
> -                   display.buffer = buffer;
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
> deleted file mode 100644
> index 891cd20..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
> +++ /dev/null
> @@ -1,163 +0,0 @@
> -From 218612ddd6b17944e21eda56caf8b4bf7779d1ea Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Wed, 19 Nov 2025 21:45:13 +0200
> -Subject: [PATCH] Rearchitect the fix to the buffer overflow in
> - `png_image_finish_read`
> -
> -Undo the fix from commit 16b5e3823918840aae65c0a6da57c78a5a496a4d.
> -That fix turned out to be unnecessarily limiting. It rejected all
> -16-to-8 bit transformations, although the vulnerability only affects
> -interlaced PNGs where `png_combine_row` writes using IHDR bit-depth
> -before the transformation completes.
> -
> -The proper solution is to add an intermediate `local_row` buffer,
> -specifically for the slow but necessary step of 16-to-8 bit conversion
> -of interlaced images. (The processing of non-interlaced images remains
> -intact, using the fast path.) We added the flag `do_local_scale` and
> -the function `png_image_read_direct_scaled`, following the pattern that
> -involves `do_local_compose`.
> -
> -In conclusion:
> -- The 16-to-8 bit transformations of interlaced images are now safe,
> -  as they use an intermediate buffer.
> -- The 16-to-8 bit transformations of non-interlaced images remain safe,
> -  as the fast path remains unchanged.
> -- All our regression tests are now passing.
> -
> -CVE: CVE-2025-65018
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4
> bf7779d1ea]
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - pngread.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++--------
> -
> - 1 file changed, 75 insertions(+), 14 deletions(-)
> -
> -diff --git a/pngread.c b/pngread.c
> -index 92571ec33..79917daaa 100644
> ---- a/pngread.c
> -+++ b/pngread.c
> -@@ -3262,6 +3262,54 @@ png_image_read_colormapped(png_voidp
> argument)
> -    }
> - }
> -
> -+/* Row reading for interlaced 16-to-8 bit depth conversion with local buffer. */
> -+static int
> -+png_image_read_direct_scaled(png_voidp argument)
> -+{
> -+   png_image_read_control *display = png_voidcast(png_image_read_control*,
> -+       argument);
> -+   png_imagep image = display->image;
> -+   png_structrp png_ptr = image->opaque->png_ptr;
> -+   png_bytep local_row = png_voidcast(png_bytep, display->local_row);
> -+   png_bytep first_row = png_voidcast(png_bytep, display->first_row);
> -+   ptrdiff_t row_bytes = display->row_bytes;
> -+   int passes;
> -+
> -+   /* Handle interlacing. */
> -+   switch (png_ptr->interlaced)
> -+   {
> -+      case PNG_INTERLACE_NONE:
> -+         passes = 1;
> -+         break;
> -+
> -+      case PNG_INTERLACE_ADAM7:
> -+         passes = PNG_INTERLACE_ADAM7_PASSES;
> -+         break;
> -+
> -+      default:
> -+         png_error(png_ptr, "unknown interlace type");
> -+   }
> -+
> -+   /* Read each pass using local_row as intermediate buffer. */
> -+   while (--passes >= 0)
> -+   {
> -+      png_uint_32 y = image->height;
> -+      png_bytep output_row = first_row;
> -+
> -+      for (; y > 0; --y)
> -+      {
> -+         /* Read into local_row (gets transformed 8-bit data). */
> -+         png_read_row(png_ptr, local_row, NULL);
> -+
> -+         /* Copy from local_row to user buffer. */
> -+         memcpy(output_row, local_row, (size_t)row_bytes);
> -+         output_row += row_bytes;
> -+      }
> -+   }
> -+
> -+   return 1;
> -+}
> -+
> - /* Just the row reading part of png_image_read. */
> - static int
> - png_image_read_composite(png_voidp argument)
> -@@ -3680,6 +3728,7 @@ png_image_read_direct(png_voidp argument)
> -    int linear = (format & PNG_FORMAT_FLAG_LINEAR) != 0;
> -    int do_local_compose = 0;
> -    int do_local_background = 0; /* to avoid double gamma correction bug */
> -+   int do_local_scale = 0; /* for interlaced 16-to-8 bit conversion */
> -    int passes = 0;
> -
> -    /* Add transforms to ensure the correct output format is produced then check
> -@@ -3806,8 +3855,16 @@ png_image_read_direct(png_voidp argument)
> -             png_set_expand_16(png_ptr);
> -
> -          else /* 8-bit output */
> -+         {
> -             png_set_scale_16(png_ptr);
> -
> -+            /* For interlaced images, use local_row buffer to avoid overflow
> -+             * in png_combine_row() which writes using IHDR bit-depth.
> -+             */
> -+            if (png_ptr->interlaced != 0)
> -+               do_local_scale = 1;
> -+         }
> -+
> -          change &= ~PNG_FORMAT_FLAG_LINEAR;
> -       }
> -
> -@@ -4083,6 +4140,24 @@ png_image_read_direct(png_voidp argument)
> -       return result;
> -    }
> -
> -+   else if (do_local_scale != 0)
> -+   {
> -+      /* For interlaced 16-to-8 conversion, use an intermediate row buffer
> -+       * to avoid buffer overflows in png_combine_row. The local_row is sized
> -+       * for the transformed (8-bit) output, preventing the overflow that would
> -+       * occur if png_combine_row wrote 16-bit data directly to the user buffer.
> -+       */
> -+      int result;
> -+      png_voidp row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr));
> -+
> -+      display->local_row = row;
> -+      result = png_safe_execute(image, png_image_read_direct_scaled,
> display);
> -+      display->local_row = NULL;
> -+      png_free(png_ptr, row);
> -+
> -+      return result;
> -+   }
> -+
> -    else
> -    {
> -       png_alloc_size_t row_bytes = (png_alloc_size_t)display->row_bytes;
> -@@ -4166,20 +4241,6 @@ png_image_finish_read(png_imagep image,
> png_const_colorp background,
> -                   int result;
> -                   png_image_read_control display;
> -
> --                  /* Reject bit depth mismatches to avoid buffer overflows. */
> --                  png_uint_32 ihdr_bit_depth =
> --                      image->opaque->png_ptr->bit_depth;
> --                  int requested_linear =
> --                      (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
> --                  if (ihdr_bit_depth == 16 && !requested_linear)
> --                     return png_image_error(image,
> --                         "png_image_finish_read: "
> --                         "16-bit PNG must use 16-bit output format");
> --                  if (ihdr_bit_depth < 16 && requested_linear)
> --                     return png_image_error(image,
> --                         "png_image_finish_read: "
> --                         "8-bit PNG must not use 16-bit output format");
> --
> -                   memset(&display, 0, (sizeof display));
> -                   display.image = image;
> -                   display.buffer = buffer;
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
> deleted file mode 100644
> index 0b958b9..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
> +++ /dev/null
> @@ -1,60 +0,0 @@
> -From 788a624d7387a758ffd5c7ab010f1870dea753a1 Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Sat, 29 Nov 2025 00:39:16 +0200
> -Subject: [PATCH] Fix an out-of-bounds read in `png_image_read_composite`
> -
> -Add a defensive bounds check before calling PNG_sRGB_FROM_LINEAR to
> -prevent reading up to 506 entries (1012 bytes) past `png_sRGB_base[]`.
> -
> -For palette images with gamma, `png_init_read_transformations`
> -clears PNG_COMPOSE after compositing on the palette, but it leaves
> -PNG_FLAG_OPTIMIZE_ALPHA set. The simplified API then calls
> -`png_image_read_composite` with sRGB data (not linear premultiplied),
> -causing the index to reach 1017. (The maximum valid index is 511.)
> -
> -NOTE:
> -This is a defensive fix that addresses the security issue (out-of-bounds
> -read) but *NOT* the correctness issue (wrong output). When the clamp
> -triggers, the affected pixels are clamped to white instead of the
> -correct composited color. Valid PNG images may render incorrectly with
> -the simplified API.
> -
> -TODO:
> -We already know the root cause is a flag synchronization error.
> -For palette images with gamma, `png_init_read_transformations`
> -clears PNG_COMPOSE but leaves PNG_FLAG_OPTIMIZE_ALPHA set, causing
> -`png_image_read_composite` to misinterpret sRGB data as linear
> -premultiplied. However, we have yet to implement an architectural fix
> -that requires coordinating the simplified API with the transformation
> -pipeline.
> -
> -Reported-by: flyfish101 <flyfish101@users.noreply.github.com>
> -
> -CVE: CVE-2025-66293
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f187
> 0dea753a1]
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - pngread.c | 9 +++++++--
> - 1 file changed, 7 insertions(+), 2 deletions(-)
> -
> -diff --git a/pngread.c b/pngread.c
> -index 79917daaa..ab62edd9d 100644
> ---- a/pngread.c
> -+++ b/pngread.c
> -@@ -3406,9 +3406,14 @@ png_image_read_composite(png_voidp argument)
> -                         component += (255-alpha)*png_sRGB_table[outrow[c]];
> -
> -                         /* So 'component' is scaled by 255*65535 and is
> --                         * therefore appropriate for the sRGB to linear
> --                         * conversion table.
> -+                         * therefore appropriate for the sRGB-to-linear
> -+                         * conversion table.  Clamp to the valid range
> -+                         * as a defensive measure against an internal
> -+                         * libpng bug where the data is sRGB rather than
> -+                         * linear premultiplied.
> -                          */
> -+                        if (component > 255*65535)
> -+                           component = 255*65535;
> -                         component = PNG_sRGB_FROM_LINEAR(component);
> -                      }
> -
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
> deleted file mode 100644
> index ba563e1..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
> +++ /dev/null
> @@ -1,125 +0,0 @@
> -From a05a48b756de63e3234ea6b3b938b8f5f862484a Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Mon, 1 Dec 2025 22:31:54 +0200
> -Subject: [PATCH] Finalize the fix for out-of-bounds read in
> - `png_image_read_composite`
> -
> -Following up on commit 788a624d7387a758ffd5c7ab010f1870dea753a1.
> -
> -The previous commit added a defensive bounds check to address the
> -security issue (out-of-bounds read), but noted that the correctness
> -issue remained: when the clamp triggered, the affected pixels were
> -clamped to white instead of the correct composited color.
> -
> -This commit addresses the correctness issue by fixing the flag
> -synchronization error identified in the previous commit's TODO:
> -
> -1. In `png_init_read_transformations`:
> -   Clear PNG_FLAG_OPTIMIZE_ALPHA when clearing PNG_COMPOSE for
> palette
> -   images. This correctly signals that the data is sRGB, not linear
> -   premultiplied.
> -
> -2. In `png_image_read_composite`:
> -   Check PNG_FLAG_OPTIMIZE_ALPHA and use the appropriate composition
> -   formula. When set, use the existing linear composition. When cleared
> -   (palette composition already done), use sRGB composition to match
> -   what was done to the palette.
> -
> -Retain the previous clamp to the valid range as belt-and-suspenders
> -protection against any other unforeseen cases.
> -
> -CVE: CVE-2025-66293
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b
> 8f5f862484a]
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - pngread.c  | 56 ++++++++++++++++++++++++++++++++++++------------------
> - pngrtran.c |  1 +
> - 2 files changed, 39 insertions(+), 18 deletions(-)
> -
> -diff --git a/pngread.c b/pngread.c
> -index ab62edd9d..f8ca2b7e3 100644
> ---- a/pngread.c
> -+++ b/pngread.c
> -@@ -3340,6 +3340,7 @@ png_image_read_composite(png_voidp argument)
> -       ptrdiff_t    step_row = display->row_bytes;
> -       unsigned int channels =
> -           (image->format & PNG_FORMAT_FLAG_COLOR) != 0 ? 3 : 1;
> -+      int optimize_alpha = (png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0;
> -       int pass;
> -
> -       for (pass = 0; pass < passes; ++pass)
> -@@ -3396,25 +3397,44 @@ png_image_read_composite(png_voidp
> argument)
> -
> -                      if (alpha < 255) /* else just use component */
> -                      {
> --                        /* This is PNG_OPTIMIZED_ALPHA, the component value
> --                         * is a linear 8-bit value.  Combine this with the
> --                         * current outrow[c] value which is sRGB encoded.
> --                         * Arithmetic here is 16-bits to preserve the output
> --                         * values correctly.
> --                         */
> --                        component *= 257*255; /* =65535 */
> --                        component += (255-alpha)*png_sRGB_table[outrow[c]];
> -+                        if (optimize_alpha != 0)
> -+                        {
> -+                           /* This is PNG_OPTIMIZED_ALPHA, the component value
> -+                            * is a linear 8-bit value.  Combine this with the
> -+                            * current outrow[c] value which is sRGB encoded.
> -+                            * Arithmetic here is 16-bits to preserve the output
> -+                            * values correctly.
> -+                            */
> -+                           component *= 257*255; /* =65535 */
> -+                           component += (255-alpha)*png_sRGB_table[outrow[c]];
> -
> --                        /* So 'component' is scaled by 255*65535 and is
> --                         * therefore appropriate for the sRGB-to-linear
> --                         * conversion table.  Clamp to the valid range
> --                         * as a defensive measure against an internal
> --                         * libpng bug where the data is sRGB rather than
> --                         * linear premultiplied.
> --                         */
> --                        if (component > 255*65535)
> --                           component = 255*65535;
> --                        component = PNG_sRGB_FROM_LINEAR(component);
> -+                           /* Clamp to the valid range to defend against
> -+                            * unforeseen cases where the data might be sRGB
> -+                            * instead of linear premultiplied.
> -+                            * (Belt-and-suspenders for GitHub Issue #764.)
> -+                            */
> -+                           if (component > 255*65535)
> -+                              component = 255*65535;
> -+
> -+                           /* So 'component' is scaled by 255*65535 and is
> -+                            * therefore appropriate for the sRGB-to-linear
> -+                            * conversion table.
> -+                            */
> -+                           component = PNG_sRGB_FROM_LINEAR(component);
> -+                        }
> -+                        else
> -+                        {
> -+                           /* Compositing was already done on the palette
> -+                            * entries.  The data is sRGB premultiplied on black.
> -+                            * Composite with the background in sRGB space.
> -+                            * This is not gamma-correct, but matches what was
> -+                            * done to the palette.
> -+                            */
> -+                           png_uint_32 background = outrow[c];
> -+                           component += ((255-alpha) * background + 127) / 255;
> -+                           if (component > 255)
> -+                              component = 255;
> -+                        }
> -                      }
> -
> -                      outrow[c] = (png_byte)component;
> -diff --git a/pngrtran.c b/pngrtran.c
> -index 2f5202255..507d11381 100644
> ---- a/pngrtran.c
> -+++ b/pngrtran.c
> -@@ -1760,6 +1760,7 @@ png_init_read_transformations(png_structrp png_ptr)
> -              * transformations elsewhere.
> -              */
> -             png_ptr->transformations &= ~(PNG_COMPOSE | PNG_GAMMA);
> -+            png_ptr->flags &= ~PNG_FLAG_OPTIMIZE_ALPHA;
> -          } /* color_type == PNG_COLOR_TYPE_PALETTE */
> -
> -          /* if (png_ptr-
> >background_gamma_type!=PNG_BACKGROUND_GAMMA_UNKNOWN) */
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch
> deleted file mode 100644
> index 6456b6c..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch
> +++ /dev/null
> @@ -1,77 +0,0 @@
> -From e4f7ad4ea2a471776c81dda4846b7691925d9786 Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Fri, 9 Jan 2026 20:51:53 +0200
> -Subject: [PATCH] Fix a heap buffer over-read in
> `png_image_read_direct_scaled`
> -
> -Fix a regression from commit 218612ddd6b17944e21eda56caf8b4bf7779d1ea.
