3 files changed, 187 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
new file mode 100644
index 0000000000..d3db455cdf
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
@@ -0,0 +1,60 @@
+From 788a624d7387a758ffd5c7ab010f1870dea753a1 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sat, 29 Nov 2025 00:39:16 +0200
+Subject: [PATCH] Fix an out-of-bounds read in `png_image_read_composite`
+Add a defensive bounds check before calling PNG_sRGB_FROM_LINEAR to
+prevent reading up to 506 entries (1012 bytes) past `png_sRGB_base[]`.
+For palette images with gamma, `png_init_read_transformations`
+clears PNG_COMPOSE after compositing on the palette, but it leaves
+PNG_FLAG_OPTIMIZE_ALPHA set. The simplified API then calls
+`png_image_read_composite` with sRGB data (not linear premultiplied),
+causing the index to reach 1017. (The maximum valid index is 511.)
+NOTE:
+This is a defensive fix that addresses the security issue (out-of-bounds
+read) but *NOT* the correctness issue (wrong output). When the clamp
+triggers, the affected pixels are clamped to white instead of the
+correct composited color. Valid PNG images may render incorrectly with
+the simplified API.
+TODO:
+We already know the root cause is a flag synchronization error.
+For palette images with gamma, `png_init_read_transformations`
+clears PNG_COMPOSE but leaves PNG_FLAG_OPTIMIZE_ALPHA set, causing
+`png_image_read_composite` to misinterpret sRGB data as linear
+premultiplied. However, we have yet to implement an architectural fix
+that requires coordinating the simplified API with the transformation
+pipeline.
+Reported-by: flyfish101 <flyfish101@users.noreply.github.com>
+CVE: CVE-2025-66293
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngread.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+diff --git a/pngread.c b/pngread.c
+index 79917daaa..ab62edd9d 100644
+--- a/pngread.c
+++ b/pngread.c
+@@ -3404,9 +3404,14 @@ png_image_read_composite(png_voidp argument)
+                         component += (255-alpha)*png_sRGB_table[outrow[c]];
+ 
+                         /* So 'component' is scaled by 255*65535 and is
+-                         * therefore appropriate for the sRGB to linear
+-                         * conversion table.
+                         * therefore appropriate for the sRGB-to-linear
+                         * conversion table.  Clamp to the valid range
+                         * as a defensive measure against an internal
+                         * libpng bug where the data is sRGB rather than
+                         * linear premultiplied.
+                          */
+                        if (component > 255*65535)
+                           component = 255*65535;
+                         component = PNG_sRGB_FROM_LINEAR(component);
+                      }
+ 
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
new file mode 100644
index 0000000000..e725f1e0f2
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
@@ -0,0 +1,125 @@
+From a05a48b756de63e3234ea6b3b938b8f5f862484a Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Mon, 1 Dec 2025 22:31:54 +0200
+Subject: [PATCH] Finalize the fix for out-of-bounds read in
+ `png_image_read_composite`
+Following up on commit 788a624d7387a758ffd5c7ab010f1870dea753a1.
+The previous commit added a defensive bounds check to address the
+security issue (out-of-bounds read), but noted that the correctness
+issue remained: when the clamp triggered, the affected pixels were
+clamped to white instead of the correct composited color.
+This commit addresses the correctness issue by fixing the flag
+synchronization error identified in the previous commit's TODO:
+1. In `png_init_read_transformations`:
+   Clear PNG_FLAG_OPTIMIZE_ALPHA when clearing PNG_COMPOSE for palette
+   images. This correctly signals that the data is sRGB, not linear
+   premultiplied.
+2. In `png_image_read_composite`:
+   Check PNG_FLAG_OPTIMIZE_ALPHA and use the appropriate composition
+   formula. When set, use the existing linear composition. When cleared
+   (palette composition already done), use sRGB composition to match
+   what was done to the palette.
+Retain the previous clamp to the valid range as belt-and-suspenders
+protection against any other unforeseen cases.
