From patchwork Thu Nov 27 18:03:45 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 75495 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DFBE3D111A8 for ; Thu, 27 Nov 2025 18:03:53 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.717.1764266632193340866 for ; Thu, 27 Nov 2025 10:03:52 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=N4N8VhGg; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-20251127180350978f4d784a00020722-i_y9jp@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20251127180350978f4d784a00020722 for ; Thu, 27 Nov 2025 19:03:50 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=fskDB+nHRkhQH0RwPKOJz85kh+6nsJquKqXrG0bQvJY=; b=N4N8VhGgt9JpSdXqNw/bV7ef+K6QnSbBkG23byBPhUtst8gfulueREh9T7yDY8aQ6KNHqC tN+0JWgAPNIwvFE1g7er6OAqtJvlY641KmCaYVFP3lDNZI+ek3YwfYfhuTYKEylLFcg0uiHw OYEI3y+rBcMZx2wIWt1g1kMGJilcOKxYoCWRE8rbB454QNpKINerR9kUFn/blDQ89IbB1cWg zra4C5IbffdzOeqPg7GefO4LdkQPddvyOcRT7BRgGOOZDeGqiccJlLcCritjgCnjgf6WmKGk LWG1umKCD2SwY/77CYutXnjyBt/pAerQxl+FAubYmCFA9626bXQT/xog==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][kirkstone][PATCH 1/4] libpng: patch CVE-2025-64505 Date: Thu, 27 Nov 2025 19:03:45 +0100 Message-Id: <20251127180348.3347694-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Nov 2025 18:03:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226860 From: Peter Marko Pick commit per NVD report. Add two patches to apply it cleanly. Signed-off-by: Peter Marko --- .../libpng/files/CVE-2025-64505-01.patch | 111 ++++++++++++ .../libpng/files/CVE-2025-64505-02.patch | 163 ++++++++++++++++++ .../libpng/files/CVE-2025-64505-03.patch | 52 ++++++ .../libpng/libpng_1.6.39.bb | 3 + 4 files changed, 329 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch new file mode 100644 index 00000000000..c8ca222d148 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch @@ -0,0 +1,111 @@ +From 0fa3c0f698c2ca618a0fa44e10a822678df85373 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Thu, 15 Feb 2024 21:53:24 +0200 +Subject: [PATCH] chore: Clean up the spurious uses of `sizeof(png_byte)`; fix + the manual + +By definition, `sizeof(png_byte)` is 1. + +Remove all the occurences of `sizeof(png_byte)` from the code, and fix +a related typo in the libpng manual. + +Also update the main .editorconfig file to reflect the fixing expected +by a FIXME note. + +CVE: CVE-2025-64505 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/0fa3c0f698c2ca618a0fa44e10a822678df85373] +Signed-off-by: Peter Marko +--- + libpng-manual.txt | 4 ++-- + libpng.3 | 4 ++-- + pngrtran.c | 17 +++++++---------- + 3 files changed, 11 insertions(+), 14 deletions(-) + +diff --git a/libpng-manual.txt b/libpng-manual.txt +index eb24ef483..d2918ce31 100644 +--- a/libpng-manual.txt ++++ b/libpng-manual.txt +@@ -1180,11 +1180,11 @@ where row_pointers is an array of pointers to the pixel data for each row: + If you know your image size and pixel size ahead of time, you can allocate + row_pointers prior to calling png_read_png() with + +- if (height > PNG_UINT_32_MAX/(sizeof (png_byte))) ++ if (height > PNG_UINT_32_MAX / (sizeof (png_bytep))) + png_error (png_ptr, + "Image is too tall to process in memory"); + +- if (width > PNG_UINT_32_MAX/pixel_size) ++ if (width > PNG_UINT_32_MAX / pixel_size) + png_error (png_ptr, + "Image is too wide to process in memory"); + +diff --git a/libpng.3 b/libpng.3 +index 57d06f2db..8875b219a 100644 +--- a/libpng.3 ++++ b/libpng.3 +@@ -1699,11 +1699,11 @@ where row_pointers is an array of pointers to the pixel data for each row: + If you know your image size and pixel size ahead of time, you can allocate + row_pointers prior to calling png_read_png() with + +- if (height > PNG_UINT_32_MAX/(sizeof (png_byte))) ++ if (height > PNG_UINT_32_MAX / (sizeof (png_bytep))) + png_error (png_ptr, + "Image is too tall to process in memory"); + +- if (width > PNG_UINT_32_MAX/pixel_size) ++ if (width > PNG_UINT_32_MAX / pixel_size) + png_error (png_ptr, + "Image is too wide to process in memory"); + +diff --git a/pngrtran.c b/pngrtran.c +index 74cca476b..041f9306c 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -441,7 +441,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + int i; + + png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr, +- (png_alloc_size_t)((png_uint_32)num_palette * (sizeof (png_byte)))); ++ (png_alloc_size_t)num_palette); + for (i = 0; i < num_palette; i++) + png_ptr->quantize_index[i] = (png_byte)i; + } +@@ -458,7 +458,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + + /* Initialize an array to sort colors */ + png_ptr->quantize_sort = (png_bytep)png_malloc(png_ptr, +- (png_alloc_size_t)((png_uint_32)num_palette * (sizeof (png_byte)))); ++ (png_alloc_size_t)num_palette); + + /* Initialize the quantize_sort array */ + for (i = 0; i < num_palette; i++) +@@ -592,11 +592,9 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + + /* Initialize palette index arrays */ + png_ptr->index_to_palette = (png_bytep)png_malloc(png_ptr, +- (png_alloc_size_t)((png_uint_32)num_palette * +- (sizeof (png_byte)))); ++ (png_alloc_size_t)num_palette); + png_ptr->palette_to_index = (png_bytep)png_malloc(png_ptr, +- (png_alloc_size_t)((png_uint_32)num_palette * +- (sizeof (png_byte)))); ++ (png_alloc_size_t)num_palette); + + /* Initialize the sort array */ + for (i = 0; i < num_palette; i++) +@@ -761,12 +759,11 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + size_t num_entries = ((size_t)1 << total_bits); + + png_ptr->palette_lookup = (png_bytep)png_calloc(png_ptr, +- (png_alloc_size_t)(num_entries * (sizeof (png_byte)))); ++ (png_alloc_size_t)(num_entries)); + +- distance = (png_bytep)png_malloc(png_ptr, (png_alloc_size_t)(num_entries * +- (sizeof (png_byte)))); ++ distance = (png_bytep)png_malloc(png_ptr, (png_alloc_size_t)num_entries); + +- memset(distance, 0xff, num_entries * (sizeof (png_byte))); ++ memset(distance, 0xff, num_entries); + + for (i = 0; i < num_palette; i++) + { diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch new file mode 100644 index 00000000000..5a3e50b6424 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch @@ -0,0 +1,163 @@ +From ea094764f3436e3c6524622724c2d342a3eff235 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Sat, 8 Nov 2025 17:16:59 +0200 +Subject: [PATCH] Fix a memory leak in function `png_set_quantize`; refactor + +Release the previously-allocated array `quantize_index` before +reallocating it. This avoids leaking memory when the function +`png_set_quantize` is called multiple times on the same `png_struct`. + +This function assumed single-call usage, but fuzzing revealed that +repeated calls would overwrite the pointers without freeing the +original allocations, leaking 256 bytes per call for `quantize_index` +and additional memory for `quantize_sort` when histogram-based +quantization is used. + +Also remove the array `quantize_sort` from the list of `png_struct` +members and make it a local variable. This array is initialized, +used and released exclusively inside the function `png_set_quantize`. + +Reported-by: Samsung-PENTEST +Analyzed-by: degrigis +Reviewed-by: John Bowler + +CVE: CVE-2025-64505 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/ea094764f3436e3c6524622724c2d342a3eff235] +Signed-off-by: Peter Marko +--- + pngrtran.c | 43 +++++++++++++++++++++++-------------------- + pngstruct.h | 1 - + 2 files changed, 23 insertions(+), 21 deletions(-) + +diff --git a/pngrtran.c b/pngrtran.c +index 1809db704..4632dd521 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -440,6 +440,12 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + { + int i; + ++ /* Initialize the array to index colors. ++ * ++ * Be careful to avoid leaking memory. Applications are allowed to call ++ * this function more than once per png_struct. ++ */ ++ png_free(png_ptr, png_ptr->quantize_index); + png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr, + (png_alloc_size_t)num_palette); + for (i = 0; i < num_palette; i++) +@@ -454,15 +460,14 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + * Perhaps not the best solution, but good enough. + */ + +- int i; ++ png_bytep quantize_sort; ++ int i, j; + +- /* Initialize an array to sort colors */ +- png_ptr->quantize_sort = (png_bytep)png_malloc(png_ptr, ++ /* Initialize the local array to sort colors. */ ++ quantize_sort = (png_bytep)png_malloc(png_ptr, + (png_alloc_size_t)num_palette); +- +- /* Initialize the quantize_sort array */ + for (i = 0; i < num_palette; i++) +- png_ptr->quantize_sort[i] = (png_byte)i; ++ quantize_sort[i] = (png_byte)i; + + /* Find the least used palette entries by starting a + * bubble sort, and running it until we have sorted +@@ -474,19 +479,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + for (i = num_palette - 1; i >= maximum_colors; i--) + { + int done; /* To stop early if the list is pre-sorted */ +- int j; + + done = 1; + for (j = 0; j < i; j++) + { +- if (histogram[png_ptr->quantize_sort[j]] +- < histogram[png_ptr->quantize_sort[j + 1]]) ++ if (histogram[quantize_sort[j]] ++ < histogram[quantize_sort[j + 1]]) + { + png_byte t; + +- t = png_ptr->quantize_sort[j]; +- png_ptr->quantize_sort[j] = png_ptr->quantize_sort[j + 1]; +- png_ptr->quantize_sort[j + 1] = t; ++ t = quantize_sort[j]; ++ quantize_sort[j] = quantize_sort[j + 1]; ++ quantize_sort[j + 1] = t; + done = 0; + } + } +@@ -498,18 +502,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + /* Swap the palette around, and set up a table, if necessary */ + if (full_quantize != 0) + { +- int j = num_palette; ++ j = num_palette; + + /* Put all the useful colors within the max, but don't + * move the others. + */ + for (i = 0; i < maximum_colors; i++) + { +- if ((int)png_ptr->quantize_sort[i] >= maximum_colors) ++ if ((int)quantize_sort[i] >= maximum_colors) + { + do + j--; +- while ((int)png_ptr->quantize_sort[j] >= maximum_colors); ++ while ((int)quantize_sort[j] >= maximum_colors); + + palette[i] = palette[j]; + } +@@ -517,7 +521,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + } + else + { +- int j = num_palette; ++ j = num_palette; + + /* Move all the used colors inside the max limit, and + * develop a translation table. +@@ -525,13 +529,13 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + for (i = 0; i < maximum_colors; i++) + { + /* Only move the colors we need to */ +- if ((int)png_ptr->quantize_sort[i] >= maximum_colors) ++ if ((int)quantize_sort[i] >= maximum_colors) + { + png_color tmp_color; + + do + j--; +- while ((int)png_ptr->quantize_sort[j] >= maximum_colors); ++ while ((int)quantize_sort[j] >= maximum_colors); + + tmp_color = palette[j]; + palette[j] = palette[i]; +@@ -569,8 +573,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + } + } + } +- png_free(png_ptr, png_ptr->quantize_sort); +- png_ptr->quantize_sort = NULL; ++ png_free(png_ptr, quantize_sort); + } + else + { +diff --git a/pngstruct.h b/pngstruct.h +index 084422bc1..fe5fa0415 100644 +--- a/pngstruct.h ++++ b/pngstruct.h +@@ -413,7 +413,6 @@ struct png_struct_def + + #ifdef PNG_READ_QUANTIZE_SUPPORTED + /* The following three members were added at version 1.0.14 and 1.2.4 */ +- png_bytep quantize_sort; /* working sort array */ + png_bytep index_to_palette; /* where the original index currently is + in the palette */ + png_bytep palette_to_index; /* which original index points to this diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch new file mode 100644 index 00000000000..ddda8678ce2 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch @@ -0,0 +1,52 @@ +From 6a528eb5fd0dd7f6de1c39d30de0e41473431c37 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Sat, 8 Nov 2025 23:58:26 +0200 +Subject: [PATCH] Fix a buffer overflow in `png_do_quantize` + +Allocate the quantize_index array to PNG_MAX_PALETTE_LENGTH (256 bytes) +instead of num_palette bytes. This approach matches the allocation +pattern for `palette[]`, `trans_alpha[]` and `riffled_palette[]` which +were similarly oversized in libpng 1.2.1 to prevent buffer overflows +from malformed PNG files with out-of-range palette indices. + +Out-of-range palette indices `index >= num_palette` will now read +identity-mapped values from the `quantize_index` array (where index N +maps to palette entry N). This prevents undefined behavior while +avoiding runtime bounds checking overhead in the performance-critical +pixel processing loop. + +Reported-by: Samsung-PENTEST +Analyzed-by: degrigis + +CVE: CVE-2025-64505 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37] +Signed-off-by: Peter Marko +--- + pngrtran.