> -
> -The function `png_image_read_direct_scaled`, introduced by the fix for
> -CVE-2025-65018, copies transformed row data from an intermediate buffer
> -(`local_row`) to the user's output buffer. The copy incorrectly used
> -`row_bytes` (the caller's stride) as the size parameter to memcpy, even
> -though `local_row` is only `png_get_rowbytes()` bytes long.
> -
> -This causes a heap buffer over-read when:
> -
> -1. The caller provides a padded stride (e.g., for memory alignment):
> -   memcpy reads past the end of `local_row` by `stride - row_width`
> -   bytes.
> -
> -2. The caller provides a negative stride (for bottom-up layouts):
> -   casting ptrdiff_t to size_t produces ~2^64, causing memcpy to
> -   attempt reading exabytes, resulting in an immediate crash.
> -
> -The fix consists in using the size of the row buffer for the copy and
> -using the stride for pointer advancement only.
> -
> -Reported-by: Petr Simecek <simecek@users.noreply.github.com>
> -Analyzed-by: Stanislav Fort
> -Analyzed-by: Pavel Kohout
> -Co-authored-by: Petr Simecek <simecek@users.noreply.github.com>
> -Signed-off-by: Cosmin Truta <ctruta@gmail.com>
> -
> -CVE: CVE-2026-22695
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/e4f7ad4ea2a471776c81dda4846b76
> 91925d9786]
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - AUTHORS   | 1 +
> - pngread.c | 4 +++-
> - 2 files changed, 4 insertions(+), 1 deletion(-)
> -
> -diff --git a/AUTHORS b/AUTHORS
> -index 26b7bb50f..b9c0fffcf 100644
> ---- a/AUTHORS
> -+++ b/AUTHORS
> -@@ -23,6 +23,7 @@ Authors, for copyright and licensing purposes.
> -  * Mike Klein
> -  * Pascal Massimino
> -  * Paul Schmidt
> -+ * Petr Simecek
> -  * Philippe Antoine
> -  * Qiang Zhou
> -  * Sam Bushell
> -diff --git a/pngread.c b/pngread.c
> -index e3426292b..9d86b01dc 100644
> ---- a/pngread.c
> -+++ b/pngread.c
> -@@ -3270,9 +3270,11 @@ png_image_read_direct_scaled(png_voidp
> argument)
> -        argument);
> -    png_imagep image = display->image;
> -    png_structrp png_ptr = image->opaque->png_ptr;
> -+   png_inforp info_ptr = image->opaque->info_ptr;
> -    png_bytep local_row = png_voidcast(png_bytep, display->local_row);
> -    png_bytep first_row = png_voidcast(png_bytep, display->first_row);
> -    ptrdiff_t row_bytes = display->row_bytes;
> -+   size_t copy_bytes = png_get_rowbytes(png_ptr, info_ptr);
> -    int passes;
> -
> -    /* Handle interlacing. */
> -@@ -3302,7 +3304,7 @@ png_image_read_direct_scaled(png_voidp
> argument)
> -          png_read_row(png_ptr, local_row, NULL);
> -
> -          /* Copy from local_row to user buffer. */
> --         memcpy(output_row, local_row, (size_t)row_bytes);
> -+         memcpy(output_row, local_row, copy_bytes);
> -          output_row += row_bytes;
> -       }
> -    }
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch
> deleted file mode 100644
> index 8a611ac..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch
> +++ /dev/null
> @@ -1,173 +0,0 @@
> -From cf155de014fc6c5cb199dd681dd5c8fb70429072 Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Sat, 10 Jan 2026 15:20:18 +0200
> -Subject: [PATCH] fix: Remove incorrect truncation casts from
> - `png_write_image_*`
> -
> -The type of the row stride (`display->row_bytes`) is ptrdiff_t. Casting
> -to png_uint_16 before division will truncate large strides, causing
> -incorrect pointer arithmetic for images exceeding 65535 bytes per row.
> -For bottom-up images (negative stride), the truncation also corrupts
> -the sign, advancing the row pointer forward instead of backward.
> -
> -Remove the erroneous casts and let the compiler handle the pointer
> -arithmetic correctly. Also replace `sizeof (png_uint_16)` with 2.
> -
> -Add regression test via `pngstest --stride-extra N` where N > 32767
> -triggers the affected code paths.
> -
> -A NOTE ABOUT HISTORY:
> -The original code in libpng 1.5.6 (2011) had no such casts. They were
> -introduced in libpng 1.6.26 (2016), likely to silence compiler warnings
> -on 16-bit systems where the cast would be a no-op. On 32/64-bit systems
> -the cast truncates the strides above 65535 and corrupts the negative
> -strides.
> -
> -CVE: CVE-2026-22801
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8f
> b70429072]
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - CMakeLists.txt              |  9 ++++++++-
> - contrib/libtests/pngstest.c | 29 ++++++++++++++++++++++++++++-
> - pngwrite.c                  | 10 +++++-----
> - tests/pngstest-large-stride |  8 ++++++++
> - 4 files changed, 49 insertions(+), 7 deletions(-)
> - create mode 100755 tests/pngstest-large-stride
> -
> -diff --git a/CMakeLists.txt b/CMakeLists.txt
> -index a8cd82402..a595ed91d 100644
> ---- a/CMakeLists.txt
> -+++ b/CMakeLists.txt
> -@@ -1,7 +1,7 @@
> -
> - # CMakeLists.txt - CMake lists for libpng
> - #
> --# Copyright (c) 2018-2024 Cosmin Truta.
> -+# Copyright (c) 2018-2026 Cosmin Truta
> - # Copyright (c) 2007-2018 Glenn Randers-Pehrson.
> - # Originally written by Christian Ehrlicher, 2007.
> - #
> -@@ -859,6 +859,13 @@ if(PNG_TESTS AND PNG_SHARED)
> -     endforeach()
> -   endforeach()
> -
> -+  # Regression test:
> -+  # Use stride_extra > 32767 to trigger row_bytes > 65535 for linear images.
> -+  png_add_test(NAME pngstest-large-stride
> -+               COMMAND pngstest
> -+               OPTIONS --stride-extra 33000 --tmpfile "large-stride-" --log
> -+               FILES "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-
> alpha-16-linear.png")
> -+
> -   add_executable(pngunknown ${pngunknown_sources})
> -   target_link_libraries(pngunknown PRIVATE png_shared)
> -
> -diff --git a/contrib/libtests/pngstest.c b/contrib/libtests/pngstest.c
> -index ff4c2b24a..2f29afee2 100644
> ---- a/contrib/libtests/pngstest.c
> -+++ b/contrib/libtests/pngstest.c
> -@@ -1,7 +1,7 @@
> -
> - /* pngstest.c
> -  *
> -- * Copyright (c) 2021 Cosmin Truta
> -+ * Copyright (c) 2021-2026 Cosmin Truta
> -  * Copyright (c) 2013-2017 John Cunningham Bowler
> -  *
> -  * This code is released under the libpng license.
> -@@ -3571,6 +3571,33 @@ main(int argc, char **argv)
> -          opts |= NO_RESEED;
> -       else if (strcmp(arg, "--fault-gbg-warning") == 0)
> -          opts |= GBG_ERROR;
> -+      else if (strcmp(arg, "--stride-extra") == 0)
> -+      {
> -+         if (c+1 < argc)
> -+         {
> -+            char *ep;
> -+            unsigned long val = strtoul(argv[++c], &ep, 0);
> -+
> -+            if (ep > argv[c] && *ep == 0 && val <= 65535)
> -+               stride_extra = (int)val;
> -+
> -+            else
> -+            {
> -+               fflush(stdout);
> -+               fprintf(stderr, "%s: bad argument for --stride-extra: %s\n",
> -+                  argv[0], argv[c]);
> -+               exit(99);
> -+            }
> -+         }
> -+
> -+         else
> -+         {
> -+            fflush(stdout);
> -+            fprintf(stderr, "%s: missing argument for --stride-extra\n",
> -+               argv[0]);
> -+            exit(99);
> -+         }
> -+      }
> -       else if (strcmp(arg, "--tmpfile") == 0)
> -       {
> -          if (c+1 < argc)
> -diff --git a/pngwrite.c b/pngwrite.c
> -index 08066bcc4..a95b846c8 100644
> ---- a/pngwrite.c
> -+++ b/pngwrite.c
> -@@ -1,7 +1,7 @@
> -
> - /* pngwrite.c - general routines to write a PNG file
> -  *
> -- * Copyright (c) 2018-2024 Cosmin Truta
> -+ * Copyright (c) 2018-2026 Cosmin Truta
> -  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
> -  * Copyright (c) 1996-1997 Andreas Dilger
> -  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
> -@@ -1645,7 +1645,7 @@ png_write_image_16bit(png_voidp argument)
> -       }
> -
> -       png_write_row(png_ptr, png_voidcast(png_const_bytep, display-
> >local_row));
> --      input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
> -+      input_row += display->row_bytes / 2;
> -    }
> -
> -    return 1;
> -@@ -1771,7 +1771,7 @@ png_write_image_8bit(png_voidp argument)
> -
> -          png_write_row(png_ptr, png_voidcast(png_const_bytep,
> -              display->local_row));
> --         input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
> -+         input_row += display->row_bytes / 2;
> -       } /* while y */
> -    }
> -
> -@@ -1796,7 +1796,7 @@ png_write_image_8bit(png_voidp argument)
> -          }
> -
> -          png_write_row(png_ptr, output_row);
> --         input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
> -+         input_row += display->row_bytes / 2;
> -       }
> -    }
> -
> -@@ -2115,7 +2115,7 @@ png_image_write_main(png_voidp argument)
> -       ptrdiff_t row_bytes = display->row_stride;
> -
> -       if (linear != 0)
> --         row_bytes *= (sizeof (png_uint_16));
> -+         row_bytes *= 2;
> -
> -       if (row_bytes < 0)
> -          row += (image->height-1) * (-row_bytes);
> -diff --git a/tests/pngstest-large-stride b/tests/pngstest-large-stride
> -new file mode 100755
> -index 000000000..7958c5b42
> ---- /dev/null
> -+++ b/tests/pngstest-large-stride
> -@@ -0,0 +1,8 @@
> -+#!/bin/sh
> -+
> -+# Regression test:
> -+# Use stride_extra > 32767 to trigger row_bytes > 65535 for linear images.
> -+exec ./pngstest \
> -+     --stride-extra 33000 \
> -+     --tmpfile "large-stride-" \
> -+     --log "${srcdir}/contrib/testpngs/rgb-alpha-16-linear.png"
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
> deleted file mode 100644
> index 5fbf5eb..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
> +++ /dev/null
> @@ -1,61 +0,0 @@
> -From 01d03b8453eb30ade759cd45c707e5a1c7277d88 Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Fri, 6 Feb 2026 19:11:54 +0200
> -Subject: [PATCH] Fix a heap buffer overflow in `png_set_quantize`
> -
> -The color distance hash table stored the current palette indices, but
> -the color-pruning loop assumed the original indices. When colors were
> -eliminated and indices changed, the stored indices became stale. This
> -caused the loop bound `max_d` to grow past the 769-element hash array.
> -
> -The fix consists in storing the original indices via `palette_to_index`
> -to match the pruning loop's expectations.
> -
> -Reported-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
> -Co-authored-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
> -Signed-off-by: Cosmin Truta <ctruta@gmail.com>
> -
> -CVE: CVE-2026-25646
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e
> 5a1c7277d88]
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - AUTHORS    | 1 +
> - pngrtran.c | 6 +++---
> - 2 files changed, 4 insertions(+), 3 deletions(-)
> -
> -diff --git a/AUTHORS b/AUTHORS
> -index b9c0fffcf..4094f4a57 100644
> ---- a/AUTHORS
> -+++ b/AUTHORS
> -@@ -15,6 +15,7 @@ Authors, for copyright and licensing purposes.
> -  * Guy Eric Schalnat
> -  * James Yu
> -  * John Bowler
> -+ * Joshua Inscoe
> -  * Kevin Bracey
> -  * Magnus Holmgren
> -  * Mandar Sahastrabuddhe
> -diff --git a/pngrtran.c b/pngrtran.c
> -index fe8f9d32c..1fce9af12 100644
> ---- a/pngrtran.c
> -+++ b/pngrtran.c
> -@@ -1,7 +1,7 @@
> -
> - /* pngrtran.c - transforms the data in a row for PNG readers
> -  *
> -- * Copyright (c) 2018-2024 Cosmin Truta
> -+ * Copyright (c) 2018-2026 Cosmin Truta
> -  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
> -  * Copyright (c) 1996-1997 Andreas Dilger
> -  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
> -@@ -647,8 +647,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp
> palette,
> -                          break;
> -
> -                      t->next = hash[d];
> --                     t->left = (png_byte)i;
> --                     t->right = (png_byte)j;
> -+                     t->left = png_ptr->palette_to_index[i];
> -+                     t->right = png_ptr->palette_to_index[j];
> -                      hash[d] = t;
> -                   }
> -                }
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch
> deleted file mode 100644
> index a60a8d6..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch
> +++ /dev/null
> @@ -1,143 +0,0 @@
> -From 23019269764e35ed8458e517f1897bd3c54820eb Mon Sep 17 00:00:00
> 2001
> -From: Oblivionsage <cookieandcream560@gmail.com>
> -Date: Sun, 15 Mar 2026 10:35:29 +0100
> -Subject: [PATCH] fix: Resolve use-after-free on `png_ptr->trans_alpha`
> -
> -The function `png_set_tRNS` sets `png_ptr->trans_alpha` to point at
> -`info_ptr->trans_alpha` directly, so both structs share the same heap
> -buffer. If the application calls `png_free_data(PNG_FREE_TRNS)`, or if
> -`png_set_tRNS` is called a second time, the buffer is freed through
> -`info_ptr` while `png_ptr` still holds a dangling reference. Any
> -subsequent row read that hits the function `png_do_expand_palette` will
> -dereference freed memory.
> -
> -The fix gives `png_struct` its own allocation instead of aliasing the
> -`info_ptr` pointer. This was already flagged with a TODO in
> -`png_handle_tRNS` ("horrible side effect ... Fix this.") but it was
> -never addressed.
> -
> -Verified with AddressSanitizer. All 34 existing tests pass without
> -regressions.
> -
> -CVE: CVE-2026-33416
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897b
> d3c54820eb]
> -Comment: Refreshed hunk to match latest scarthgap
> -
> -Reviewed-by: Cosmin Truta <ctruta@gmail.com>
> -Signed-off-by: Cosmin Truta <ctruta@gmail.com>
> -Signed-off-by: Sourav Kumar Pramanik
> <Souravkumar.Pramanik@bmwtechworks.in>
> -Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
> ----
> - pngread.c  | 11 +++++------
> - pngrutil.c |  4 ----
> - pngset.c   | 31 +++++++++++++++++++------------
> - pngwrite.c |  6 ++++++
> - 4 files changed, 30 insertions(+), 22 deletions(-)
> -
> -diff --git a/pngread.c b/pngread.c
> -index 01b731d8eb..0086edf6cf 100644
> ---- a/pngread.c
> -+++ b/pngread.c
> -@@ -968,12 +968,11 @@ png_read_destroy(png_structrp png_ptr)
> -
> - #if defined(PNG_tRNS_SUPPORTED) || \
> -     defined(PNG_READ_EXPAND_SUPPORTED) ||
> defined(PNG_READ_BACKGROUND_SUPPORTED)
> --   if ((png_ptr->free_me & PNG_FREE_TRNS) != 0)
> --   {
> --      png_free(png_ptr, png_ptr->trans_alpha);
> --      png_ptr->trans_alpha = NULL;
> --   }
> --   png_ptr->free_me &= ~PNG_FREE_TRNS;
> -+   /* png_ptr->trans_alpha is always independently allocated (not aliased
> -+    * with info_ptr->trans_alpha), so free it unconditionally.