+CVE: CVE-2025-66293
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngread.c  | 56 ++++++++++++++++++++++++++++++++++++------------------
+ pngrtran.c |  1 +
+ 2 files changed, 39 insertions(+), 18 deletions(-)
+diff --git a/pngread.c b/pngread.c
+index ab62edd9d..f8ca2b7e3 100644
+--- a/pngread.c
+++ b/pngread.c
+@@ -3338,6 +3338,7 @@ png_image_read_composite(png_voidp argument)
+       ptrdiff_t    step_row = display->row_bytes;
+       unsigned int channels =
+           (image->format & PNG_FORMAT_FLAG_COLOR) != 0 ? 3 : 1;
+      int optimize_alpha = (png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0;
+       int pass;
+ 
+       for (pass = 0; pass < passes; ++pass)
+@@ -3394,25 +3395,44 @@ png_image_read_composite(png_voidp argument)
+ 
+                      if (alpha < 255) /* else just use component */
+                      {
+-                        /* This is PNG_OPTIMIZED_ALPHA, the component value
+-                         * is a linear 8-bit value.  Combine this with the
+-                         * current outrow[c] value which is sRGB encoded.
+-                         * Arithmetic here is 16-bits to preserve the output
+-                         * values correctly.
+-                         */
+-                        component *= 257*255; /* =65535 */
+-                        component += (255-alpha)*png_sRGB_table[outrow[c]];
+                        if (optimize_alpha != 0)
+                        {
+                           /* This is PNG_OPTIMIZED_ALPHA, the component value
+                            * is a linear 8-bit value.  Combine this with the
+                            * current outrow[c] value which is sRGB encoded.
+                            * Arithmetic here is 16-bits to preserve the output
+                            * values correctly.
+                            */
+                           component *= 257*255; /* =65535 */
+                           component += (255-alpha)*png_sRGB_table[outrow[c]];
+ 
+-                        /* So 'component' is scaled by 255*65535 and is
+-                         * therefore appropriate for the sRGB-to-linear
+-                         * conversion table.  Clamp to the valid range
+-                         * as a defensive measure against an internal
+-                         * libpng bug where the data is sRGB rather than
+-                         * linear premultiplied.
+-                         */
+-                        if (component > 255*65535)
+-                           component = 255*65535;
+-                        component = PNG_sRGB_FROM_LINEAR(component);
+                           /* Clamp to the valid range to defend against
+                            * unforeseen cases where the data might be sRGB
+                            * instead of linear premultiplied.
+                            * (Belt-and-suspenders for GitHub Issue #764.)
+                            */
+                           if (component > 255*65535)
+                              component = 255*65535;
+
+                           /* So 'component' is scaled by 255*65535 and is
+                            * therefore appropriate for the sRGB-to-linear
+                            * conversion table.
+                            */
+                           component = PNG_sRGB_FROM_LINEAR(component);
+                        }
+                        else
+                        {
+                           /* Compositing was already done on the palette
+                            * entries.  The data is sRGB premultiplied on black.
+                            * Composite with the background in sRGB space.
+                            * This is not gamma-correct, but matches what was
+                            * done to the palette.
+                            */
+                           png_uint_32 background = outrow[c];
+                           component += ((255-alpha) * background + 127) / 255;
+                           if (component > 255)
+                              component = 255;
+                        }
+                      }
+ 
+                      outrow[c] = (png_byte)component;
+diff --git a/pngrtran.c b/pngrtran.c
+index 2f5202255..507d11381 100644
+--- a/pngrtran.c
+++ b/pngrtran.c
+@@ -1760,6 +1760,7 @@ png_init_read_transformations(png_structrp png_ptr)
+              * transformations elsewhere.
+              */
+             png_ptr->transformations &= ~(PNG_COMPOSE | PNG_GAMMA);
+            png_ptr->flags &= ~PNG_FLAG_OPTIMIZE_ALPHA;
+          } /* color_type == PNG_COLOR_TYPE_PALETTE */
+ 
+          /* if (png_ptr->background_gamma_type!=PNG_BACKGROUND_GAMMA_UNKNOWN) */
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index 47b76a704b..70685b68e7 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -20,6 +20,8 @@ SRC_URI = "\
           file://CVE-2025-64720.patch \
           file://CVE-2025-65018-01.patch \
           file://CVE-2025-65018-02.patch \
+           file://CVE-2025-66293-01.patch \
+           file://CVE-2025-66293-02.patch \
 "
 SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"

diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch new file mode 100644 index 0000000000..d3db455cdf --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
@@ -0,0 +1,60 @@
		1	From 788a624d7387a758ffd5c7ab010f1870dea753a1 Mon Sep 17 00:00:00 2001
		2	From: Cosmin Truta <ctruta@gmail.com>
		3	Date: Sat, 29 Nov 2025 00:39:16 +0200
		4	Subject: [PATCH] Fix an out-of-bounds read in `png_image_read_composite`
		5
		6	Add a defensive bounds check before calling PNG_sRGB_FROM_LINEAR to
		7	prevent reading up to 506 entries (1012 bytes) past `png_sRGB_base[]`.