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/pngrtran.c b/pngrtran.c +index 4632dd521..9c2475fde 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -441,14 +441,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + int i; + + /* Initialize the array to index colors. ++ * ++ * Ensure quantize_index can fit 256 elements (PNG_MAX_PALETTE_LENGTH) ++ * rather than num_palette elements. This is to prevent buffer overflows ++ * caused by malformed PNG files with out-of-range palette indices. + * + * Be careful to avoid leaking memory. Applications are allowed to call + * this function more than once per png_struct. + */ + png_free(png_ptr, png_ptr->quantize_index); + png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr, +- (png_alloc_size_t)num_palette); +- for (i = 0; i < num_palette; i++) ++ PNG_MAX_PALETTE_LENGTH); ++ for (i = 0; i < PNG_MAX_PALETTE_LENGTH; i++) + png_ptr->quantize_index[i] = (png_byte)i; + } + diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index 011eec94a2b..62e3e81b4f2 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb @@ -13,6 +13,9 @@ LIBV = "16" SRC_URI = "\ ${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \ file://run-ptest \ + file://CVE-2025-64505-01.patch \ + file://CVE-2025-64505-02.patch \ + file://CVE-2025-64505-03.patch \ " SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937" From patchwork Thu Nov 27 18:03:46 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 75496 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DE64FD111A8 for ; Thu, 27 Nov 2025 18:04:03 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.717.1764266632193340866 for ; Thu, 27 Nov 2025 10:03:55 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=fcmXPLE6; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-20251127180354675f8ba0480002070f-sht2ai@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20251127180354675f8ba0480002070f for ; Thu, 27 Nov 2025 19:03:54 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=tu9gm2mTL9ZKIFGwJvwLMV15/Dvw1hMdaYUDv45DXyA=; b=fcmXPLE6/k3P95+l5NgcKoHcGGhVes11daw/MR1gHMiATdRZBRG6QCOAunOA6uiW1fniPJ y1d7jJPo+rMODjWX+8woocgbRqpYYc671WfJqd44H5dM3LK6Qj6CfOofdl6bbh3IxifkXgAe ICOb7a00c98bZWVdL9OgE5JdwbAmQtwLFFK6CUYhztbj8py7M18S1T/+mziVB5Sp16mWs++l gPTQaK+2dKjNyiWiicWxv+dHYB+KcqEXx/gZINpaPHwYC3TxGsyTFAU5PLSepY4Jermk/I2s dcugNs/WZm7u0g8kmVMUrycBdTmcaFieNLDK+3T+Rt+nXb8ZdDFzoLEQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][kirkstone][PATCH 2/4] libpng: patch CVE-2025-64506 Date: Thu, 27 Nov 2025 19:03:46 +0100 Message-Id: <20251127180348.3347694-2-peter.marko@siemens.com> In-Reply-To: <20251127180348.3347694-1-peter.marko@siemens.com> References: <20251127180348.3347694-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Nov 2025 18:04:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226861 From: Peter Marko Pick commit per NVD report. Signed-off-by: Peter Marko --- .../libpng/files/CVE-2025-64506.patch | 57 +++++++++++++++++++ .../libpng/libpng_1.6.39.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch new file mode 100644 index 00000000000..696f4599717 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch @@ -0,0 +1,57 @@ +From 2bd84c019c300b78e811743fbcddb67c9d9bf821 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Fri, 7 Nov 2025 22:40:05 +0200 +Subject: [PATCH] Fix a heap buffer overflow in `png_write_image_8bit` + +The condition guarding the pre-transform path incorrectly allowed 8-bit +input data to enter `png_write_image_8bit` which expects 16-bit input. +This caused out-of-bounds reads when processing 8-bit grayscale+alpha +images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746), +with the `convert_to_8bit` flag set (an invalid combination that should +bypass the pre-transform path). + +The second part of the condition, i.e. + + colormap == 0 && convert_to_8bit != 0 + +failed to verify that input was 16-bit, i.e. + + linear != 0 + +contradicting the comment "This only applies when the input is 16-bit". + +The fix consists in restructuring the condition to ensure both the +`alpha` path and the `convert_to_8bit` path require linear (16-bit) +input. The corrected condition, i.e. + + linear != 0 && (alpha != 0 || display->convert_to_8bit != 0) + +matches the expectation of the `png_write_image_8bit` function and +prevents treating 8-bit buffers as 16-bit data. + +Reported-by: Samsung-PENTEST +Reported-by: weijinjinnihao +Analyzed-by: degrigis +Reviewed-by: John Bowler + +CVE: CVE-2025-64506 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821] +Signed-off-by: Peter Marko +--- + pngwrite.