> -+    */
> -+   png_free(png_ptr, png_ptr->trans_alpha);
> -+   png_ptr->trans_alpha = NULL;
> - #endif
> -
> -    inflateEnd(&png_ptr->zstream);
> -diff --git a/pngrutil.c b/pngrutil.c
> -index 366379b991..a19507bf1b 100644
> ---- a/pngrutil.c
> -+++ b/pngrutil.c
> -@@ -1905,10 +1905,6 @@ png_handle_tRNS(png_structrp png_ptr, pn
> -       return;
> -    }
> -
> --   /* TODO: this is a horrible side effect in the palette case because the
> --    * png_struct ends up with a pointer to the tRNS buffer owned by the
> --    * png_info.  Fix this.
> --    */
> -    png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
> -        &(png_ptr->trans_color));
> - }
> -diff --git a/pngset.c b/pngset.c
> -index 4b78b8960c..47883684e4 100644
> ---- a/pngset.c
> -+++ b/pngset.c
> -@@ -990,28 +990,36 @@ png_set_tRNS(png_structrp png_ptr, png_i
> -
> -    if (trans_alpha != NULL)
> -    {
> --       /* It may not actually be necessary to set png_ptr->trans_alpha here;
> --        * we do it for backward compatibility with the way the png_handle_tRNS
> --        * function used to do the allocation.
> --        *
> --        * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively
> --        * relies on png_set_tRNS storing the information in png_struct
> --        * (otherwise it won't be there for the code in pngrtran.c).
> --        */
> --
> -        png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
> -
> -        if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
> -        {
> --         /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version
> 1.2.1 */
> -+          /* Allocate info_ptr's copy of the transparency data. */
> -           info_ptr->trans_alpha = png_voidcast(png_bytep,
> -               png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
> -           memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
> --
> -           info_ptr->free_me |= PNG_FREE_TRNS;
> -           info_ptr->valid |= PNG_INFO_tRNS;
> -+
> -+
> -+          /* Allocate an independent copy for png_struct, so that the
> -+           * lifetime of png_ptr->trans_alpha is decoupled from the
> -+           * lifetime of info_ptr->trans_alpha.  Previously these two
> -+           * pointers were aliased, which caused a use-after-free if
> -+           * png_free_data freed info_ptr->trans_alpha while
> -+           * png_ptr->trans_alpha was still in use by the row transform
> -+           * functions (e.g. png_do_expand_palette).
> -+           */
> -+          png_free(png_ptr, png_ptr->trans_alpha);
> -+          png_ptr->trans_alpha = png_voidcast(png_bytep,
> -+              png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
> -+          memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
> -+       }
> -+       else
> -+       {
> -+          png_free(png_ptr, png_ptr->trans_alpha);
> -+          png_ptr->trans_alpha = NULL;
> -        }
> --       png_ptr->trans_alpha = info_ptr->trans_alpha;
> -    }
> -
> -    if (trans_color != NULL)
> -diff --git a/pngwrite.c b/pngwrite.c
> -index 5fc77d91f7..84af1e73fb 100644
> ---- a/pngwrite.c
> -+++ b/pngwrite.c
> -@@ -977,6 +977,12 @@ png_write_destroy(png_structrp png_ptr)
> -    png_ptr->chunk_list = NULL;
> - #endif
> -
> -+#if defined(PNG_tRNS_SUPPORTED)
> -+   /* Free the independent copy of trans_alpha owned by png_struct. */
> -+   png_free(png_ptr, png_ptr->trans_alpha);
> -+   png_ptr->trans_alpha = NULL;
> -+#endif
> -+
> -    /* The error handling and memory handling information is left intact at this
> -     * point: the jmp_buf may still have to be freed.  See png_destroy_png_struct
> -     * for how this happens.
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch
> deleted file mode 100644
> index e746293..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch
> +++ /dev/null
> @@ -1,53 +0,0 @@
> -From a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25 Mon Sep 17 00:00:00
> 2001
> -From: Oblivionsage <cookieandcream560@gmail.com>
> -Date: Tue, 17 Mar 2026 08:55:18 +0100
> -Subject: [PATCH] fix: Initialize tail bytes in `trans_alpha` buffers
> -
> -Although the arrays `info_ptr->trans_alpha` and `png_ptr->trans_alpha`
> -are allocated 256 bytes, only `num_trans` bytes are copied.
> -The remaining entries were left uninitialized. Set them to 0xff (fully
> -opaque) before copying, which matches the conventional treatment of
> -entries beyond `num_trans`.
> -
> -This is a follow-up to the previous use-after-free fix.
> -
> -CVE: CVE-2026-33416
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74
> a0fa34a25]
> -Comment: Refreshed hunk to match latest scarthgap
> -
> -Reported-by: Cosmin Truta <ctruta@gmail.com>
> -Reviewed-by: Cosmin Truta <ctruta@gmail.com>
> -Signed-off-by: Cosmin Truta <ctruta@gmail.com>
> -Signed-off-by: Sourav Kumar Pramanik
> <Souravkumar.Pramanik@bmwtechworks.in>
> -Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
> ----
> - pngset.c | 7 ++++++-
> - 1 file changed, 6 insertions(+), 1 deletion(-)
> -
> -diff --git a/pngset.c b/pngset.c
> -index 47883684e4..dccc6498d7 100644
> ---- a/pngset.c
> -+++ b/pngset.c
> -@@ -994,9 +994,13 @@ png_set_tRNS(png_structrp png_ptr, png_i
> -
> -        if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
> -        {
> --          /* Allocate info_ptr's copy of the transparency data. */
> -+	       /* Allocate info_ptr's copy of the transparency data.
> -+           * Initialize all entries to fully opaque (0xff), then overwrite
> -+           * the first num_trans entries with the actual values.
> -+           */
> -           info_ptr->trans_alpha = png_voidcast(png_bytep,
> -               png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
> -+	       memset(info_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
> -           memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
> -           info_ptr->free_me |= PNG_FREE_TRNS;
> -           info_ptr->valid |= PNG_INFO_tRNS;
> -@@ -1013,6 +1017,7 @@ png_set_tRNS(png_structrp png_ptr, png_i
> -           png_free(png_ptr, png_ptr->trans_alpha);
> -           png_ptr->trans_alpha = png_voidcast(png_bytep,
> -               png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
> -+	       memset(png_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
> -           memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
> -        }
> -        else
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch
> deleted file mode 100644
> index 21ce35d..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch
> +++ /dev/null
> @@ -1,163 +0,0 @@
> -From 7ea9eea884a2328cc7fdcb3c0c00246a50d90667 Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Fri, 20 Mar 2026 17:37:22 +0200
> -Subject: [PATCH] fix: Resolve use-after-free on `png_ptr->palette`
> -
> -Give `png_struct` its own independently-allocated copy of the palette
> -buffer, decoupling it from `info_struct`'s palette. Allocate both
> -copies with `png_calloc` to zero-fill, because the ARM NEON palette
> -riffle reads all 256 entries unconditionally.
> -
> -In function `png_set_PLTE`, `png_ptr->palette` was aliased directly to
> -`info_ptr->palette`: a single heap buffer shared across two structs
> -with independent lifetimes. If the buffer was freed through `info_ptr`
> -(via `png_free_data(PNG_FREE_PLTE)` or a second call to `png_set_PLTE`),
> -`png_ptr->palette` became a dangling pointer. Subsequent row reads,
> -performed in `png_do_expand_palette` and in other transform functions,
> -dereferenced (and in the bit-shift path, wrote to) freed memory.
> -
> -Also fix `png_set_quantize` to allocate an owned copy of the caller's
> -palette rather than aliasing the user pointer, so that the unconditional
> -free in `png_read_destroy` does not free unmanaged memory.
> -
> -CVE: CVE-2026-33416
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c0024
> 6a50d90667]
> -Comment: Refreshed hunk to match latest scarthgap
> -
> -Signed-off-by: Sourav Kumar Pramanik
> <Souravkumar.Pramanik@bmwtechworks.in>
> -Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
> ----
> - pngread.c  | 11 +++++------
> - pngrtran.c |  8 +++++++-
> - pngrutil.c | 13 -------------
> - pngset.c   | 28 +++++++++++++++++++---------
> - pngwrite.c |  4 ++++
> - 5 files changed, 35 insertions(+), 29 deletions(-)
> -
> -diff --git a/pngread.c b/pngread.c
> -index 0086edf6cf..e1d38d578a 100644
> ---- a/pngread.c
> -+++ b/pngread.c
> -@@ -959,12 +959,11 @@ png_read_destroy(png_structrp png_ptr)
> -    png_ptr->quantize_index = NULL;
> - #endif
> -
> --   if ((png_ptr->free_me & PNG_FREE_PLTE) != 0)
> --   {
> --      png_zfree(png_ptr, png_ptr->palette);
> --      png_ptr->palette = NULL;
> --   }
> --   png_ptr->free_me &= ~PNG_FREE_PLTE;
> -+   /* png_ptr->palette is always independently allocated (not aliased
> -+    * with info_ptr->palette), so free it unconditionally.
> -+    */
> -+   png_free(png_ptr, png_ptr->palette);
> -+   png_ptr->palette = NULL;
> -
> - #if defined(PNG_tRNS_SUPPORTED) || \
> -     defined(PNG_READ_EXPAND_SUPPORTED) ||
> defined(PNG_READ_BACKGROUND_SUPPORTED)
> -diff --git a/pngrtran.c b/pngrtran.c
> -index bfb7d423b7..fd736ab672 100644
> ---- a/pngrtran.c
> -+++ b/pngrtran.c
> -@@ -750,7 +750,13 @@ png_set_quantize(png_structrp png_ptr, p
> -    }
> -    if (png_ptr->palette == NULL)
> -    {
> --      png_ptr->palette = palette;
> -+      /* Allocate an owned copy rather than aliasing the caller's pointer,
> -+       * so that png_read_destroy can free png_ptr->palette unconditionally.
> -+       */
> -+      png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
> -+          PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
> -+      memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
> -+          (sizeof (png_color)));
> -    }
> -    png_ptr->num_palette = (png_uint_16)num_palette;
> -
> -diff --git a/pngrutil.c b/pngrutil.c
> -index a19507bf1b..3a35fe9de2 100644
> ---- a/pngrutil.c
> -+++ b/pngrutil.c
> -@@ -1047,14 +1047,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
> -    }
> - #endif
> -
> --   /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
> --    * own copy of the palette.  This has the side effect that when png_start_row
> --    * is called (this happens after any call to png_read_update_info) the
> --    * info_ptr palette gets changed.  This is extremely unexpected and
> --    * confusing.
> --    *
> --    * Fix this by not sharing the palette in this way.
> --    */
> -    png_set_PLTE(png_ptr, info_ptr, palette, num);
> -
> -    /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and
> before
> -diff --git a/pngset.c b/pngset.c
> -index dccc6498d7..b9ccb7fb15 100644
> ---- a/pngset.c
> -+++ b/pngset.c
> -@@ -595,28 +595,38 @@ png_set_PLTE(png_structrp png_ptr, png_i
> -       png_error(png_ptr, "Invalid palette");
> -    }
> -
> --   /* It may not actually be necessary to set png_ptr->palette here;
> --    * we do it for backward compatibility with the way the png_handle_tRNS
> --    * function used to do the allocation.
> --    *
> --    * 1.6.0: the above statement appears to be incorrect; something has to set
> --    * the palette inside png_struct on read.
> --    */
> -    png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
> -
> -    /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
> -     * of num_palette entries, in case of an invalid PNG file or incorrect
> -     * call to png_set_PLTE() with too-large sample values.
> -+    *
> -+    * Allocate independent buffers for info_ptr and png_ptr so that the
> -+    * lifetime of png_ptr->palette is decoupled from the lifetime of
> -+    * info_ptr->palette.  Previously, these two pointers were aliased,
> -+    * which caused a use-after-free vulnerability if png_free_data freed
> -+    * info_ptr->palette while png_ptr->palette was still in use by the
> -+    * row transform functions (e.g. png_do_expand_palette).
> -+    *
> -+    * Both buffers are allocated with png_calloc to zero-fill, because
> -+    * the ARM NEON palette riffle reads all 256 entries unconditionally,
> -+    * regardless of num_palette.
> -     */
> -+   png_free(png_ptr, png_ptr->palette);
> -    png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
> -        PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
> -+   info_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
> -+       PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
> -+   png_ptr->num_palette = info_ptr->num_palette = (png_uint_16)num_palette;
> -
> -    if (num_palette > 0)
> -+      {
> -+      memcpy(info_ptr->palette, palette, (unsigned int)num_palette *
> -+          (sizeof (png_color)));
> -       memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
> -           (sizeof (png_color)));
> -+      }
> -
> --   info_ptr->palette = png_ptr->palette;
> --   info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette;
> -    info_ptr->free_me |= PNG_FREE_PLTE;
> -    info_ptr->valid |= PNG_INFO_PLTE;
> - }
> -diff --git a/pngwrite.c b/pngwrite.c
> -index 84af1e73fb..348763e940 100644
> ---- a/pngwrite.c
> -+++ b/pngwrite.c
> -@@ -982,6 +982,10 @@ png_write_destroy(png_structrp png_ptr)
> -    png_free(png_ptr, png_ptr->trans_alpha);
> -    png_ptr->trans_alpha = NULL;
> - #endif
> -+
> -+   /* Free the independent copy of the palette owned by png_struct. */
> -+   png_free(png_ptr, png_ptr->palette);
> -+   png_ptr->palette = NULL;
> -
> -    /* The error handling and memory handling information is left intact at this
> -     * point: the jmp_buf may still have to be freed.  See png_destroy_png_struct
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch
> deleted file mode 100644
> index ff7db53..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch
> +++ /dev/null
> @@ -1,53 +0,0 @@
> -From c1b0318b393c90679e6fa5bc1d329fd5d5012ec1 Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Fri, 20 Mar 2026 21:25:12 +0200
> -Subject: [PATCH] fix: Sync `info_ptr->palette` after in-place transforms
> -
> -Copy `png_ptr->palette` into `info_ptr->palette` upon entering
> -the function that runs immediately after the in-place transforms.
> -
> -The palette decoupling in the previous commit gave `png_struct`
> -and `png_info` independently-allocated palette buffers, fixing a
> -use-after-free vulnerability. However, `png_init_read_transformations`
> -modifies `png_ptr->palette` in place (e.g. for gamma correction or
> -background compositing), and the old aliasing made those modifications
> -visible through `png_get_PLTE`. With independent buffers,
> -`info_ptr->palette` retained the original values, causing our tests to
> -fail on indexed-colour background compositing.
> -
> -CVE: CVE-2026-33416
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd
> 5d5012ec1]
> -Comment: Refreshed hunk to match latest scarthgap
> -
> -Signed-off-by: Sourav Kumar Pramanik
> <Souravkumar.Pramanik@bmwtechworks.in>
> -Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
> ----
> - pngrtran.c | 15 +++++++++++++++
> - 1 file changed, 15 insertions(+)
> -
> -diff --git a/pngrtran.c b/pngrtran.c
> -index fd736ab672..978dac5888 100644
> ---- a/pngrtran.c
> -+++ b/pngrtran.c
> -@@ -1984,6 +1984,21 @@ png_read_transform_info(png_structrp png
> - {
> -    png_debug(1, "in png_read_transform_info");
> -
> -+   if (png_ptr->transformations != 0)
> -+   {
> -+      if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
> -+          info_ptr->palette != NULL && png_ptr->palette != NULL)
> -+      {
> -+         /* Sync info_ptr->palette with png_ptr->palette.
> -+          * The function png_init_read_transformations may have modified
> -+          * png_ptr->palette in place (e.g. for gamma correction or for
> -+          * background compositing).