		8
		9	For palette images with gamma, `png_init_read_transformations`
		10	clears PNG_COMPOSE after compositing on the palette, but it leaves
		11	PNG_FLAG_OPTIMIZE_ALPHA set. The simplified API then calls
		12	`png_image_read_composite` with sRGB data (not linear premultiplied),
		13	causing the index to reach 1017. (The maximum valid index is 511.)
		14
		15	NOTE:
		16	This is a defensive fix that addresses the security issue (out-of-bounds
		17	read) but NOT the correctness issue (wrong output). When the clamp
		18	triggers, the affected pixels are clamped to white instead of the
		19	correct composited color. Valid PNG images may render incorrectly with
		20	the simplified API.
		21
		22	TODO:
		23	We already know the root cause is a flag synchronization error.
		24	For palette images with gamma, `png_init_read_transformations`
		25	clears PNG_COMPOSE but leaves PNG_FLAG_OPTIMIZE_ALPHA set, causing
		26	`png_image_read_composite` to misinterpret sRGB data as linear
		27	premultiplied. However, we have yet to implement an architectural fix
		28	that requires coordinating the simplified API with the transformation
		29	pipeline.
		30
		31	Reported-by: flyfish101 <flyfish101@users.noreply.github.com>
		32
		33	CVE: CVE-2025-66293
		34	Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1]
		35	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		36	---
		37	pngread.c \| 9 +++++++--
		38	1 file changed, 7 insertions(+), 2 deletions(-)
		39
		40	diff --git a/pngread.c b/pngread.c
		41	index 79917daaa..ab62edd9d 100644
		42	--- a/pngread.c
		43	+++ b/pngread.c
		44	@@ -3404,9 +3404,14 @@ png_image_read_composite(png_voidp argument)
		45	component += (255-alpha)*png_sRGB_table[outrow[c]];
		46
		47	/* So 'component' is scaled by 255*65535 and is
		48	- * therefore appropriate for the sRGB to linear
		49	- * conversion table.
		50	+ * therefore appropriate for the sRGB-to-linear
		51	+ * conversion table. Clamp to the valid range
		52	+ * as a defensive measure against an internal
		53	+ * libpng bug where the data is sRGB rather than
		54	+ * linear premultiplied.
		55	*/
		56	+ if (component > 255*65535)
		57	+ component = 255*65535;
		58	component = PNG_sRGB_FROM_LINEAR(component);
		59	}
		60


diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch new file mode 100644 index 0000000000..e725f1e0f2 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
@@ -0,0 +1,125 @@
		1	From a05a48b756de63e3234ea6b3b938b8f5f862484a Mon Sep 17 00:00:00 2001
		2	From: Cosmin Truta <ctruta@gmail.com>
		3	Date: Mon, 1 Dec 2025 22:31:54 +0200
		4	Subject: [PATCH] Finalize the fix for out-of-bounds read in
		5	`png_image_read_composite`
		6
		7	Following up on commit 788a624d7387a758ffd5c7ab010f1870dea753a1.
		8
		9	The previous commit added a defensive bounds check to address the
		10	security issue (out-of-bounds read), but noted that the correctness
		11	issue remained: when the clamp triggered, the affected pixels were
		12	clamped to white instead of the correct composited color.
		13
		14	This commit addresses the correctness issue by fixing the flag
		15	synchronization error identified in the previous commit's TODO:
		16
		17	1. In `png_init_read_transformations`:
		18	Clear PNG_FLAG_OPTIMIZE_ALPHA when clearing PNG_COMPOSE for palette
		19	images. This correctly signals that the data is sRGB, not linear
		20	premultiplied.
		21
		22	2. In `png_image_read_composite`:
		23	Check PNG_FLAG_OPTIMIZE_ALPHA and use the appropriate composition
		24	formula. When set, use the existing linear composition. When cleared
		25	(palette composition already done), use sRGB composition to match
		26	what was done to the palette.
		27
		28	Retain the previous clamp to the valid range as belt-and-suspenders
		29	protection against any other unforeseen cases.
