libpng: patch CVE-2025-64506

Pick commit per NVD report. (From OE-Core rev: eb4af9b4cea963b650be217d33bc12f560ed84a6) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-11-27 19:03:46 +0100
committer: Steve Sakoman <steve@sakoman.com> 2025-12-05 06:56:34 -0800
commit: 5d27e8f05da66cda8dae6b1dc2a41687deac758d (patch)
tree: 1348f226953a2027f3509f71f847053b4ae59a9c
parent: d4925371886786849fe0e4408aaf285cf3c5e04b (diff)
download: poky-5d27e8f05da66cda8dae6b1dc2a41687deac758d.tar.gz
2 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
new file mode 100644
index 0000000000..696f459971
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
@@ -0,0 +1,57 @@
+From 2bd84c019c300b78e811743fbcddb67c9d9bf821 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Fri, 7 Nov 2025 22:40:05 +0200
+Subject: [PATCH] Fix a heap buffer overflow in `png_write_image_8bit`
+The condition guarding the pre-transform path incorrectly allowed 8-bit
+input data to enter `png_write_image_8bit` which expects 16-bit input.
+This caused out-of-bounds reads when processing 8-bit grayscale+alpha
+images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746),
+with the `convert_to_8bit` flag set (an invalid combination that should
+bypass the pre-transform path).
+The second part of the condition, i.e.
+    colormap == 0 && convert_to_8bit != 0
+failed to verify that input was 16-bit, i.e.
+    linear != 0
+contradicting the comment "This only applies when the input is 16-bit".
+The fix consists in restructuring the condition to ensure both the
+`alpha` path and the `convert_to_8bit` path require linear (16-bit)
+input. The corrected condition, i.e.
+    linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)
+matches the expectation of the `png_write_image_8bit` function and
+prevents treating 8-bit buffers as 16-bit data.
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Reported-by: weijinjinnihao <weijinjinnihao@users.noreply.github.com>
+Analyzed-by: degrigis <degrigis@users.noreply.github.com>
+Reviewed-by: John Bowler <jbowler@acm.org>
+CVE: CVE-2025-64506
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngwrite.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+diff --git a/pngwrite.c b/pngwrite.c
+index 35a5d17b6..83148960e 100644
+--- a/pngwrite.c
+++ b/pngwrite.c
+@@ -2129,8 +2129,7 @@ png_image_write_main(png_voidp argument)
+     * before it is written.  This only applies when the input is 16-bit and
+     * either there is an alpha channel or it is converted to 8-bit.
+     */
+-   if ((linear != 0 && alpha != 0 ) ||
+-       (colormap == 0 && display->convert_to_8bit != 0))
+   if (linear != 0 && (alpha != 0 || display->convert_to_8bit != 0))
+    {
+       png_bytep row = png_voidcast(png_bytep, png_malloc(png_ptr,
+           png_get_rowbytes(png_ptr, info_ptr)));
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index 62e3e81b4f..cc35e7a725 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -16,6 +16,7 @@ SRC_URI = "\
           file://CVE-2025-64505-01.patch \
           file://CVE-2025-64505-02.patch \
           file://CVE-2025-64505-03.patch \
+           file://CVE-2025-64506.patch \
 "
 SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"
author	Peter Marko <peter.marko@siemens.com>	2025-11-27 19:03:46 +0100
committer	Steve Sakoman <steve@sakoman.com>	2025-12-05 06:56:34 -0800
commit	5d27e8f05da66cda8dae6b1dc2a41687deac758d (patch)
tree	1348f226953a2027f3509f71f847053b4ae59a9c
parent	d4925371886786849fe0e4408aaf285cf3c5e04b (diff)
download	poky-5d27e8f05da66cda8dae6b1dc2a41687deac758d.tar.gz

diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch new file mode 100644 index 0000000000..696f459971 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
@@ -0,0 +1,57 @@
		1	From 2bd84c019c300b78e811743fbcddb67c9d9bf821 Mon Sep 17 00:00:00 2001
		2	From: Cosmin Truta <ctruta@gmail.com>
		3	Date: Fri, 7 Nov 2025 22:40:05 +0200
		4	Subject: [PATCH] Fix a heap buffer overflow in `png_write_image_8bit`
		5
		6	The condition guarding the pre-transform path incorrectly allowed 8-bit
		7	input data to enter `png_write_image_8bit` which expects 16-bit input.
		8	This caused out-of-bounds reads when processing 8-bit grayscale+alpha
		9	images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746),
		10	with the `convert_to_8bit` flag set (an invalid combination that should
		11	bypass the pre-transform path).
		12
		13	The second part of the condition, i.e.
		14
		15	colormap == 0 && convert_to_8bit != 0
		16
		17	failed to verify that input was 16-bit, i.e.
		18
		19	linear != 0
		20
		21	contradicting the comment "This only applies when the input is 16-bit".
		22
		23	The fix consists in restructuring the condition to ensure both the
		24	`alpha` path and the `convert_to_8bit` path require linear (16-bit)
		25	input. The corrected condition, i.e.
		26
		27	linear != 0 && (alpha != 0 \|\| display->convert_to_8bit != 0)
		28
		29	matches the expectation of the `png_write_image_8bit` function and
		30	prevents treating 8-bit buffers as 16-bit data.
		31
		32	Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
		33	Reported-by: weijinjinnihao <weijinjinnihao@users.noreply.github.com>
		34	Analyzed-by: degrigis <degrigis@users.noreply.github.com>
		35	Reviewed-by: John Bowler <jbowler@acm.org>
		36
		37	CVE: CVE-2025-64506
		38	Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821]
		39	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		40	---
		41	pngwrite.c \| 3 +--
		42	1 file changed, 1 insertion(+), 2 deletions(-)
		43
		44	diff --git a/pngwrite.c b/pngwrite.c
		45	index 35a5d17b6..83148960e 100644
		46	--- a/pngwrite.c
		47	+++ b/pngwrite.c
		48	@@ -2129,8 +2129,7 @@ png_image_write_main(png_voidp argument)
		49	* before it is written. This only applies when the input is 16-bit and
		50	* either there is an alpha channel or it is converted to 8-bit.
		51	*/
		52	- if ((linear != 0 && alpha != 0 ) \|\|
		53	- (colormap == 0 && display->convert_to_8bit != 0))
		54	+ if (linear != 0 && (alpha != 0 \|\| display->convert_to_8bit != 0))
		55	{
		56	png_bytep row = png_voidcast(png_bytep, png_malloc(png_ptr,
		57	png_get_rowbytes(png_ptr, info_ptr)));


diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index 62e3e81b4f..cc35e7a725 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -16,6 +16,7 @@ SRC_URI = "\
16	file://CVE-2025-64505-01.patch \	16	file://CVE-2025-64505-01.patch \
17	file://CVE-2025-64505-02.patch \	17	file://CVE-2025-64505-02.patch \
18	file://CVE-2025-64505-03.patch \	18	file://CVE-2025-64505-03.patch \
		19	file://CVE-2025-64506.patch \
19	"	20	"
20		21
21	SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"	22	SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"