> -+          */
> -+         memcpy(info_ptr->palette, png_ptr->palette,
> -+             PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
> -+      }
> -+   }
> -+
> - #ifdef PNG_READ_EXPAND_SUPPORTED
> -    if ((png_ptr->transformations & PNG_EXPAND) != 0)
> -    {
> diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch
> b/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch
> deleted file mode 100644
> index 3bd6aae..0000000
> --- a/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch
> +++ /dev/null
> @@ -1,99 +0,0 @@
> -From 9ff847dfcbb54f6dee3fd4e408150ae944278391 Mon Sep 17 00:00:00
> 2001
> -From: Cosmin Truta <ctruta@gmail.com>
> -Date: Sat, 21 Mar 2026 23:48:49 +0200
> -Subject: [PATCH] fix(arm): Resolve out-of-bounds read/write in NEON palette
> - expansion
> -
> -Both `png_do_expand_palette_rgba8_neon` and
> -`png_do_expand_palette_rgb8_neon` advanced in fixed-size chunks without
> -guarding the final iteration, allowing out-of-bounds reads and writes
> -when the row width is not a multiple of the chunk size.
> -
> -Restrict the NEON loop to full chunks only, remove the now-unnecessary
> -post-loop adjustment, and undo the `*ddp` pre-adjustment before the
> -pointer handoff to the scalar fallback.
> -
> -CVE: CVE-2026-33636
> -Upstream-Status: Backport
> [https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d7345
> 1349e339c3]
> -
> -Reported-by: Amemoyoi <Amemoyoi@users.noreply.github.com>
> -Co-authored-by: Amemoyoi <Amemoyoi@users.noreply.github.com>
> -Signed-off-by: Cosmin Truta <ctruta@gmail.com>
> -(cherry picked from commit aba9f18eba870d14fb52c5ba5d73451349e339c3)
> -Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
> ----
> - arm/palette_neon_intrinsics.c | 29 +++++++++++++----------------
> - 1 file changed, 13 insertions(+), 16 deletions(-)
> -
> -diff --git a/arm/palette_neon_intrinsics.c b/arm/palette_neon_intrinsics.c
> -index 92c7d6f9f..bdd15849d 100644
> ---- a/arm/palette_neon_intrinsics.c
> -+++ b/arm/palette_neon_intrinsics.c
> -@@ -1,7 +1,7 @@
> -
> - /* palette_neon_intrinsics.c - NEON optimised palette expansion functions
> -  *
> -- * Copyright (c) 2018-2019 Cosmin Truta
> -+ * Copyright (c) 2018-2026 Cosmin Truta
> -  * Copyright (c) 2017-2018 Arm Holdings. All rights reserved.
> -  * Written by Richard Townsend <Richard.Townsend@arm.com>, February
> 2017.
> -  *
> -@@ -80,7 +80,7 @@ png_do_expand_palette_rgba8_neon(png_structrp
> png_ptr, png_row_infop row_info,
> -     */
> -    *ddp = *ddp - ((pixels_per_chunk * sizeof(png_uint_32)) - 1);
> -
> --   for (i = 0; i < row_width; i += pixels_per_chunk)
> -+   for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk)
> -    {
> -       uint32x4_t cur;
> -       png_bytep sp = *ssp - i, dp = *ddp - (i << 2);
> -@@ -90,13 +90,12 @@ png_do_expand_palette_rgba8_neon(png_structrp
> png_ptr, png_row_infop row_info,
> -       cur = vld1q_lane_u32(riffled_palette + *(sp - 0), cur, 3);
> -       vst1q_u32((void *)dp, cur);
> -    }
> --   if (i != row_width)
> --   {
> --      /* Remove the amount that wasn't processed. */
> --      i -= pixels_per_chunk;
> --   }
> -
> --   /* Decrement output pointers. */
> -+   /* Undo the pre-adjustment of *ddp before the pointer handoff,
> -+    * so the scalar fallback in pngrtran.c receives a dp that points
> -+    * to the correct position.
> -+    */
> -+   *ddp = *ddp + (pixels_per_chunk * 4 - 1);
> -    *ssp = *ssp - i;
> -    *ddp = *ddp - (i << 2);
> -    return i;
> -@@ -121,7 +120,7 @@ png_do_expand_palette_rgb8_neon(png_structrp
> png_ptr, png_row_infop row_info,
> -    /* Seeking this back by 8 pixels x 3 bytes. */
> -    *ddp = *ddp - ((pixels_per_chunk * sizeof(png_color)) - 1);
> -
> --   for (i = 0; i < row_width; i += pixels_per_chunk)
> -+   for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk)
> -    {
> -       uint8x8x3_t cur;
> -       png_bytep sp = *ssp - i, dp = *ddp - ((i << 1) + i);
> -@@ -136,13 +135,11 @@ png_do_expand_palette_rgb8_neon(png_structrp
> png_ptr, png_row_infop row_info,
> -       vst3_u8((void *)dp, cur);
> -    }
> -
> --   if (i != row_width)
> --   {
> --      /* Remove the amount that wasn't processed. */
> --      i -= pixels_per_chunk;
> --   }
> --
> --   /* Decrement output pointers. */
> -+   /* Undo the pre-adjustment of *ddp before the pointer handoff,
> -+    * so the scalar fallback in pngrtran.c receives a dp that points
> -+    * to the correct position.
> -+    */
> -+   *ddp = *ddp + (pixels_per_chunk * 3 - 1);
> -    *ssp = *ssp - i;
> -    *ddp = *ddp - ((i << 1) + i);
> -    return i;
> ---
> -2.44.4
> -
> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-
> multimedia/libpng/libpng_1.6.58.bb
> similarity index 77%
> rename from meta/recipes-multimedia/libpng/libpng_1.6.42.bb
> rename to meta/recipes-multimedia/libpng/libpng_1.6.58.bb
> index e4cc636..9e6a991 100644
> --- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.58.bb
> @@ -5,33 +5,16 @@ library for use in applications that read, create, and
> manipulate PNG \
>  HOMEPAGE = "http://www.libpng.org/"
>  SECTION = "libs"
>  LICENSE = "Libpng"
> -LIC_FILES_CHKSUM =
> "file://LICENSE;md5=0fdbfbe10fc294a6fca24dc76134222a"
> +LIC_FILES_CHKSUM =
> "file://LICENSE;md5=9dc350edbbbee660c7d9af79487168f2"
>  DEPENDS = "zlib"
> 
>  LIBV = "16"
> 
>  SRC_URI =
> "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
>             file://run-ptest \
> -           file://CVE-2025-64505-01.patch \
> -           file://CVE-2025-64505-02.patch \
> -           file://CVE-2025-64505-03.patch \
> -           file://CVE-2025-64506.patch \
> -           file://CVE-2025-64720.patch \
> -           file://CVE-2025-65018-01.patch \
> -           file://CVE-2025-65018-02.patch \
> -           file://CVE-2025-66293-01.patch \
> -           file://CVE-2025-66293-02.patch \
> -           file://CVE-2026-22695.patch \
> -           file://CVE-2026-22801.patch \
> -           file://CVE-2026-25646.patch \
> -           file://CVE-2026-33636.patch \
> -           file://CVE-2026-33416-01.patch \
> -           file://CVE-2026-33416-02.patch \
> -           file://CVE-2026-33416-03.patch \
> -           file://CVE-2026-33416-04.patch \
>  "
> 
> -SRC_URI[sha256sum] =
> "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
> +SRC_URI[sha256sum] =
> "28eb403f51f0f7405249132cecfe82ea5c0ef97f1b32c5a65828814ae0d34775"
> 
>  MIRRORS += "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/
> ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/"
> 
> --
> 2.55.0
diff mbox series

Patch

diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
deleted file mode 100644
index 1e7d122..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
+++ /dev/null
@@ -1,111 +0,0 @@ 
-From 0fa3c0f698c2ca618a0fa44e10a822678df85373 Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Thu, 15 Feb 2024 21:53:24 +0200
-Subject: [PATCH] chore: Clean up the spurious uses of `sizeof(png_byte)`; fix
- the manual
-
-By definition, `sizeof(png_byte)` is 1.
-
-Remove all the occurences of `sizeof(png_byte)` from the code, and fix
-a related typo in the libpng manual.
-
-Also update the main .editorconfig file to reflect the fixing expected
-by a FIXME note.
-
-CVE: CVE-2025-64505
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/0fa3c0f698c2ca618a0fa44e10a822678df85373]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- libpng-manual.txt |  4 ++--
- libpng.3          |  4 ++--
- pngrtran.c        | 17 +++++++----------
- 3 files changed, 11 insertions(+), 14 deletions(-)
-
-diff --git a/libpng-manual.txt b/libpng-manual.txt
-index eb24ef483..d2918ce31 100644
---- a/libpng-manual.txt
-+++ b/libpng-manual.txt
-@@ -1178,11 +1178,11 @@ where row_pointers is an array of pointers to the pixel data for each row:
- If you know your image size and pixel size ahead of time, you can allocate
- row_pointers prior to calling png_read_png() with
- 
--   if (height > PNG_UINT_32_MAX/(sizeof (png_byte)))
-+   if (height > PNG_UINT_32_MAX / (sizeof (png_bytep)))
-       png_error(png_ptr,
-           "Image is too tall to process in memory");
- 
--   if (width > PNG_UINT_32_MAX/pixel_size)
-+   if (width > PNG_UINT_32_MAX / pixel_size)
-       png_error(png_ptr,
-           "Image is too wide to process in memory");
- 
-diff --git a/libpng.3 b/libpng.3
-index 57d06f2db..8875b219a 100644
---- a/libpng.3
-+++ b/libpng.3
-@@ -1697,11 +1697,11 @@ where row_pointers is an array of pointers to the pixel data for each row:
- If you know your image size and pixel size ahead of time, you can allocate
- row_pointers prior to calling png_read_png() with
- 
--   if (height > PNG_UINT_32_MAX/(sizeof (png_byte)))
-+   if (height > PNG_UINT_32_MAX / (sizeof (png_bytep)))
-       png_error(png_ptr,
-           "Image is too tall to process in memory");
- 
--   if (width > PNG_UINT_32_MAX/pixel_size)
-+   if (width > PNG_UINT_32_MAX / pixel_size)
-       png_error(png_ptr,
-           "Image is too wide to process in memory");
- 
-diff --git a/pngrtran.c b/pngrtran.c
-index 74cca476b..041f9306c 100644
---- a/pngrtran.c
-+++ b/pngrtran.c
-@@ -441,7 +441,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
-       int i;
- 
-       png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
--          (png_alloc_size_t)((png_uint_32)num_palette * (sizeof (png_byte))));
-+          (png_alloc_size_t)num_palette);
-       for (i = 0; i < num_palette; i++)
-          png_ptr->quantize_index[i] = (png_byte)i;
-    }
-@@ -458,7 +458,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
- 
-          /* Initialize an array to sort colors */
-          png_ptr->quantize_sort = (png_bytep)png_malloc(png_ptr,
--             (png_alloc_size_t)((png_uint_32)num_palette * (sizeof (png_byte))));
-+             (png_alloc_size_t)num_palette);
- 
-          /* Initialize the quantize_sort array */
-          for (i = 0; i < num_palette; i++)
-@@ -592,11 +592,9 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
- 
-          /* Initialize palette index arrays */
-          png_ptr->index_to_palette = (png_bytep)png_malloc(png_ptr,
--             (png_alloc_size_t)((png_uint_32)num_palette *
--             (sizeof (png_byte))));
-+             (png_alloc_size_t)num_palette);
-          png_ptr->palette_to_index = (png_bytep)png_malloc(png_ptr,
--             (png_alloc_size_t)((png_uint_32)num_palette *
--             (sizeof (png_byte))));
-+             (png_alloc_size_t)num_palette);
- 
-          /* Initialize the sort array */
-          for (i = 0; i < num_palette; i++)
-@@ -761,12 +759,11 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
-       size_t num_entries = ((size_t)1 << total_bits);
- 
-       png_ptr->palette_lookup = (png_bytep)png_calloc(png_ptr,
--          (png_alloc_size_t)(num_entries * (sizeof (png_byte))));
-+          (png_alloc_size_t)(num_entries));
- 
--      distance = (png_bytep)png_malloc(png_ptr, (png_alloc_size_t)(num_entries *
--          (sizeof (png_byte))));
-+      distance = (png_bytep)png_malloc(png_ptr, (png_alloc_size_t)num_entries);
- 
--      memset(distance, 0xff, num_entries * (sizeof (png_byte)));
-+      memset(distance, 0xff, num_entries);
- 
-       for (i = 0; i < num_palette; i++)
-       {
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
deleted file mode 100644
index 5a3e50b..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
+++ /dev/null
@@ -1,163 +0,0 @@ 
-From ea094764f3436e3c6524622724c2d342a3eff235 Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Sat, 8 Nov 2025 17:16:59 +0200
-Subject: [PATCH] Fix a memory leak in function `png_set_quantize`; refactor
-
-Release the previously-allocated array `quantize_index` before
-reallocating it. This avoids leaking memory when the function
-`png_set_quantize` is called multiple times on the same `png_struct`.
-
-This function assumed single-call usage, but fuzzing revealed that
-repeated calls would overwrite the pointers without freeing the
-original allocations, leaking 256 bytes per call for `quantize_index`
-and additional memory for `quantize_sort` when histogram-based
-quantization is used.
-
-Also remove the array `quantize_sort` from the list of `png_struct`
-members and make it a local variable. This array is initialized,
-used and released exclusively inside the function `png_set_quantize`.
-
-Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
-Analyzed-by: degrigis <degrigis@users.noreply.github.com>
-Reviewed-by: John Bowler <jbowler@acm.org>
-
-CVE: CVE-2025-64505
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/ea094764f3436e3c6524622724c2d342a3eff235]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- pngrtran.c  | 43 +++++++++++++++++++++++--------------------
- pngstruct.h |  1 -
- 2 files changed, 23 insertions(+), 21 deletions(-)
-
-diff --git a/pngrtran.c b/pngrtran.c
-index 1809db704..4632dd521 100644
---- a/pngrtran.c
-+++ b/pngrtran.c
-@@ -440,6 +440,12 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
-    {
-       int i;
- 
-+      /* Initialize the array to index colors.
-+       *
-+       * Be careful to avoid leaking memory. Applications are allowed to call
-+       * this function more than once per png_struct.
-+       */
-+      png_free(png_ptr, png_ptr->quantize_index);
-       png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
-           (png_alloc_size_t)num_palette);
-       for (i = 0; i < num_palette; i++)
-@@ -454,15 +460,14 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
-           * Perhaps not the best solution, but good enough.
-           */
- 
--         int i;
-+         png_bytep quantize_sort;
-+         int i, j;
- 
--         /* Initialize an array to sort colors */
--         png_ptr->quantize_sort = (png_bytep)png_malloc(png_ptr,
-+         /* Initialize the local array to sort colors. */
-+         quantize_sort = (png_bytep)png_malloc(png_ptr,
-              (png_alloc_size_t)num_palette);
--
--         /* Initialize the quantize_sort array */
-          for (i = 0; i < num_palette; i++)
--            png_ptr->quantize_sort[i] = (png_byte)i;
-+            quantize_sort[i] = (png_byte)i;
- 
-          /* Find the least used palette entries by starting a
-           * bubble sort, and running it until we have sorted
-@@ -474,19 +479,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
-          for (i = num_palette - 1; i >= maximum_colors; i--)
-          {
-             int done; /* To stop early if the list is pre-sorted */
--            int j;
- 
-             done = 1;
-             for (j = 0; j < i; j++)
-             {
--               if (histogram[png_ptr->quantize_sort[j]]
--                   < histogram[png_ptr->quantize_sort[j + 1]])
-+               if (histogram[quantize_sort[j]]
-+                   < histogram[quantize_sort[j + 1]])
-                {
-                   png_byte t;
- 
--                  t = png_ptr->quantize_sort[j];
--                  png_ptr->quantize_sort[j] = png_ptr->quantize_sort[j + 1];
--                  png_ptr->quantize_sort[j + 1] = t;
-+                  t = quantize_sort[j];
-+                  quantize_sort[j] = quantize_sort[j + 1];
-+                  quantize_sort[j + 1] = t;
-                   done = 0;
-                }
-             }
-@@ -498,18 +502,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
-          /* Swap the palette around, and set up a table, if necessary */
-          if (full_quantize != 0)
-          {
--            int j = num_palette;
-+            j = num_palette;
- 
-             /* Put all the useful colors within the max, but don't
-              * move the others.