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/pngwrite.c b/pngwrite.c +index 35a5d17b6..83148960e 100644 +--- a/pngwrite.c ++++ b/pngwrite.c +@@ -2129,8 +2129,7 @@ png_image_write_main(png_voidp argument) + * before it is written. This only applies when the input is 16-bit and + * either there is an alpha channel or it is converted to 8-bit. + */ +- if ((linear != 0 && alpha != 0 ) || +- (colormap == 0 && display->convert_to_8bit != 0)) ++ if (linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)) + { + png_bytep row = png_voidcast(png_bytep, png_malloc(png_ptr, + png_get_rowbytes(png_ptr, info_ptr))); diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index 62e3e81b4f2..cc35e7a7253 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb @@ -16,6 +16,7 @@ SRC_URI = "\ file://CVE-2025-64505-01.patch \ file://CVE-2025-64505-02.patch \ file://CVE-2025-64505-03.patch \ + file://CVE-2025-64506.patch \ " SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937" From patchwork Thu Nov 27 18:03:47 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 75497 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E6B14D116F3 for ; Thu, 27 Nov 2025 18:04:03 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.705.1764266640091703450 for ; Thu, 27 Nov 2025 10:04:00 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=GCbgVNCv; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-256628-20251127180358ab0a314f77000207aa-gy7pld@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20251127180358ab0a314f77000207aa for ; Thu, 27 Nov 2025 19:03:58 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=okREegF7rRAgOeEL7o15eM0GRhlQc8ni3Dtp0TXrR9k=; b=GCbgVNCvYSB8pVe64eA2OlzVASFk32UikszO7OxUCx9wws1iUflI7dNsf3q/BZJQWw3/12 tBwvuT1Ffj4aQkYRCOaKvekLEgcG1D4H/PIB9UElVGWF4HZ3bx70FtKXQ3pZAE+QogP6xwF7 4a6OVv2dOEYocPheKHDDqU+obpxtWEvyks/mtWDV3SZWXak+sFW2+pY4lUoC1XBd6AwuCkhZ 6C6KIGT3mdVVyjJVuDbeUoi54BZ/TN8EqpVJ/7k2J+U66RtExzd/pN5kNX+4IwONfyurdQCC SE5wfFOHpzyyAB9OL3FRKJCMZCJvyGnrRXfbVYuGC4Ak/dOsx/hKAsLQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][kirkstone][PATCH 3/4] libpng: patch CVE-2025-64720 Date: Thu, 27 Nov 2025 19:03:47 +0100 Message-Id: <20251127180348.3347694-3-peter.marko@siemens.com> In-Reply-To: <20251127180348.3347694-1-peter.marko@siemens.com> References: <20251127180348.3347694-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Nov 2025 18:04:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226862 From: Peter Marko Pick commit per NVD report. Signed-off-by: Peter Marko --- .../libpng/files/CVE-2025-64720.patch | 103 ++++++++++++++++++ .../libpng/libpng_1.6.39.bb | 1 + 2 files changed, 104 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch new file mode 100644 index 00000000000..08df7c32107 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch @@ -0,0 +1,103 @@ +From 08da33b4c88cfcd36e5a706558a8d7e0e4773643 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Wed, 12 Nov 2025 13:46:23 +0200 +Subject: [PATCH] Fix a buffer overflow in `png_init_read_transformations` + +The palette compositing code in `png_init_read_transformations` was +incorrectly applying background compositing when PNG_FLAG_OPTIMIZE_ALPHA +was set. This violated the premultiplied alpha invariant +`component <= alpha` expected by `png_image_read_composite`, causing +values that exceeded the valid range for the PNG_sRGB_FROM_LINEAR lookup +tables. + +When PNG_ALPHA_OPTIMIZED is active, palette entries should contain pure +premultiplied RGB values without background compositing. The background +compositing must happen later in `png_image_read_composite` where the +actual background color from the PNG file is available. + +The fix consists in introducing conditional behavior based on +PNG_FLAG_OPTIMIZE_ALPHA: when set, the code performs only +premultiplication using the formula `component * alpha + 127) / 255` +with proper gamma correction. When not set, the original background +compositing calculation based on the `png_composite` macro is preserved. + +This prevents buffer overflows in `png_image_read_composite` where +out-of-range premultiplied values would