libpng: patch CVE-2026-25646

Backport patch mentioned in NVD CVE report. (From OE-Core rev: dd08ef6de714ea06d6b6255faca2ddbc66450977) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2026-02-17 22:05:41 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-02-27 17:45:06 +0000
commit: d95e14f86c18454d48baa48415de447343595b1d (patch)
tree: 8577094d7b347e09b61173e4555e4ccb0c4fd34e /meta
parent: 119ec1b846b0a380474c15dbafac6181a05120a6 (diff)
download: poky-d95e14f86c18454d48baa48415de447343595b1d.tar.gz
2 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
new file mode 100644
index 0000000000..5fbf5eb0f7
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
@@ -0,0 +1,61 @@
+From 01d03b8453eb30ade759cd45c707e5a1c7277d88 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Fri, 6 Feb 2026 19:11:54 +0200
+Subject: [PATCH] Fix a heap buffer overflow in `png_set_quantize`
+The color distance hash table stored the current palette indices, but
+the color-pruning loop assumed the original indices. When colors were
+eliminated and indices changed, the stored indices became stale. This
+caused the loop bound `max_d` to grow past the 769-element hash array.
+The fix consists in storing the original indices via `palette_to_index`
+to match the pruning loop's expectations.
+Reported-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
+Co-authored-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
+Signed-off-by: Cosmin Truta <ctruta@gmail.com>
+CVE: CVE-2026-25646
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ AUTHORS    | 1 +
+ pngrtran.c | 6 +++---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+diff --git a/AUTHORS b/AUTHORS
+index b9c0fffcf..4094f4a57 100644
+--- a/AUTHORS
+++ b/AUTHORS
+@@ -15,6 +15,7 @@ Authors, for copyright and licensing purposes.
+  * Guy Eric Schalnat
+  * James Yu
+  * John Bowler
+ * Joshua Inscoe
+  * Kevin Bracey
+  * Magnus Holmgren
+  * Mandar Sahastrabuddhe
+diff --git a/pngrtran.c b/pngrtran.c
+index fe8f9d32c..1fce9af12 100644
+--- a/pngrtran.c
+++ b/pngrtran.c
+@@ -1,7 +1,7 @@
+ 
+ /* pngrtran.c - transforms the data in a row for PNG readers
+  *
+- * Copyright (c) 2018-2024 Cosmin Truta
+ * Copyright (c) 2018-2026 Cosmin Truta
+  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
+  * Copyright (c) 1996-1997 Andreas Dilger
+  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
+@@ -647,8 +647,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+                          break;
+ 
+                      t->next = hash[d];
+-                     t->left = (png_byte)i;
+-                     t->right = (png_byte)j;
+                     t->left = png_ptr->palette_to_index[i];
+                     t->right = png_ptr->palette_to_index[j];
+                      hash[d] = t;
+                   }
+                }
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
index 0e375a0ce8..7471315fdd 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
@@ -23,6 +23,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz
           file://CVE-2025-66293-02.patch \
           file://CVE-2026-22695.patch \
           file://CVE-2026-22801.patch \
+           file://CVE-2026-25646.patch \
 "
 SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
author	Peter Marko <peter.marko@siemens.com>	2026-02-17 22:05:41 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-02-27 17:45:06 +0000
commit	d95e14f86c18454d48baa48415de447343595b1d (patch)
tree	8577094d7b347e09b61173e4555e4ccb0c4fd34e /meta
parent	119ec1b846b0a380474c15dbafac6181a05120a6 (diff)
download	poky-d95e14f86c18454d48baa48415de447343595b1d.tar.gz

diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch new file mode 100644 index 0000000000..5fbf5eb0f7 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
@@ -0,0 +1,61 @@
		1	From 01d03b8453eb30ade759cd45c707e5a1c7277d88 Mon Sep 17 00:00:00 2001
		2	From: Cosmin Truta <ctruta@gmail.com>
		3	Date: Fri, 6 Feb 2026 19:11:54 +0200
		4	Subject: [PATCH] Fix a heap buffer overflow in `png_set_quantize`
		5
		6	The color distance hash table stored the current palette indices, but
		7	the color-pruning loop assumed the original indices. When colors were
		8	eliminated and indices changed, the stored indices became stale. This
		9	caused the loop bound `max_d` to grow past the 769-element hash array.
		10
		11	The fix consists in storing the original indices via `palette_to_index`
		12	to match the pruning loop's expectations.
		13
		14	Reported-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
		15	Co-authored-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
		16	Signed-off-by: Cosmin Truta <ctruta@gmail.com>
		17
		18	CVE: CVE-2026-25646
		19	Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88]
		20	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		21	---
		22	AUTHORS \| 1 +
		23	pngrtran.c \| 6 +++---
		24	2 files changed, 4 insertions(+), 3 deletions(-)
		25
		26	diff --git a/AUTHORS b/AUTHORS
		27	index b9c0fffcf..4094f4a57 100644
		28	--- a/AUTHORS
		29	+++ b/AUTHORS
		30	@@ -15,6 +15,7 @@ Authors, for copyright and licensing purposes.
		31	* Guy Eric Schalnat
		32	* James Yu
		33	* John Bowler
		34	+ * Joshua Inscoe
		35	* Kevin Bracey
		36	* Magnus Holmgren
		37	* Mandar Sahastrabuddhe
		38	diff --git a/pngrtran.c b/pngrtran.c
		39	index fe8f9d32c..1fce9af12 100644
		40	--- a/pngrtran.c
		41	+++ b/pngrtran.c
		42	@@ -1,7 +1,7 @@
		43
		44	/* pngrtran.c - transforms the data in a row for PNG readers
		45	*
		46	- * Copyright (c) 2018-2024 Cosmin Truta
		47	+ * Copyright (c) 2018-2026 Cosmin Truta
		48	* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
		49	* Copyright (c) 1996-1997 Andreas Dilger
		50	* Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
		51	@@ -647,8 +647,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
		52	break;
		53
		54	t->next = hash[d];
		55	- t->left = (png_byte)i;
		56	- t->right = (png_byte)j;
		57	+ t->left = png_ptr->palette_to_index[i];
		58	+ t->right = png_ptr->palette_to_index[j];
		59	hash[d] = t;
		60	}
		61	}


diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb index 0e375a0ce8..7471315fdd 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
@@ -23,6 +23,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz
23	file://CVE-2025-66293-02.patch \	23	file://CVE-2025-66293-02.patch \
24	file://CVE-2026-22695.patch \	24	file://CVE-2026-22695.patch \
25	file://CVE-2026-22801.patch \	25	file://CVE-2026-22801.patch \
		26	file://CVE-2026-25646.patch \
26	"	27	"
27		28
28	SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"	29	SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"