-              */
-             for (i = 0; i < maximum_colors; i++)
-             {
--               if ((int)png_ptr->quantize_sort[i] >= maximum_colors)
-+               if ((int)quantize_sort[i] >= maximum_colors)
-                {
-                   do
-                      j--;
--                  while ((int)png_ptr->quantize_sort[j] >= maximum_colors);
-+                  while ((int)quantize_sort[j] >= maximum_colors);
- 
-                   palette[i] = palette[j];
-                }
-@@ -517,7 +521,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
-          }
-          else
-          {
--            int j = num_palette;
-+            j = num_palette;
- 
-             /* Move all the used colors inside the max limit, and
-              * develop a translation table.
-@@ -525,13 +529,13 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
-             for (i = 0; i < maximum_colors; i++)
-             {
-                /* Only move the colors we need to */
--               if ((int)png_ptr->quantize_sort[i] >= maximum_colors)
-+               if ((int)quantize_sort[i] >= maximum_colors)
-                {
-                   png_color tmp_color;
- 
-                   do
-                      j--;
--                  while ((int)png_ptr->quantize_sort[j] >= maximum_colors);
-+                  while ((int)quantize_sort[j] >= maximum_colors);
- 
-                   tmp_color = palette[j];
-                   palette[j] = palette[i];
-@@ -569,8 +573,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
-                }
-             }
-          }
--         png_free(png_ptr, png_ptr->quantize_sort);
--         png_ptr->quantize_sort = NULL;
-+         png_free(png_ptr, quantize_sort);
-       }
-       else
-       {
-diff --git a/pngstruct.h b/pngstruct.h
-index 084422bc1..fe5fa0415 100644
---- a/pngstruct.h
-+++ b/pngstruct.h
-@@ -413,7 +413,6 @@ struct png_struct_def
- 
- #ifdef PNG_READ_QUANTIZE_SUPPORTED
- /* The following three members were added at version 1.0.14 and 1.2.4 */
--   png_bytep quantize_sort;          /* working sort array */
-    png_bytep index_to_palette;       /* where the original index currently is
-                                         in the palette */
-    png_bytep palette_to_index;       /* which original index points to this
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
deleted file mode 100644
index ddda867..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
+++ /dev/null
@@ -1,52 +0,0 @@ 
-From 6a528eb5fd0dd7f6de1c39d30de0e41473431c37 Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Sat, 8 Nov 2025 23:58:26 +0200
-Subject: [PATCH] Fix a buffer overflow in `png_do_quantize`
-
-Allocate the quantize_index array to PNG_MAX_PALETTE_LENGTH (256 bytes)
-instead of num_palette bytes. This approach matches the allocation
-pattern for `palette[]`, `trans_alpha[]` and `riffled_palette[]` which
-were similarly oversized in libpng 1.2.1 to prevent buffer overflows
-from malformed PNG files with out-of-range palette indices.
-
-Out-of-range palette indices `index >= num_palette` will now read
-identity-mapped values from the `quantize_index` array (where index N
-maps to palette entry N). This prevents undefined behavior while
-avoiding runtime bounds checking overhead in the performance-critical
-pixel processing loop.
-
-Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
-Analyzed-by: degrigis <degrigis@users.noreply.github.com>
-
-CVE: CVE-2025-64505
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- pngrtran.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/pngrtran.c b/pngrtran.c
-index 4632dd521..9c2475fde 100644
---- a/pngrtran.c
-+++ b/pngrtran.c
-@@ -441,14 +441,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
-       int i;
- 
-       /* Initialize the array to index colors.
-+       *
-+       * Ensure quantize_index can fit 256 elements (PNG_MAX_PALETTE_LENGTH)
-+       * rather than num_palette elements. This is to prevent buffer overflows
-+       * caused by malformed PNG files with out-of-range palette indices.
-        *
-        * Be careful to avoid leaking memory. Applications are allowed to call
-        * this function more than once per png_struct.
-        */
-       png_free(png_ptr, png_ptr->quantize_index);
-       png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
--          (png_alloc_size_t)num_palette);
--      for (i = 0; i < num_palette; i++)
-+          PNG_MAX_PALETTE_LENGTH);
-+      for (i = 0; i < PNG_MAX_PALETTE_LENGTH; i++)
-          png_ptr->quantize_index[i] = (png_byte)i;
-    }
- 
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
deleted file mode 100644
index dc7fe00..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
+++ /dev/null
@@ -1,57 +0,0 @@ 
-From 2bd84c019c300b78e811743fbcddb67c9d9bf821 Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Fri, 7 Nov 2025 22:40:05 +0200
-Subject: [PATCH] Fix a heap buffer overflow in `png_write_image_8bit`
-
-The condition guarding the pre-transform path incorrectly allowed 8-bit
-input data to enter `png_write_image_8bit` which expects 16-bit input.
-This caused out-of-bounds reads when processing 8-bit grayscale+alpha
-images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746),
-with the `convert_to_8bit` flag set (an invalid combination that should
-bypass the pre-transform path).
-
-The second part of the condition, i.e.
-
-    colormap == 0 && convert_to_8bit != 0
-
-failed to verify that input was 16-bit, i.e.
-
-    linear != 0
-
-contradicting the comment "This only applies when the input is 16-bit".
-
-The fix consists in restructuring the condition to ensure both the
-`alpha` path and the `convert_to_8bit` path require linear (16-bit)
-input. The corrected condition, i.e.
-
-    linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)
-
-matches the expectation of the `png_write_image_8bit` function and
-prevents treating 8-bit buffers as 16-bit data.
-
-Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
-Reported-by: weijinjinnihao <weijinjinnihao@users.noreply.github.com>
-Analyzed-by: degrigis <degrigis@users.noreply.github.com>
-Reviewed-by: John Bowler <jbowler@acm.org>
-
-CVE: CVE-2025-64506
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- pngwrite.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/pngwrite.c b/pngwrite.c
-index 35a5d17b6..83148960e 100644
---- a/pngwrite.c
-+++ b/pngwrite.c
-@@ -2142,8 +2142,7 @@ png_image_write_main(png_voidp argument)
-     * before it is written.  This only applies when the input is 16-bit and
-     * either there is an alpha channel or it is converted to 8-bit.
-     */
--   if ((linear != 0 && alpha != 0 ) ||
--       (colormap == 0 && display->convert_to_8bit != 0))
-+   if (linear != 0 && (alpha != 0 || display->convert_to_8bit != 0))
-    {
-       png_bytep row = png_voidcast(png_bytep, png_malloc(png_ptr,
-           png_get_rowbytes(png_ptr, info_ptr)));
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
deleted file mode 100644
index 08df7c3..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
+++ /dev/null
@@ -1,103 +0,0 @@ 
-From 08da33b4c88cfcd36e5a706558a8d7e0e4773643 Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Wed, 12 Nov 2025 13:46:23 +0200
-Subject: [PATCH] Fix a buffer overflow in `png_init_read_transformations`
-
-The palette compositing code in `png_init_read_transformations` was
-incorrectly applying background compositing when PNG_FLAG_OPTIMIZE_ALPHA
-was set. This violated the premultiplied alpha invariant
-`component <= alpha` expected by `png_image_read_composite`, causing
-values that exceeded the valid range for the PNG_sRGB_FROM_LINEAR lookup
-tables.
-
-When PNG_ALPHA_OPTIMIZED is active, palette entries should contain pure
-premultiplied RGB values without background compositing. The background
-compositing must happen later in `png_image_read_composite` where the
-actual background color from the PNG file is available.
-
-The fix consists in introducing conditional behavior based on
-PNG_FLAG_OPTIMIZE_ALPHA: when set, the code performs only
-premultiplication using the formula `component * alpha + 127) / 255`
-with proper gamma correction. When not set, the original background
-compositing calculation based on the `png_composite` macro is preserved.
-
-This prevents buffer overflows in `png_image_read_composite` where
-out-of-range premultiplied values would cause out-of-bounds array access
-in `png_sRGB_base[]` and `png_sRGB_delta[]`.
-
-Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
-Analyzed-by: John Bowler <jbowler@acm.org>
-
-CVE: CVE-2025-64720
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- pngrtran.c | 52 ++++++++++++++++++++++++++++++++++++++++++----------
- 1 file changed, 42 insertions(+), 10 deletions(-)
-
-diff --git a/pngrtran.c b/pngrtran.c
-index 548780030..2f5202255 100644
---- a/pngrtran.c
-+++ b/pngrtran.c
-@@ -1698,19 +1698,51 @@ png_init_read_transformations(png_structrp png_ptr)
-                   }
-                   else /* if (png_ptr->trans_alpha[i] != 0xff) */
-                   {
--                     png_byte v, w;
-+                     if ((png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0)
-+                     {
-+                        /* Premultiply only:
-+                         * component = round((component * alpha) / 255)
-+                         */
-+                        png_uint_32 component;
- 
--                     v = png_ptr->gamma_to_1[palette[i].red];
--                     png_composite(w, v, png_ptr->trans_alpha[i], back_1.red);
--                     palette[i].red = png_ptr->gamma_from_1[w];
-+                        component = png_ptr->gamma_to_1[palette[i].red];
-+                        component =
-+                            (component * png_ptr->trans_alpha[i] + 128) / 255;
-+                        palette[i].red = png_ptr->gamma_from_1[component];
- 
--                     v = png_ptr->gamma_to_1[palette[i].green];
--                     png_composite(w, v, png_ptr->trans_alpha[i], back_1.green);
--                     palette[i].green = png_ptr->gamma_from_1[w];
-+                        component = png_ptr->gamma_to_1[palette[i].green];
-+                        component =
-+                            (component * png_ptr->trans_alpha[i] + 128) / 255;
-+                        palette[i].green = png_ptr->gamma_from_1[component];
- 
--                     v = png_ptr->gamma_to_1[palette[i].blue];
--                     png_composite(w, v, png_ptr->trans_alpha[i], back_1.blue);
--                     palette[i].blue = png_ptr->gamma_from_1[w];
-+                        component = png_ptr->gamma_to_1[palette[i].blue];
-+                        component =
-+                            (component * png_ptr->trans_alpha[i] + 128) / 255;
-+                        palette[i].blue = png_ptr->gamma_from_1[component];
-+                     }
-+                     else
-+                     {
-+                        /* Composite with background color:
-+                         * component =
-+                         *    alpha * component + (1 - alpha) * background
-+                         */
-+                        png_byte v, w;
-+
-+                        v = png_ptr->gamma_to_1[palette[i].red];
-+                        png_composite(w, v,
-+                            png_ptr->trans_alpha[i], back_1.red);
-+                        palette[i].red = png_ptr->gamma_from_1[w];
-+
-+                        v = png_ptr->gamma_to_1[palette[i].green];
-+                        png_composite(w, v,
-+                            png_ptr->trans_alpha[i], back_1.green);
-+                        palette[i].green = png_ptr->gamma_from_1[w];
-+
-+                        v = png_ptr->gamma_to_1[palette[i].blue];
-+                        png_composite(w, v,
-+                            png_ptr->trans_alpha[i], back_1.blue);
-+                        palette[i].blue = png_ptr->gamma_from_1[w];
-+                     }
-                   }
-                }
-                else
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
deleted file mode 100644
index cdee6c7..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
+++ /dev/null
@@ -1,60 +0,0 @@ 
-From 16b5e3823918840aae65c0a6da57c78a5a496a4d Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Mon, 17 Nov 2025 20:38:47 +0200
-Subject: [PATCH] Fix a buffer overflow in `png_image_finish_read`
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reject bit-depth mismatches between IHDR and the requested output
-format. When a 16-bit PNG is processed with an 8-bit output format
-request, `png_combine_row` writes using the IHDR depth before
-transformation, causing writes beyond the buffer allocated via
-`PNG_IMAGE_SIZE(image)`.
-
-The validation establishes a safe API contract where
-`PNG_IMAGE_SIZE(image)` is guaranteed to be sufficient across the
-transformation pipeline.
-
-Example overflow (32×32 pixels, 16-bit RGB to 8-bit RGBA):
-- Input format: 16 bits/channel × 3 channels = 6144 bytes
-- Output buffer: 8 bits/channel × 4 channels = 4096 bytes
-- Overflow: 6144 bytes - 4096 bytes = 2048 bytes
-
-Larger images produce proportionally larger overflows. For example,
-for 256×256 pixels, the overflow is 131072 bytes.
-
-Reported-by: yosiimich <yosiimich@users.noreply.github.com>
-
-CVE: CVE-2025-65018
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- pngread.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/pngread.c b/pngread.c
-index 212afb7d2..92571ec33 100644
---- a/pngread.c
-+++ b/pngread.c
-@@ -4166,6 +4166,20 @@ png_image_finish_read(png_imagep image, png_const_colorp background,
-                   int result;
-                   png_image_read_control display;
- 
-+                  /* Reject bit depth mismatches to avoid buffer overflows. */
-+                  png_uint_32 ihdr_bit_depth =
-+                      image->opaque->png_ptr->bit_depth;
-+                  int requested_linear =
-+                      (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
-+                  if (ihdr_bit_depth == 16 && !requested_linear)
-+                     return png_image_error(image,
-+                         "png_image_finish_read: "
-+                         "16-bit PNG must use 16-bit output format");
-+                  if (ihdr_bit_depth < 16 && requested_linear)
-+                     return png_image_error(image,
-+                         "png_image_finish_read: "
-+                         "8-bit PNG must not use 16-bit output format");
-+
-                   memset(&display, 0, (sizeof display));
-                   display.image = image;
-                   display.buffer = buffer;
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
deleted file mode 100644
index 891cd20..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
+++ /dev/null
@@ -1,163 +0,0 @@ 
-From 218612ddd6b17944e21eda56caf8b4bf7779d1ea Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Wed, 19 Nov 2025 21:45:13 +0200
-Subject: [PATCH] Rearchitect the fix to the buffer overflow in
- `png_image_finish_read`
-
-Undo the fix from commit 16b5e3823918840aae65c0a6da57c78a5a496a4d.
-That fix turned out to be unnecessarily limiting. It rejected all
-16-to-8 bit transformations, although the vulnerability only affects
-interlaced PNGs where `png_combine_row` writes using IHDR bit-depth
-before the transformation completes.
-
-The proper solution is to add an intermediate `local_row` buffer,
-specifically for the slow but necessary step of 16-to-8 bit conversion
-of interlaced images. (The processing of non-interlaced images remains
-intact, using the fast path.) We added the flag `do_local_scale` and
-the function `png_image_read_direct_scaled`, following the pattern that
-involves `do_local_compose`.
-
-In conclusion:
-- The 16-to-8 bit transformations of interlaced images are now safe,
-  as they use an intermediate buffer.
-- The 16-to-8 bit transformations of non-interlaced images remain safe,
-  as the fast path remains unchanged.
-- All our regression tests are now passing.