cause out-of-bounds array access +in `png_sRGB_base[]` and `png_sRGB_delta[]`. + +Reported-by: Samsung-PENTEST +Analyzed-by: John Bowler + +CVE: CVE-2025-64720 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643] +Signed-off-by: Peter Marko +--- + pngrtran.c | 52 ++++++++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 42 insertions(+), 10 deletions(-) + +diff --git a/pngrtran.c b/pngrtran.c +index 548780030..2f5202255 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -1698,19 +1698,51 @@ png_init_read_transformations(png_structrp png_ptr) + } + else /* if (png_ptr->trans_alpha[i] != 0xff) */ + { +- png_byte v, w; ++ if ((png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0) ++ { ++ /* Premultiply only: ++ * component = round((component * alpha) / 255) ++ */ ++ png_uint_32 component; + +- v = png_ptr->gamma_to_1[palette[i].red]; +- png_composite(w, v, png_ptr->trans_alpha[i], back_1.red); +- palette[i].red = png_ptr->gamma_from_1[w]; ++ component = png_ptr->gamma_to_1[palette[i].red]; ++ component = ++ (component * png_ptr->trans_alpha[i] + 128) / 255; ++ palette[i].red = png_ptr->gamma_from_1[component]; + +- v = png_ptr->gamma_to_1[palette[i].green]; +- png_composite(w, v, png_ptr->trans_alpha[i], back_1.green); +- palette[i].green = png_ptr->gamma_from_1[w]; ++ component = png_ptr->gamma_to_1[palette[i].green]; ++ component = ++ (component * png_ptr->trans_alpha[i] + 128) / 255; ++ palette[i].green = png_ptr->gamma_from_1[component]; + +- v = png_ptr->gamma_to_1[palette[i].blue]; +- png_composite(w, v, png_ptr->trans_alpha[i], back_1.blue); +- palette[i].blue = png_ptr->gamma_from_1[w]; ++ component = png_ptr->gamma_to_1[palette[i].blue]; ++ component = ++ (component * png_ptr->trans_alpha[i] + 128) / 255; ++ palette[i].blue = png_ptr->gamma_from_1[component]; ++ } ++ else ++ { ++ /* Composite with background color: ++ * component = ++ * alpha * component + (1 - alpha) * background ++ */ ++ png_byte v, w; ++ ++ v = png_ptr->gamma_to_1[palette[i].red]; ++ png_composite(w, v, ++ png_ptr->trans_alpha[i], back_1.red); ++ palette[i].red = png_ptr->gamma_from_1[w]; ++ ++ v = png_ptr->gamma_to_1[palette[i].green]; ++ png_composite(w, v, ++ png_ptr->trans_alpha[i], back_1.green); ++ palette[i].green = png_ptr->gamma_from_1[w]; ++ ++ v = png_ptr->gamma_to_1[palette[i].blue]; ++ png_composite(w, v, ++ png_ptr->trans_alpha[i], back_1.blue); ++ palette[i].blue = png_ptr->gamma_from_1[w]; ++ } + } + } + else diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index cc35e7a7253..efb8eba3721 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb @@ -17,6 +17,7 @@ SRC_URI = "\ file://CVE-2025-64505-02.patch \ file://CVE-2025-64505-03.patch \ file://CVE-2025-64506.patch \ + file://CVE-2025-64720.patch \ " SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937" From patchwork Thu Nov 27 18:03:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 75498 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DFA01CFD2F6 for ; Thu, 27 Nov 2025 18:04:13 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.707.1764266643632825960 for ; Thu, 27 Nov 2025 10:04:03 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=cH/NjAUd; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-256628-202511271804015b2efb6d13000207ba-86qma1@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 202511271804015b2efb6d13000207ba for ; Thu, 27 Nov 2025 19:04:01 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=U5ndyinzTrKgmgjX+/25dZbUIDrgSm4kYedPXoxMSmo=; b=cH/NjAUdt1765DsNcT5bdwMVyjcah7XMww2LwV80MOsVlu+WKR/bNx8qjst3p0mPQ6+iti jelNnnd0hdYLF9PHySVTIWLroaLc1FoqZy9rPy/zYytZ9EWq/WsB2CLHFDXO2XOCakvmXpsJ KWlgdItvgoazo502jo4BCVXz0x/cr7exMCs2TG9FC+IXo2TOut0PL1m9+4Gd/zMNzd1hpWqd yrWr+ZEF1CKUMSjoW0TXCsua6LFOT/kKM1nCpU9C1HbDL6wLqNdVLcnZgb0B1KJnYA9upEb5 K1PbrJQiFvqdZQMpB2SQgIOV/lGsYXoikfdy+6EHDJFo3xLmgcZk6YgA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][kirkstone][PATCH 4/4] libpng: patch CVE-2025-65018 Date: Thu, 27 Nov 2025 19:03:48 +0100 Message-Id: <20251127180348.3347694-4-peter.marko@siemens.com> In-Reply-To: <20251127180348.3347694-1-peter.marko@siemens.com> References: <20251127180348.3347694-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Nov 2025 