		30
		31	CVE: CVE-2025-66293
		32	Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a]
		33	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		34	---
		35	pngread.c \| 56 ++++++++++++++++++++++++++++++++++++------------------
		36	pngrtran.c \| 1 +
		37	2 files changed, 39 insertions(+), 18 deletions(-)
		38
		39	diff --git a/pngread.c b/pngread.c
		40	index ab62edd9d..f8ca2b7e3 100644
		41	--- a/pngread.c
		42	+++ b/pngread.c
		43	@@ -3338,6 +3338,7 @@ png_image_read_composite(png_voidp argument)
		44	ptrdiff_t step_row = display->row_bytes;
		45	unsigned int channels =
		46	(image->format & PNG_FORMAT_FLAG_COLOR) != 0 ? 3 : 1;
		47	+ int optimize_alpha = (png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0;
		48	int pass;
		49
		50	for (pass = 0; pass < passes; ++pass)
		51	@@ -3394,25 +3395,44 @@ png_image_read_composite(png_voidp argument)
		52
		53	if (alpha < 255) /* else just use component */
		54	{
		55	- /* This is PNG_OPTIMIZED_ALPHA, the component value
		56	- * is a linear 8-bit value. Combine this with the
		57	- * current outrow[c] value which is sRGB encoded.
		58	- * Arithmetic here is 16-bits to preserve the output
		59	- * values correctly.
		60	- */
		61	- component = 257255; /* =65535 */
		62	- component += (255-alpha)*png_sRGB_table[outrow[c]];
		63	+ if (optimize_alpha != 0)
		64	+ {
		65	+ /* This is PNG_OPTIMIZED_ALPHA, the component value
		66	+ * is a linear 8-bit value. Combine this with the
		67	+ * current outrow[c] value which is sRGB encoded.
		68	+ * Arithmetic here is 16-bits to preserve the output
		69	+ * values correctly.
		70	+ */
		71	+ component = 257255; /* =65535 */
		72	+ component += (255-alpha)*png_sRGB_table[outrow[c]];
		73
		74	- /* So 'component' is scaled by 255*65535 and is
		75	- * therefore appropriate for the sRGB-to-linear
		76	- * conversion table. Clamp to the valid range
		77	- * as a defensive measure against an internal
		78	- * libpng bug where the data is sRGB rather than
		79	- * linear premultiplied.
		80	- */
		81	- if (component > 255*65535)
		82	- component = 255*65535;
		83	- component = PNG_sRGB_FROM_LINEAR(component);
		84	+ /* Clamp to the valid range to defend against
		85	+ * unforeseen cases where the data might be sRGB
		86	+ * instead of linear premultiplied.
		87	+ * (Belt-and-suspenders for GitHub Issue #764.)
		88	+ */
		89	+ if (component > 255*65535)
		90	+ component = 255*65535;
		91	+
		92	+ /* So 'component' is scaled by 255*65535 and is
		93	+ * therefore appropriate for the sRGB-to-linear
		94	+ * conversion table.
		95	+ */
		96	+ component = PNG_sRGB_FROM_LINEAR(component);
		97	+ }
		98	+ else
		99	+ {
		100	+ /* Compositing was already done on the palette
		101	+ * entries. The data is sRGB premultiplied on black.
		102	+ * Composite with the background in sRGB space.
		103	+ * This is not gamma-correct, but matches what was
		104	+ * done to the palette.
		105	+ */
		106	+ png_uint_32 background = outrow[c];
		107	+ component += ((255-alpha) * background + 127) / 255;
		108	+ if (component > 255)
		109	+ component = 255;
		110	+ }
		111	}
		112
		113	outrow[c] = (png_byte)component;
		114	diff --git a/pngrtran.c b/pngrtran.c
		115	index 2f5202255..507d11381 100644
		116	--- a/pngrtran.c
		117	+++ b/pngrtran.c
		118	@@ -1760,6 +1760,7 @@ png_init_read_transformations(png_structrp png_ptr)
		119	* transformations elsewhere.
		120	*/
		121	png_ptr->transformations &= ~(PNG_COMPOSE \| PNG_GAMMA);
		122	+ png_ptr->flags &= ~PNG_FLAG_OPTIMIZE_ALPHA;
		123	} /* color_type == PNG_COLOR_TYPE_PALETTE */
		124
		125	/* if (png_ptr->background_gamma_type!=PNG_BACKGROUND_GAMMA_UNKNOWN) */


diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index 47b76a704b..70685b68e7 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -20,6 +20,8 @@ SRC_URI = "\
20	file://CVE-2025-64720.patch \	20	file://CVE-2025-64720.patch \
21	file://CVE-2025-65018-01.patch \	21	file://CVE-2025-65018-01.patch \
22	file://CVE-2025-65018-02.patch \	22	file://CVE-2025-65018-02.patch \
		23	file://CVE-2025-66293-01.patch \
		24	file://CVE-2025-66293-02.patch \
23	"	25	"
24		26
25	SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"	27	SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"