-
-CVE: CVE-2025-65018
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- pngread.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++---------
- 1 file changed, 75 insertions(+), 14 deletions(-)
-
-diff --git a/pngread.c b/pngread.c
-index 92571ec33..79917daaa 100644
---- a/pngread.c
-+++ b/pngread.c
-@@ -3262,6 +3262,54 @@ png_image_read_colormapped(png_voidp argument)
-    }
- }
- 
-+/* Row reading for interlaced 16-to-8 bit depth conversion with local buffer. */
-+static int
-+png_image_read_direct_scaled(png_voidp argument)
-+{
-+   png_image_read_control *display = png_voidcast(png_image_read_control*,
-+       argument);
-+   png_imagep image = display->image;
-+   png_structrp png_ptr = image->opaque->png_ptr;
-+   png_bytep local_row = png_voidcast(png_bytep, display->local_row);
-+   png_bytep first_row = png_voidcast(png_bytep, display->first_row);
-+   ptrdiff_t row_bytes = display->row_bytes;
-+   int passes;
-+
-+   /* Handle interlacing. */
-+   switch (png_ptr->interlaced)
-+   {
-+      case PNG_INTERLACE_NONE:
-+         passes = 1;
-+         break;
-+
-+      case PNG_INTERLACE_ADAM7:
-+         passes = PNG_INTERLACE_ADAM7_PASSES;
-+         break;
-+
-+      default:
-+         png_error(png_ptr, "unknown interlace type");
-+   }
-+
-+   /* Read each pass using local_row as intermediate buffer. */
-+   while (--passes >= 0)
-+   {
-+      png_uint_32 y = image->height;
-+      png_bytep output_row = first_row;
-+
-+      for (; y > 0; --y)
-+      {
-+         /* Read into local_row (gets transformed 8-bit data). */
-+         png_read_row(png_ptr, local_row, NULL);
-+
-+         /* Copy from local_row to user buffer. */
-+         memcpy(output_row, local_row, (size_t)row_bytes);
-+         output_row += row_bytes;
-+      }
-+   }
-+
-+   return 1;
-+}
-+
- /* Just the row reading part of png_image_read. */
- static int
- png_image_read_composite(png_voidp argument)
-@@ -3680,6 +3728,7 @@ png_image_read_direct(png_voidp argument)
-    int linear = (format & PNG_FORMAT_FLAG_LINEAR) != 0;
-    int do_local_compose = 0;
-    int do_local_background = 0; /* to avoid double gamma correction bug */
-+   int do_local_scale = 0; /* for interlaced 16-to-8 bit conversion */
-    int passes = 0;
- 
-    /* Add transforms to ensure the correct output format is produced then check
-@@ -3806,8 +3855,16 @@ png_image_read_direct(png_voidp argument)
-             png_set_expand_16(png_ptr);
- 
-          else /* 8-bit output */
-+         {
-             png_set_scale_16(png_ptr);
- 
-+            /* For interlaced images, use local_row buffer to avoid overflow
-+             * in png_combine_row() which writes using IHDR bit-depth.
-+             */
-+            if (png_ptr->interlaced != 0)
-+               do_local_scale = 1;
-+         }
-+
-          change &= ~PNG_FORMAT_FLAG_LINEAR;
-       }
- 
-@@ -4083,6 +4140,24 @@ png_image_read_direct(png_voidp argument)
-       return result;
-    }
- 
-+   else if (do_local_scale != 0)
-+   {
-+      /* For interlaced 16-to-8 conversion, use an intermediate row buffer
-+       * to avoid buffer overflows in png_combine_row. The local_row is sized
-+       * for the transformed (8-bit) output, preventing the overflow that would
-+       * occur if png_combine_row wrote 16-bit data directly to the user buffer.
-+       */
-+      int result;
-+      png_voidp row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr));
-+
-+      display->local_row = row;
-+      result = png_safe_execute(image, png_image_read_direct_scaled, display);
-+      display->local_row = NULL;
-+      png_free(png_ptr, row);
-+
-+      return result;
-+   }
-+
-    else
-    {
-       png_alloc_size_t row_bytes = (png_alloc_size_t)display->row_bytes;
-@@ -4166,20 +4241,6 @@ png_image_finish_read(png_imagep image, png_const_colorp background,
-                   int result;
-                   png_image_read_control display;
- 
--                  /* Reject bit depth mismatches to avoid buffer overflows. */
--                  png_uint_32 ihdr_bit_depth =
--                      image->opaque->png_ptr->bit_depth;
--                  int requested_linear =
--                      (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
--                  if (ihdr_bit_depth == 16 && !requested_linear)
--                     return png_image_error(image,
--                         "png_image_finish_read: "
--                         "16-bit PNG must use 16-bit output format");
--                  if (ihdr_bit_depth < 16 && requested_linear)
--                     return png_image_error(image,
--                         "png_image_finish_read: "
--                         "8-bit PNG must not use 16-bit output format");
--
-                   memset(&display, 0, (sizeof display));
-                   display.image = image;
-                   display.buffer = buffer;
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
deleted file mode 100644
index 0b958b9..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
+++ /dev/null
@@ -1,60 +0,0 @@ 
-From 788a624d7387a758ffd5c7ab010f1870dea753a1 Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Sat, 29 Nov 2025 00:39:16 +0200
-Subject: [PATCH] Fix an out-of-bounds read in `png_image_read_composite`
-
-Add a defensive bounds check before calling PNG_sRGB_FROM_LINEAR to
-prevent reading up to 506 entries (1012 bytes) past `png_sRGB_base[]`.
-
-For palette images with gamma, `png_init_read_transformations`
-clears PNG_COMPOSE after compositing on the palette, but it leaves
-PNG_FLAG_OPTIMIZE_ALPHA set. The simplified API then calls
-`png_image_read_composite` with sRGB data (not linear premultiplied),
-causing the index to reach 1017. (The maximum valid index is 511.)
-
-NOTE:
-This is a defensive fix that addresses the security issue (out-of-bounds
-read) but *NOT* the correctness issue (wrong output). When the clamp
-triggers, the affected pixels are clamped to white instead of the
-correct composited color. Valid PNG images may render incorrectly with
-the simplified API.
-
-TODO:
-We already know the root cause is a flag synchronization error.
-For palette images with gamma, `png_init_read_transformations`
-clears PNG_COMPOSE but leaves PNG_FLAG_OPTIMIZE_ALPHA set, causing
-`png_image_read_composite` to misinterpret sRGB data as linear
-premultiplied. However, we have yet to implement an architectural fix
-that requires coordinating the simplified API with the transformation
-pipeline.
-
-Reported-by: flyfish101 <flyfish101@users.noreply.github.com>
-
-CVE: CVE-2025-66293
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- pngread.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/pngread.c b/pngread.c
-index 79917daaa..ab62edd9d 100644
---- a/pngread.c
-+++ b/pngread.c
-@@ -3406,9 +3406,14 @@ png_image_read_composite(png_voidp argument)
-                         component += (255-alpha)*png_sRGB_table[outrow[c]];
- 
-                         /* So 'component' is scaled by 255*65535 and is
--                         * therefore appropriate for the sRGB to linear
--                         * conversion table.
-+                         * therefore appropriate for the sRGB-to-linear
-+                         * conversion table.  Clamp to the valid range
-+                         * as a defensive measure against an internal
-+                         * libpng bug where the data is sRGB rather than
-+                         * linear premultiplied.
-                          */
-+                        if (component > 255*65535)
-+                           component = 255*65535;
-                         component = PNG_sRGB_FROM_LINEAR(component);
-                      }
- 
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
deleted file mode 100644
index ba563e1..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
+++ /dev/null
@@ -1,125 +0,0 @@ 
-From a05a48b756de63e3234ea6b3b938b8f5f862484a Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Mon, 1 Dec 2025 22:31:54 +0200
-Subject: [PATCH] Finalize the fix for out-of-bounds read in
- `png_image_read_composite`
-
-Following up on commit 788a624d7387a758ffd5c7ab010f1870dea753a1.
-
-The previous commit added a defensive bounds check to address the
-security issue (out-of-bounds read), but noted that the correctness
-issue remained: when the clamp triggered, the affected pixels were
-clamped to white instead of the correct composited color.
-
-This commit addresses the correctness issue by fixing the flag
-synchronization error identified in the previous commit's TODO:
-
-1. In `png_init_read_transformations`:
-   Clear PNG_FLAG_OPTIMIZE_ALPHA when clearing PNG_COMPOSE for palette
-   images. This correctly signals that the data is sRGB, not linear
-   premultiplied.
-
-2. In `png_image_read_composite`:
-   Check PNG_FLAG_OPTIMIZE_ALPHA and use the appropriate composition
-   formula. When set, use the existing linear composition. When cleared
-   (palette composition already done), use sRGB composition to match
-   what was done to the palette.
-
-Retain the previous clamp to the valid range as belt-and-suspenders
-protection against any other unforeseen cases.
-
-CVE: CVE-2025-66293
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- pngread.c  | 56 ++++++++++++++++++++++++++++++++++++------------------
- pngrtran.c |  1 +
- 2 files changed, 39 insertions(+), 18 deletions(-)
-
-diff --git a/pngread.c b/pngread.c
-index ab62edd9d..f8ca2b7e3 100644
---- a/pngread.c
-+++ b/pngread.c
-@@ -3340,6 +3340,7 @@ png_image_read_composite(png_voidp argument)
-       ptrdiff_t    step_row = display->row_bytes;
-       unsigned int channels =
-           (image->format & PNG_FORMAT_FLAG_COLOR) != 0 ? 3 : 1;
-+      int optimize_alpha = (png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0;
-       int pass;
- 
-       for (pass = 0; pass < passes; ++pass)
-@@ -3396,25 +3397,44 @@ png_image_read_composite(png_voidp argument)
- 
-                      if (alpha < 255) /* else just use component */
-                      {
--                        /* This is PNG_OPTIMIZED_ALPHA, the component value
--                         * is a linear 8-bit value.  Combine this with the
--                         * current outrow[c] value which is sRGB encoded.
--                         * Arithmetic here is 16-bits to preserve the output
--                         * values correctly.
--                         */
--                        component *= 257*255; /* =65535 */
--                        component += (255-alpha)*png_sRGB_table[outrow[c]];
-+                        if (optimize_alpha != 0)
-+                        {
-+                           /* This is PNG_OPTIMIZED_ALPHA, the component value
-+                            * is a linear 8-bit value.  Combine this with the
-+                            * current outrow[c] value which is sRGB encoded.
-+                            * Arithmetic here is 16-bits to preserve the output
-+                            * values correctly.
-+                            */
-+                           component *= 257*255; /* =65535 */
-+                           component += (255-alpha)*png_sRGB_table[outrow[c]];
- 
--                        /* So 'component' is scaled by 255*65535 and is
--                         * therefore appropriate for the sRGB-to-linear
--                         * conversion table.  Clamp to the valid range
--                         * as a defensive measure against an internal
--                         * libpng bug where the data is sRGB rather than
--                         * linear premultiplied.
--                         */
--                        if (component > 255*65535)
--                           component = 255*65535;
--                        component = PNG_sRGB_FROM_LINEAR(component);
-+                           /* Clamp to the valid range to defend against
-+                            * unforeseen cases where the data might be sRGB
-+                            * instead of linear premultiplied.
-+                            * (Belt-and-suspenders for GitHub Issue #764.)
-+                            */
-+                           if (component > 255*65535)
-+                              component = 255*65535;
-+
-+                           /* So 'component' is scaled by 255*65535 and is
-+                            * therefore appropriate for the sRGB-to-linear
-+                            * conversion table.
-+                            */
-+                           component = PNG_sRGB_FROM_LINEAR(component);
-+                        }
-+                        else
-+                        {
-+                           /* Compositing was already done on the palette
-+                            * entries.  The data is sRGB premultiplied on black.
-+                            * Composite with the background in sRGB space.
-+                            * This is not gamma-correct, but matches what was
-+                            * done to the palette.
-+                            */
-+                           png_uint_32 background = outrow[c];
-+                           component += ((255-alpha) * background + 127) / 255;
-+                           if (component > 255)
-+                              component = 255;
-+                        }
-                      }
- 
-                      outrow[c] = (png_byte)component;
-diff --git a/pngrtran.c b/pngrtran.c
-index 2f5202255..507d11381 100644
---- a/pngrtran.c
-+++ b/pngrtran.c
-@@ -1760,6 +1760,7 @@ png_init_read_transformations(png_structrp png_ptr)
-              * transformations elsewhere.
-              */
-             png_ptr->transformations &= ~(PNG_COMPOSE | PNG_GAMMA);
-+            png_ptr->flags &= ~PNG_FLAG_OPTIMIZE_ALPHA;
-          } /* color_type == PNG_COLOR_TYPE_PALETTE */
- 
-          /* if (png_ptr->background_gamma_type!=PNG_BACKGROUND_GAMMA_UNKNOWN) */
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch
deleted file mode 100644
index 6456b6c..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch
+++ /dev/null
@@ -1,77 +0,0 @@ 
-From e4f7ad4ea2a471776c81dda4846b7691925d9786 Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Fri, 9 Jan 2026 20:51:53 +0200
-Subject: [PATCH] Fix a heap buffer over-read in `png_image_read_direct_scaled`
-
-Fix a regression from commit 218612ddd6b17944e21eda56caf8b4bf7779d1ea.
-
-The function `png_image_read_direct_scaled`, introduced by the fix for
-CVE-2025-65018, copies transformed row data from an intermediate buffer
-(`local_row`) to the user's output buffer. The copy incorrectly used
-`row_bytes` (the caller's stride) as the size parameter to memcpy, even
-though `local_row` is only `png_get_rowbytes()` bytes long.
-
-This causes a heap buffer over-read when:
-
-1. The caller provides a padded stride (e.g., for memory alignment):
-   memcpy reads past the end of `local_row` by `stride - row_width`
-   bytes.
-
-2. The caller provides a negative stride (for bottom-up layouts):
-   casting ptrdiff_t to size_t produces ~2^64, causing memcpy to
-   attempt reading exabytes, resulting in an immediate crash.
-
-The fix consists in using the size of the row buffer for the copy and
-using the stride for pointer advancement only.
-
-Reported-by: Petr Simecek <simecek@users.noreply.github.com>
-Analyzed-by: Stanislav Fort
-Analyzed-by: Pavel Kohout
-Co-authored-by: Petr Simecek <simecek@users.noreply.github.com>
-Signed-off-by: Cosmin Truta <ctruta@gmail.com>
-
-CVE: CVE-2026-22695
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/e4f7ad4ea2a471776c81dda4846b7691925d9786]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- AUTHORS   | 1 +
- pngread.c | 4 +++-
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/AUTHORS b/AUTHORS
-index 26b7bb50f..b9c0fffcf 100644
---- a/AUTHORS
-+++ b/AUTHORS
-@@ -23,6 +23,7 @@ Authors, for copyright and licensing purposes.
-  * Mike Klein
-  * Pascal Massimino
-  * Paul Schmidt
-+ * Petr Simecek
-  * Philippe Antoine
-  * Qiang Zhou
-  * Sam Bushell
-diff --git a/pngread.c b/pngread.c
-index e3426292b..9d86b01dc 100644
---- a/pngread.c
-+++ b/pngread.c
-@@ -3270,9 +3270,11 @@ png_image_read_direct_scaled(png_voidp argument)
-        argument);
-    png_imagep image = display->image;
-    png_structrp png_ptr = image->opaque->png_ptr;
-+   png_inforp info_ptr = image->opaque->info_ptr;
-    png_bytep local_row = png_voidcast(png_bytep, display->local_row);
-    png_bytep first_row = png_voidcast(png_bytep, display->first_row);
-    ptrdiff_t row_bytes = display->row_bytes;
-+   size_t copy_bytes = png_get_rowbytes(png_ptr, info_ptr);
-    int passes;
- 
-    /* Handle interlacing. */
-@@ -3302,7 +3304,7 @@ png_image_read_direct_scaled(png_voidp argument)
-          png_read_row(png_ptr, local_row, NULL);
- 
-          /* Copy from local_row to user buffer. */
--         memcpy(output_row, local_row, (size_t)row_bytes);
-+         memcpy(output_row, local_row, copy_bytes);
-          output_row += row_bytes;
-       }
-    }
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch
deleted file mode 100644
index 8a611ac..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch
+++ /dev/null
@@ -1,173 +0,0 @@ 
-From cf155de014fc6c5cb199dd681dd5c8fb70429072 Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Sat, 10 Jan 2026 15:20:18 +0200
-Subject: [PATCH] fix: Remove incorrect truncation casts from
- `png_write_image_*`
-
-The type of the row stride (`display->row_bytes`) is ptrdiff_t. Casting
-to png_uint_16 before division will truncate large strides, causing
-incorrect pointer arithmetic for images exceeding 65535 bytes per row.