18:04:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226863 From: Peter Marko Pick commits per NVD report. Signed-off-by: Peter Marko --- .../libpng/files/CVE-2025-65018-01.patch | 60 +++++++ .../libpng/files/CVE-2025-65018-02.patch | 163 ++++++++++++++++++ .../libpng/libpng_1.6.39.bb | 2 + 3 files changed, 225 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch new file mode 100644 index 00000000000..a3e31ea6ac3 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch @@ -0,0 +1,60 @@ +From 16b5e3823918840aae65c0a6da57c78a5a496a4d Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Mon, 17 Nov 2025 20:38:47 +0200 +Subject: [PATCH] Fix a buffer overflow in `png_image_finish_read` +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reject bit-depth mismatches between IHDR and the requested output +format. When a 16-bit PNG is processed with an 8-bit output format +request, `png_combine_row` writes using the IHDR depth before +transformation, causing writes beyond the buffer allocated via +`PNG_IMAGE_SIZE(image)`. + +The validation establishes a safe API contract where +`PNG_IMAGE_SIZE(image)` is guaranteed to be sufficient across the +transformation pipeline. + +Example overflow (32×32 pixels, 16-bit RGB to 8-bit RGBA): +- Input format: 16 bits/channel × 3 channels = 6144 bytes +- Output buffer: 8 bits/channel × 4 channels = 4096 bytes +- Overflow: 6144 bytes - 4096 bytes = 2048 bytes + +Larger images produce proportionally larger overflows. For example, +for 256×256 pixels, the overflow is 131072 bytes. + +Reported-by: yosiimich + +CVE: CVE-2025-65018 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d] +Signed-off-by: Peter Marko +--- + pngread.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/pngread.c b/pngread.c +index 212afb7d2..92571ec33 100644 +--- a/pngread.c ++++ b/pngread.c +@@ -4164,6 +4164,20 @@ png_image_finish_read(png_imagep image, png_const_colorp background, + int result; + png_image_read_control display; + ++ /* Reject bit depth mismatches to avoid buffer overflows. */ ++ png_uint_32 ihdr_bit_depth = ++ image->opaque->png_ptr->bit_depth; ++ int requested_linear = ++ (image->format & PNG_FORMAT_FLAG_LINEAR) != 0; ++ if (ihdr_bit_depth == 16 && !requested_linear) ++ return png_image_error(image, ++ "png_image_finish_read: " ++ "16-bit PNG must use 16-bit output format"); ++ if (ihdr_bit_depth < 16 && requested_linear) ++ return png_image_error(image, ++ "png_image_finish_read: " ++ "8-bit PNG must not use 16-bit output format"); ++ + memset(&display, 0, (sizeof display)); + display.image = image; + display.buffer = buffer; diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch new file mode 100644 index 00000000000..b64a45e9f3f --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch @@ -0,0 +1,163 @@ +From 218612ddd6b17944e21eda56caf8b4bf7779d1ea Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Wed, 19 Nov 2025 21:45:13 +0200 +Subject: [PATCH] Rearchitect the fix to the buffer overflow in + `png_image_finish_read` + +Undo the fix from commit 16b5e3823918840aae65c0a6da57c78a5a496a4d. +That fix turned out to be unnecessarily limiting. It rejected all +16-to-8 bit transformations, although the vulnerability only affects +interlaced PNGs where `png_combine_row` writes using IHDR bit-depth +before the transformation completes. + +The proper solution is to add an intermediate `local_row` buffer, +specifically for the slow but necessary step of 16-to-8 bit conversion +of interlaced images. (The processing of non-interlaced images remains +intact, using the fast path.) We added the flag `do_local_scale` and +the function `png_image_read_direct_scaled`, following the pattern that +involves `do_local_compose`. + +In conclusion: +- The 16-to-8 bit transformations of interlaced images are now safe, + as they use an intermediate buffer. +- The 16-to-8 bit transformations of non-interlaced images remain safe, + as the fast path remains unchanged. +- All our regression tests are now passing. + +CVE: CVE-2025-65018 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea] +Signed-off-by: Peter Marko +--- + pngread.