-For bottom-up images (negative stride), the truncation also corrupts
-the sign, advancing the row pointer forward instead of backward.
-
-Remove the erroneous casts and let the compiler handle the pointer
-arithmetic correctly. Also replace `sizeof (png_uint_16)` with 2.
-
-Add regression test via `pngstest --stride-extra N` where N > 32767
-triggers the affected code paths.
-
-A NOTE ABOUT HISTORY:
-The original code in libpng 1.5.6 (2011) had no such casts. They were
-introduced in libpng 1.6.26 (2016), likely to silence compiler warnings
-on 16-bit systems where the cast would be a no-op. On 32/64-bit systems
-the cast truncates the strides above 65535 and corrupts the negative
-strides.
-
-CVE: CVE-2026-22801
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- CMakeLists.txt              |  9 ++++++++-
- contrib/libtests/pngstest.c | 29 ++++++++++++++++++++++++++++-
- pngwrite.c                  | 10 +++++-----
- tests/pngstest-large-stride |  8 ++++++++
- 4 files changed, 49 insertions(+), 7 deletions(-)
- create mode 100755 tests/pngstest-large-stride
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index a8cd82402..a595ed91d 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -1,7 +1,7 @@
- 
- # CMakeLists.txt - CMake lists for libpng
- #
--# Copyright (c) 2018-2024 Cosmin Truta.
-+# Copyright (c) 2018-2026 Cosmin Truta
- # Copyright (c) 2007-2018 Glenn Randers-Pehrson.
- # Originally written by Christian Ehrlicher, 2007.
- #
-@@ -859,6 +859,13 @@ if(PNG_TESTS AND PNG_SHARED)
-     endforeach()
-   endforeach()
- 
-+  # Regression test:
-+  # Use stride_extra > 32767 to trigger row_bytes > 65535 for linear images.
-+  png_add_test(NAME pngstest-large-stride
-+               COMMAND pngstest
-+               OPTIONS --stride-extra 33000 --tmpfile "large-stride-" --log
-+               FILES "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-16-linear.png")
-+
-   add_executable(pngunknown ${pngunknown_sources})
-   target_link_libraries(pngunknown PRIVATE png_shared)
- 
-diff --git a/contrib/libtests/pngstest.c b/contrib/libtests/pngstest.c
-index ff4c2b24a..2f29afee2 100644
---- a/contrib/libtests/pngstest.c
-+++ b/contrib/libtests/pngstest.c
-@@ -1,7 +1,7 @@
- 
- /* pngstest.c
-  *
-- * Copyright (c) 2021 Cosmin Truta
-+ * Copyright (c) 2021-2026 Cosmin Truta
-  * Copyright (c) 2013-2017 John Cunningham Bowler
-  *
-  * This code is released under the libpng license.
-@@ -3571,6 +3571,33 @@ main(int argc, char **argv)
-          opts |= NO_RESEED;
-       else if (strcmp(arg, "--fault-gbg-warning") == 0)
-          opts |= GBG_ERROR;
-+      else if (strcmp(arg, "--stride-extra") == 0)
-+      {
-+         if (c+1 < argc)
-+         {
-+            char *ep;
-+            unsigned long val = strtoul(argv[++c], &ep, 0);
-+
-+            if (ep > argv[c] && *ep == 0 && val <= 65535)
-+               stride_extra = (int)val;
-+
-+            else
-+            {
-+               fflush(stdout);
-+               fprintf(stderr, "%s: bad argument for --stride-extra: %s\n",
-+                  argv[0], argv[c]);
-+               exit(99);
-+            }
-+         }
-+
-+         else
-+         {
-+            fflush(stdout);
-+            fprintf(stderr, "%s: missing argument for --stride-extra\n",
-+               argv[0]);
-+            exit(99);
-+         }
-+      }
-       else if (strcmp(arg, "--tmpfile") == 0)
-       {
-          if (c+1 < argc)
-diff --git a/pngwrite.c b/pngwrite.c
-index 08066bcc4..a95b846c8 100644
---- a/pngwrite.c
-+++ b/pngwrite.c
-@@ -1,7 +1,7 @@
- 
- /* pngwrite.c - general routines to write a PNG file
-  *
-- * Copyright (c) 2018-2024 Cosmin Truta
-+ * Copyright (c) 2018-2026 Cosmin Truta
-  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
-  * Copyright (c) 1996-1997 Andreas Dilger
-  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
-@@ -1645,7 +1645,7 @@ png_write_image_16bit(png_voidp argument)
-       }
- 
-       png_write_row(png_ptr, png_voidcast(png_const_bytep, display->local_row));
--      input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
-+      input_row += display->row_bytes / 2;
-    }
- 
-    return 1;
-@@ -1771,7 +1771,7 @@ png_write_image_8bit(png_voidp argument)
- 
-          png_write_row(png_ptr, png_voidcast(png_const_bytep,
-              display->local_row));
--         input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
-+         input_row += display->row_bytes / 2;
-       } /* while y */
-    }
- 
-@@ -1796,7 +1796,7 @@ png_write_image_8bit(png_voidp argument)
-          }
- 
-          png_write_row(png_ptr, output_row);
--         input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
-+         input_row += display->row_bytes / 2;
-       }
-    }
- 
-@@ -2115,7 +2115,7 @@ png_image_write_main(png_voidp argument)
-       ptrdiff_t row_bytes = display->row_stride;
- 
-       if (linear != 0)
--         row_bytes *= (sizeof (png_uint_16));
-+         row_bytes *= 2;
- 
-       if (row_bytes < 0)
-          row += (image->height-1) * (-row_bytes);
-diff --git a/tests/pngstest-large-stride b/tests/pngstest-large-stride
-new file mode 100755
-index 000000000..7958c5b42
---- /dev/null
-+++ b/tests/pngstest-large-stride
-@@ -0,0 +1,8 @@
-+#!/bin/sh
-+
-+# Regression test:
-+# Use stride_extra > 32767 to trigger row_bytes > 65535 for linear images.
-+exec ./pngstest \
-+     --stride-extra 33000 \
-+     --tmpfile "large-stride-" \
-+     --log "${srcdir}/contrib/testpngs/rgb-alpha-16-linear.png"
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
deleted file mode 100644
index 5fbf5eb..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
+++ /dev/null
@@ -1,61 +0,0 @@ 
-From 01d03b8453eb30ade759cd45c707e5a1c7277d88 Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Fri, 6 Feb 2026 19:11:54 +0200
-Subject: [PATCH] Fix a heap buffer overflow in `png_set_quantize`
-
-The color distance hash table stored the current palette indices, but
-the color-pruning loop assumed the original indices. When colors were
-eliminated and indices changed, the stored indices became stale. This
-caused the loop bound `max_d` to grow past the 769-element hash array.
-
-The fix consists in storing the original indices via `palette_to_index`
-to match the pruning loop's expectations.
-
-Reported-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
-Co-authored-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
-Signed-off-by: Cosmin Truta <ctruta@gmail.com>
-
-CVE: CVE-2026-25646
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- AUTHORS    | 1 +
- pngrtran.c | 6 +++---
- 2 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/AUTHORS b/AUTHORS
-index b9c0fffcf..4094f4a57 100644
---- a/AUTHORS
-+++ b/AUTHORS
-@@ -15,6 +15,7 @@ Authors, for copyright and licensing purposes.
-  * Guy Eric Schalnat
-  * James Yu
-  * John Bowler
-+ * Joshua Inscoe
-  * Kevin Bracey
-  * Magnus Holmgren
-  * Mandar Sahastrabuddhe
-diff --git a/pngrtran.c b/pngrtran.c
-index fe8f9d32c..1fce9af12 100644
---- a/pngrtran.c
-+++ b/pngrtran.c
-@@ -1,7 +1,7 @@
- 
- /* pngrtran.c - transforms the data in a row for PNG readers
-  *
-- * Copyright (c) 2018-2024 Cosmin Truta
-+ * Copyright (c) 2018-2026 Cosmin Truta
-  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
-  * Copyright (c) 1996-1997 Andreas Dilger
-  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
-@@ -647,8 +647,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
-                          break;
- 
-                      t->next = hash[d];
--                     t->left = (png_byte)i;
--                     t->right = (png_byte)j;
-+                     t->left = png_ptr->palette_to_index[i];
-+                     t->right = png_ptr->palette_to_index[j];
-                      hash[d] = t;
-                   }
-                }
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch
deleted file mode 100644
index a60a8d6..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch
+++ /dev/null
@@ -1,143 +0,0 @@ 
-From 23019269764e35ed8458e517f1897bd3c54820eb Mon Sep 17 00:00:00 2001
-From: Oblivionsage <cookieandcream560@gmail.com>
-Date: Sun, 15 Mar 2026 10:35:29 +0100
-Subject: [PATCH] fix: Resolve use-after-free on `png_ptr->trans_alpha`
-
-The function `png_set_tRNS` sets `png_ptr->trans_alpha` to point at
-`info_ptr->trans_alpha` directly, so both structs share the same heap
-buffer. If the application calls `png_free_data(PNG_FREE_TRNS)`, or if
-`png_set_tRNS` is called a second time, the buffer is freed through
-`info_ptr` while `png_ptr` still holds a dangling reference. Any
-subsequent row read that hits the function `png_do_expand_palette` will
-dereference freed memory.
-
-The fix gives `png_struct` its own allocation instead of aliasing the
-`info_ptr` pointer. This was already flagged with a TODO in
-`png_handle_tRNS` ("horrible side effect ... Fix this.") but it was
-never addressed.
-
-Verified with AddressSanitizer. All 34 existing tests pass without
-regressions.
-
-CVE: CVE-2026-33416
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb]
-Comment: Refreshed hunk to match latest scarthgap
-
-Reviewed-by: Cosmin Truta <ctruta@gmail.com>
-Signed-off-by: Cosmin Truta <ctruta@gmail.com>
-Signed-off-by: Sourav Kumar Pramanik <Souravkumar.Pramanik@bmwtechworks.in>
-Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
----
- pngread.c  | 11 +++++------
- pngrutil.c |  4 ----
- pngset.c   | 31 +++++++++++++++++++------------
- pngwrite.c |  6 ++++++
- 4 files changed, 30 insertions(+), 22 deletions(-)
-
-diff --git a/pngread.c b/pngread.c
-index 01b731d8eb..0086edf6cf 100644
---- a/pngread.c
-+++ b/pngread.c
-@@ -968,12 +968,11 @@ png_read_destroy(png_structrp png_ptr)
- 
- #if defined(PNG_tRNS_SUPPORTED) || \
-     defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED)
--   if ((png_ptr->free_me & PNG_FREE_TRNS) != 0)
--   {
--      png_free(png_ptr, png_ptr->trans_alpha);
--      png_ptr->trans_alpha = NULL;
--   }
--   png_ptr->free_me &= ~PNG_FREE_TRNS;
-+   /* png_ptr->trans_alpha is always independently allocated (not aliased
-+    * with info_ptr->trans_alpha), so free it unconditionally.
-+    */
-+   png_free(png_ptr, png_ptr->trans_alpha);
-+   png_ptr->trans_alpha = NULL;
- #endif
- 
-    inflateEnd(&png_ptr->zstream);
-diff --git a/pngrutil.c b/pngrutil.c
-index 366379b991..a19507bf1b 100644
---- a/pngrutil.c
-+++ b/pngrutil.c
-@@ -1905,10 +1905,6 @@ png_handle_tRNS(png_structrp png_ptr, pn
-       return;
-    }
- 
--   /* TODO: this is a horrible side effect in the palette case because the
--    * png_struct ends up with a pointer to the tRNS buffer owned by the
--    * png_info.  Fix this.
--    */
-    png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
-        &(png_ptr->trans_color));
- }
-diff --git a/pngset.c b/pngset.c
-index 4b78b8960c..47883684e4 100644
---- a/pngset.c
-+++ b/pngset.c
-@@ -990,28 +990,36 @@ png_set_tRNS(png_structrp png_ptr, png_i
- 
-    if (trans_alpha != NULL)
-    {
--       /* It may not actually be necessary to set png_ptr->trans_alpha here;
--        * we do it for backward compatibility with the way the png_handle_tRNS
--        * function used to do the allocation.
--        *
--        * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively
--        * relies on png_set_tRNS storing the information in png_struct
--        * (otherwise it won't be there for the code in pngrtran.c).
--        */
--
-        png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
- 
-        if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
-        {
--         /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */
-+          /* Allocate info_ptr's copy of the transparency data. */
-           info_ptr->trans_alpha = png_voidcast(png_bytep,
-               png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
-           memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
--
-           info_ptr->free_me |= PNG_FREE_TRNS;
-           info_ptr->valid |= PNG_INFO_tRNS;
-+
-+
-+          /* Allocate an independent copy for png_struct, so that the
-+           * lifetime of png_ptr->trans_alpha is decoupled from the
-+           * lifetime of info_ptr->trans_alpha.  Previously these two
-+           * pointers were aliased, which caused a use-after-free if
-+           * png_free_data freed info_ptr->trans_alpha while
-+           * png_ptr->trans_alpha was still in use by the row transform
-+           * functions (e.g. png_do_expand_palette).
-+           */
-+          png_free(png_ptr, png_ptr->trans_alpha);
-+          png_ptr->trans_alpha = png_voidcast(png_bytep,
-+              png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
-+          memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
-+       }
-+       else
-+       {
-+          png_free(png_ptr, png_ptr->trans_alpha);
-+          png_ptr->trans_alpha = NULL;
-        }
--       png_ptr->trans_alpha = info_ptr->trans_alpha;
-    }
- 
-    if (trans_color != NULL)
-diff --git a/pngwrite.c b/pngwrite.c
-index 5fc77d91f7..84af1e73fb 100644
---- a/pngwrite.c
-+++ b/pngwrite.c
-@@ -977,6 +977,12 @@ png_write_destroy(png_structrp png_ptr)
-    png_ptr->chunk_list = NULL;
- #endif
- 
-+#if defined(PNG_tRNS_SUPPORTED)
-+   /* Free the independent copy of trans_alpha owned by png_struct. */
-+   png_free(png_ptr, png_ptr->trans_alpha);
-+   png_ptr->trans_alpha = NULL;
-+#endif
-+
-    /* The error handling and memory handling information is left intact at this
-     * point: the jmp_buf may still have to be freed.  See png_destroy_png_struct
-     * for how this happens.
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch
deleted file mode 100644
index e746293..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch
+++ /dev/null
@@ -1,53 +0,0 @@ 
-From a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25 Mon Sep 17 00:00:00 2001
-From: Oblivionsage <cookieandcream560@gmail.com>
-Date: Tue, 17 Mar 2026 08:55:18 +0100
-Subject: [PATCH] fix: Initialize tail bytes in `trans_alpha` buffers
-
-Although the arrays `info_ptr->trans_alpha` and `png_ptr->trans_alpha`
-are allocated 256 bytes, only `num_trans` bytes are copied.
-The remaining entries were left uninitialized. Set them to 0xff (fully
-opaque) before copying, which matches the conventional treatment of
-entries beyond `num_trans`.
-
-This is a follow-up to the previous use-after-free fix.
-
-CVE: CVE-2026-33416
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25]
-Comment: Refreshed hunk to match latest scarthgap
-
-Reported-by: Cosmin Truta <ctruta@gmail.com>
-Reviewed-by: Cosmin Truta <ctruta@gmail.com>
-Signed-off-by: Cosmin Truta <ctruta@gmail.com>
-Signed-off-by: Sourav Kumar Pramanik <Souravkumar.Pramanik@bmwtechworks.in>
-Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
----
- pngset.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/pngset.c b/pngset.c
-index 47883684e4..dccc6498d7 100644
---- a/pngset.c
-+++ b/pngset.c
-@@ -994,9 +994,13 @@ png_set_tRNS(png_structrp png_ptr, png_i
- 
-        if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
-        {
--          /* Allocate info_ptr's copy of the transparency data. */
-+	       /* Allocate info_ptr's copy of the transparency data.
-+           * Initialize all entries to fully opaque (0xff), then overwrite
-+           * the first num_trans entries with the actual values.
-+           */
-           info_ptr->trans_alpha = png_voidcast(png_bytep,
-               png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
-+	       memset(info_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
-           memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
-           info_ptr->free_me |= PNG_FREE_TRNS;
-           info_ptr->valid |= PNG_INFO_tRNS;
-@@ -1013,6 +1017,7 @@ png_set_tRNS(png_structrp png_ptr, png_i
-           png_free(png_ptr, png_ptr->trans_alpha);
-           png_ptr->trans_alpha = png_voidcast(png_bytep,
-               png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
-+	       memset(png_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
-           memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
-        }
-        else
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch
deleted file mode 100644
index 21ce35d..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch
+++ /dev/null
@@ -1,163 +0,0 @@ 
-From 7ea9eea884a2328cc7fdcb3c0c00246a50d90667 Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Fri, 20 Mar 2026 17:37:22 +0200
-Subject: [PATCH] fix: Resolve use-after-free on `png_ptr->palette`
-
-Give `png_struct` its own independently-allocated copy of the palette
-buffer, decoupling it from `info_struct`'s palette. Allocate both
-copies with `png_calloc` to zero-fill, because the ARM NEON palette
-riffle reads all 256 entries unconditionally.
-
-In function `png_set_PLTE`, `png_ptr->palette` was aliased directly to
-`info_ptr->palette`: a single heap buffer shared across two structs
-with independent lifetimes. If the buffer was freed through `info_ptr`
-(via `png_free_data(PNG_FREE_PLTE)` or a second call to `png_set_PLTE`),
-`png_ptr->palette` became a dangling pointer. Subsequent row reads,
-performed in `png_do_expand_palette` and in other transform functions,
-dereferenced (and in the bit-shift path, wrote to) freed memory.
-
-Also fix `png_set_quantize` to allocate an owned copy of the caller's
-palette rather than aliasing the user pointer, so that the unconditional
-free in `png_read_destroy` does not free unmanaged memory.
-
-CVE: CVE-2026-33416
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667]
-Comment: Refreshed hunk to match latest scarthgap
-
-Signed-off-by: Sourav Kumar Pramanik <Souravkumar.Pramanik@bmwtechworks.in>
-Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
----
- pngread.c  | 11 +++++------
- pngrtran.c |  8 +++++++-
- pngrutil.c | 13 -------------
- pngset.c   | 28 +++++++++++++++++++---------
- pngwrite.c |  4 ++++
- 5 files changed, 35 insertions(+), 29 deletions(-)
-
-diff --git a/pngread.c b/pngread.c
-index 0086edf6cf..e1d38d578a 100644
---- a/pngread.c
-+++ b/pngread.c
-@@ -959,12 +959,11 @@ png_read_destroy(png_structrp png_ptr)
-    png_ptr->quantize_index = NULL;
- #endif
- 
--   if ((png_ptr->free_me & PNG_FREE_PLTE) != 0)
--   {
--      png_zfree(png_ptr, png_ptr->palette);
--      png_ptr->palette = NULL;
--   }
--   png_ptr->free_me &= ~PNG_FREE_PLTE;
-+   /* png_ptr->palette is always independently allocated (not aliased
-+    * with info_ptr->palette), so free it unconditionally.
-+    */
-+   png_free(png_ptr, png_ptr->palette);
-+   png_ptr->palette = NULL;
- 
- #if defined(PNG_tRNS_SUPPORTED) || \
-     defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED)
-diff --git a/pngrtran.c b/pngrtran.c
-index bfb7d423b7..fd736ab672 100644
---- a/pngrtran.c
-+++ b/pngrtran.c
-@@ -750,7 +750,13 @@ png_set_quantize(png_structrp png_ptr, p
-    }
-    if (png_ptr->palette == NULL)
-    {
--      png_ptr->palette = palette;
-+      /* Allocate an owned copy rather than aliasing the caller's pointer,
-+       * so that png_read_destroy can free png_ptr->palette unconditionally.
-+       */
-+      png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
-+          PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
-+      memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
-+          (sizeof (png_color)));
-    }
-    png_ptr->num_palette = (png_uint_16)num_palette;
-
-diff --git a/pngrutil.c b/pngrutil.c
-index a19507bf1b..3a35fe9de2 100644
---- a/pngrutil.c
-+++ b/pngrutil.c
-@@ -1047,14 +1047,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
-    }
- #endif
- 
--   /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
--    * own copy of the palette.  This has the side effect that when png_start_row
--    * is called (this happens after any call to png_read_update_info) the
--    * info_ptr palette gets changed.  This is extremely unexpected and
--    * confusing.
--    *
--    * Fix this by not sharing the palette in this way.
--    */
-    png_set_PLTE(png_ptr, info_ptr, palette, num);
- 
-    /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
-diff --git a/pngset.c b/pngset.c
-index dccc6498d7..b9ccb7fb15 100644
---- a/pngset.c
-+++ b/pngset.c
-@@ -595,28 +595,38 @@ png_set_PLTE(png_structrp png_ptr, png_i
-       png_error(png_ptr, "Invalid palette");
-    }
- 
--   /* It may not actually be necessary to set png_ptr->palette here;
--    * we do it for backward compatibility with the way the png_handle_tRNS
--    * function used to do the allocation.
--    *
--    * 1.6.0: the above statement appears to be incorrect; something has to set
--    * the palette inside png_struct on read.
--    */
-    png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
- 
-    /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
-     * of num_palette entries, in case of an invalid PNG file or incorrect
-     * call to png_set_PLTE() with too-large sample values.
-+    *
-+    * Allocate independent buffers for info_ptr and png_ptr so that the
-+    * lifetime of png_ptr->palette is decoupled from the lifetime of
-+    * info_ptr->palette.  Previously, these two pointers were aliased,
-+    * which caused a use-after-free vulnerability if png_free_data freed
-+    * info_ptr->palette while png_ptr->palette was still in use by the
-+    * row transform functions (e.g. png_do_expand_palette).
-+    *
-+    * Both buffers are allocated with png_calloc to zero-fill, because
-+    * the ARM NEON palette riffle reads all 256 entries unconditionally,
-+    * regardless of num_palette.
-     */
-+   png_free(png_ptr, png_ptr->palette);
-    png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
-        PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
-+   info_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
-+       PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
-+   png_ptr->num_palette = info_ptr->num_palette = (png_uint_16)num_palette;
- 
-    if (num_palette > 0)
-+      {
-+      memcpy(info_ptr->palette, palette, (unsigned int)num_palette *
-+          (sizeof (png_color)));
-       memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
-           (sizeof (png_color)));
-+      }
- 
--   info_ptr->palette = png_ptr->palette;
--   info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette;
-    info_ptr->free_me |= PNG_FREE_PLTE;
-    info_ptr->valid |= PNG_INFO_PLTE;
- }
-diff --git a/pngwrite.c b/pngwrite.c
-index 84af1e73fb..348763e940 100644
---- a/pngwrite.c
-+++ b/pngwrite.c
-@@ -982,6 +982,10 @@ png_write_destroy(png_structrp png_ptr)
-    png_free(png_ptr, png_ptr->trans_alpha);
-    png_ptr->trans_alpha = NULL;
- #endif
-+   
-+   /* Free the independent copy of the palette owned by png_struct. */
-+   png_free(png_ptr, png_ptr->palette);
-+   png_ptr->palette = NULL;
- 
-    /* The error handling and memory handling information is left intact at this
-     * point: the jmp_buf may still have to be freed.  See png_destroy_png_struct
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch
deleted file mode 100644
index ff7db53..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch
+++ /dev/null
@@ -1,53 +0,0 @@ 
-From c1b0318b393c90679e6fa5bc1d329fd5d5012ec1 Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Fri, 20 Mar 2026 21:25:12 +0200
-Subject: [PATCH] fix: Sync `info_ptr->palette` after in-place transforms
-
-Copy `png_ptr->palette` into `info_ptr->palette` upon entering
-the function that runs immediately after the in-place transforms.
-
-The palette decoupling in the previous commit gave `png_struct`
-and `png_info` independently-allocated palette buffers, fixing a
-use-after-free vulnerability. However, `png_init_read_transformations`
-modifies `png_ptr->palette` in place (e.g. for gamma correction or
-background compositing), and the old aliasing made those modifications
-visible through `png_get_PLTE`. With independent buffers,
-`info_ptr->palette` retained the original values, causing our tests to
-fail on indexed-colour background compositing.
-
-CVE: CVE-2026-33416
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1]
-Comment: Refreshed hunk to match latest scarthgap
-
-Signed-off-by: Sourav Kumar Pramanik <Souravkumar.Pramanik@bmwtechworks.in>
-Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
----
- pngrtran.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/pngrtran.c b/pngrtran.c
-index fd736ab672..978dac5888 100644
---- a/pngrtran.c
-+++ b/pngrtran.c
-@@ -1984,6 +1984,21 @@ png_read_transform_info(png_structrp png
- {
-    png_debug(1, "in png_read_transform_info");
- 
-+   if (png_ptr->transformations != 0)
-+   {
-+      if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
-+          info_ptr->palette != NULL && png_ptr->palette != NULL)
-+      {
-+         /* Sync info_ptr->palette with png_ptr->palette.
-+          * The function png_init_read_transformations may have modified
-+          * png_ptr->palette in place (e.g. for gamma correction or for
-+          * background compositing).
-+          */
-+         memcpy(info_ptr->palette, png_ptr->palette,
-+             PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
-+      }
-+   }
-+
- #ifdef PNG_READ_EXPAND_SUPPORTED
-    if ((png_ptr->transformations & PNG_EXPAND) != 0)
-    {
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch
deleted file mode 100644
index 3bd6aae..0000000
--- a/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch
+++ /dev/null
@@ -1,99 +0,0 @@ 
-From 9ff847dfcbb54f6dee3fd4e408150ae944278391 Mon Sep 17 00:00:00 2001
-From: Cosmin Truta <ctruta@gmail.com>
-Date: Sat, 21 Mar 2026 23:48:49 +0200
-Subject: [PATCH] fix(arm): Resolve out-of-bounds read/write in NEON palette
- expansion
-
-Both `png_do_expand_palette_rgba8_neon` and
-`png_do_expand_palette_rgb8_neon` advanced in fixed-size chunks without
-guarding the final iteration, allowing out-of-bounds reads and writes
-when the row width is not a multiple of the chunk size.
-
-Restrict the NEON loop to full chunks only, remove the now-unnecessary
-post-loop adjustment, and undo the `*ddp` pre-adjustment before the
-pointer handoff to the scalar fallback.
-
-CVE: CVE-2026-33636
-Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3]
-
-Reported-by: Amemoyoi <Amemoyoi@users.noreply.github.com>
-Co-authored-by: Amemoyoi <Amemoyoi@users.noreply.github.com>
-Signed-off-by: Cosmin Truta <ctruta@gmail.com>
-(cherry picked from commit aba9f18eba870d14fb52c5ba5d73451349e339c3)
-Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
----
- arm/palette_neon_intrinsics.c | 29 +++++++++++++----------------
- 1 file changed, 13 insertions(+), 16 deletions(-)
-
-diff --git a/arm/palette_neon_intrinsics.c b/arm/palette_neon_intrinsics.c
-index 92c7d6f9f..bdd15849d 100644
---- a/arm/palette_neon_intrinsics.c
-+++ b/arm/palette_neon_intrinsics.c
-@@ -1,7 +1,7 @@
- 
- /* palette_neon_intrinsics.c - NEON optimised palette expansion functions
-  *
-- * Copyright (c) 2018-2019 Cosmin Truta
-+ * Copyright (c) 2018-2026 Cosmin Truta
-  * Copyright (c) 2017-2018 Arm Holdings. All rights reserved.
-  * Written by Richard Townsend <Richard.Townsend@arm.com>, February 2017.
-  *
-@@ -80,7 +80,7 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info,
-     */
-    *ddp = *ddp - ((pixels_per_chunk * sizeof(png_uint_32)) - 1);
- 
--   for (i = 0; i < row_width; i += pixels_per_chunk)
-+   for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk)
-    {
-       uint32x4_t cur;
-       png_bytep sp = *ssp - i, dp = *ddp - (i << 2);
-@@ -90,13 +90,12 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info,
-       cur = vld1q_lane_u32(riffled_palette + *(sp - 0), cur, 3);
-       vst1q_u32((void *)dp, cur);
-    }
--   if (i != row_width)
--   {
--      /* Remove the amount that wasn't processed. */
--      i -= pixels_per_chunk;
--   }
- 
--   /* Decrement output pointers. */
-+   /* Undo the pre-adjustment of *ddp before the pointer handoff,
-+    * so the scalar fallback in pngrtran.c receives a dp that points
-+    * to the correct position.
-+    */
-+   *ddp = *ddp + (pixels_per_chunk * 4 - 1);
-    *ssp = *ssp - i;
-    *ddp = *ddp - (i << 2);
-    return i;
-@@ -121,7 +120,7 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info,
-    /* Seeking this back by 8 pixels x 3 bytes. */
-    *ddp = *ddp - ((pixels_per_chunk * sizeof(png_color)) - 1);
- 
--   for (i = 0; i < row_width; i += pixels_per_chunk)
-+   for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk)
-    {
-       uint8x8x3_t cur;
-       png_bytep sp = *ssp - i, dp = *ddp - ((i << 1) + i);
-@@ -136,13 +135,11 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info,
-       vst3_u8((void *)dp, cur);
-    }
- 
--   if (i != row_width)
--   {
--      /* Remove the amount that wasn't processed. */
--      i -= pixels_per_chunk;
--   }
--
--   /* Decrement output pointers. */
-+   /* Undo the pre-adjustment of *ddp before the pointer handoff,
-+    * so the scalar fallback in pngrtran.c receives a dp that points
-+    * to the correct position.
-+    */
-+   *ddp = *ddp + (pixels_per_chunk * 3 - 1);
-    *ssp = *ssp - i;
-    *ddp = *ddp - ((i << 1) + i);
-    return i;
--- 
-2.44.4
-
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.58.bb
similarity index 77%
rename from meta/recipes-multimedia/libpng/libpng_1.6.42.bb
rename to meta/recipes-multimedia/libpng/libpng_1.6.58.bb
index e4cc636..9e6a991 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.58.bb
@@ -5,33 +5,16 @@  library for use in applications that read, create, and manipulate PNG \
 HOMEPAGE = "http://www.libpng.org/"
 SECTION = "libs"
 LICENSE = "Libpng"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=0fdbfbe10fc294a6fca24dc76134222a"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=9dc350edbbbee660c7d9af79487168f2"
 DEPENDS = "zlib"
 
 LIBV = "16"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
            file://run-ptest \
-           file://CVE-2025-64505-01.patch \
-           file://CVE-2025-64505-02.patch \
-           file://CVE-2025-64505-03.patch \
-           file://CVE-2025-64506.patch \
-           file://CVE-2025-64720.patch \
-           file://CVE-2025-65018-01.patch \
-           file://CVE-2025-65018-02.patch \
-           file://CVE-2025-66293-01.patch \
-           file://CVE-2025-66293-02.patch \
-           file://CVE-2026-22695.patch \
-           file://CVE-2026-22801.patch \
-           file://CVE-2026-25646.patch \
-           file://CVE-2026-33636.patch \
-           file://CVE-2026-33416-01.patch \
-           file://CVE-2026-33416-02.patch \
-           file://CVE-2026-33416-03.patch \
-           file://CVE-2026-33416-04.patch \
 "
 
-SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
+SRC_URI[sha256sum] = "28eb403f51f0f7405249132cecfe82ea5c0ef97f1b32c5a65828814ae0d34775"
 
 MIRRORS += "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/"