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 75 insertions(+), 14 deletions(-) + +diff --git a/pngread.c b/pngread.c +index 92571ec33..79917daaa 100644 +--- a/pngread.c ++++ b/pngread.c +@@ -3260,6 +3260,54 @@ png_image_read_colormapped(png_voidp argument) + } + } + ++/* Row reading for interlaced 16-to-8 bit depth conversion with local buffer. */ ++static int ++png_image_read_direct_scaled(png_voidp argument) ++{ ++ png_image_read_control *display = png_voidcast(png_image_read_control*, ++ argument); ++ png_imagep image = display->image; ++ png_structrp png_ptr = image->opaque->png_ptr; ++ png_bytep local_row = png_voidcast(png_bytep, display->local_row); ++ png_bytep first_row = png_voidcast(png_bytep, display->first_row); ++ ptrdiff_t row_bytes = display->row_bytes; ++ int passes; ++ ++ /* Handle interlacing. */ ++ switch (png_ptr->interlaced) ++ { ++ case PNG_INTERLACE_NONE: ++ passes = 1; ++ break; ++ ++ case PNG_INTERLACE_ADAM7: ++ passes = PNG_INTERLACE_ADAM7_PASSES; ++ break; ++ ++ default: ++ png_error(png_ptr, "unknown interlace type"); ++ } ++ ++ /* Read each pass using local_row as intermediate buffer. */ ++ while (--passes >= 0) ++ { ++ png_uint_32 y = image->height; ++ png_bytep output_row = first_row; ++ ++ for (; y > 0; --y) ++ { ++ /* Read into local_row (gets transformed 8-bit data). */ ++ png_read_row(png_ptr, local_row, NULL); ++ ++ /* Copy from local_row to user buffer. */ ++ memcpy(output_row, local_row, (size_t)row_bytes); ++ output_row += row_bytes; ++ } ++ } ++ ++ return 1; ++} ++ + /* Just the row reading part of png_image_read. */ + static int + png_image_read_composite(png_voidp argument) +@@ -3678,6 +3726,7 @@ png_image_read_direct(png_voidp argument) + int linear = (format & PNG_FORMAT_FLAG_LINEAR) != 0; + int do_local_compose = 0; + int do_local_background = 0; /* to avoid double gamma correction bug */ ++ int do_local_scale = 0; /* for interlaced 16-to-8 bit conversion */ + int passes = 0; + + /* Add transforms to ensure the correct output format is produced then check +@@ -3804,8 +3853,16 @@ png_image_read_direct(png_voidp argument) + png_set_expand_16(png_ptr); + + else /* 8-bit output */ ++ { + png_set_scale_16(png_ptr); + ++ /* For interlaced images, use local_row buffer to avoid overflow ++ * in png_combine_row() which writes using IHDR bit-depth. ++ */ ++ if (png_ptr->interlaced != 0) ++ do_local_scale = 1; ++ } ++ + change &= ~PNG_FORMAT_FLAG_LINEAR; + } + +@@ -4081,6 +4138,24 @@ png_image_read_direct(png_voidp argument) + return result; + } + ++ else if (do_local_scale != 0) ++ { ++ /* For interlaced 16-to-8 conversion, use an intermediate row buffer ++ * to avoid buffer overflows in png_combine_row. The local_row is sized ++ * for the transformed (8-bit) output, preventing the overflow that would ++ * occur if png_combine_row wrote 16-bit data directly to the user buffer. ++ */ ++ int result; ++ png_voidp row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr)); ++ ++ display->local_row = row; ++ result = png_safe_execute(image, png_image_read_direct_scaled, display); ++ display->local_row = NULL; ++ png_free(png_ptr, row); ++ ++ return result; ++ } ++ + else + { + png_alloc_size_t row_bytes = (png_alloc_size_t)display->row_bytes; +@@ -4164,20 +4239,6 @@ png_image_finish_read(png_imagep image, png_const_colorp background, + int result; + png_image_read_control display; + +- /* Reject bit depth mismatches to avoid buffer overflows. */ +- png_uint_32 ihdr_bit_depth = +- image->opaque->png_ptr->bit_depth; +- int requested_linear = +- (image->format & PNG_FORMAT_FLAG_LINEAR) != 0; +- if (ihdr_bit_depth == 16 && !requested_linear) +- return png_image_error(image, +- "png_image_finish_read: " +- "16-bit PNG must use 16-bit output format"); +- if (ihdr_bit_depth < 16 && requested_linear) +- return png_image_error(image, +- "png_image_finish_read: " +- "8-bit PNG must not use 16-bit output format"); +- + memset(&display, 0, (sizeof display)); + display.image = image; + display.buffer = buffer; diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index efb8eba3721..47b76a704b8 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb @@ -18,6 +18,8 @@ SRC_URI = "\ file://CVE-2025-64505-03.patch \ file://CVE-2025-64506.patch \ file://CVE-2025-64720.patch \ + file://CVE-2025-65018-01.patch \ + file://CVE-2025-65018-02.patch \ " SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"