2 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
new file mode 100644
index 0000000000..08df7c3210
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
@@ -0,0 +1,103 @@
+From 08da33b4c88cfcd36e5a706558a8d7e0e4773643 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Wed, 12 Nov 2025 13:46:23 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_init_read_transformations`
+The palette compositing code in `png_init_read_transformations` was
+incorrectly applying background compositing when PNG_FLAG_OPTIMIZE_ALPHA
+was set. This violated the premultiplied alpha invariant
+`component <= alpha` expected by `png_image_read_composite`, causing
+values that exceeded the valid range for the PNG_sRGB_FROM_LINEAR lookup
+tables.
+When PNG_ALPHA_OPTIMIZED is active, palette entries should contain pure
+premultiplied RGB values without background compositing. The background
+compositing must happen later in `png_image_read_composite` where the
+actual background color from the PNG file is available.
+The fix consists in introducing conditional behavior based on
+PNG_FLAG_OPTIMIZE_ALPHA: when set, the code performs only
+premultiplication using the formula `component * alpha + 127) / 255`
+with proper gamma correction. When not set, the original background
+compositing calculation based on the `png_composite` macro is preserved.
+This prevents buffer overflows in `png_image_read_composite` where
+out-of-range premultiplied values would cause out-of-bounds array access
+in `png_sRGB_base[]` and `png_sRGB_delta[]`.
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Analyzed-by: John Bowler <jbowler@acm.org>
+CVE: CVE-2025-64720
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngrtran.c | 52 ++++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 42 insertions(+), 10 deletions(-)
+diff --git a/pngrtran.c b/pngrtran.c
+index 548780030..2f5202255 100644
+--- a/pngrtran.c
+++ b/pngrtran.c
+@@ -1698,19 +1698,51 @@ png_init_read_transformations(png_structrp png_ptr)
+                   }
+                   else /* if (png_ptr->trans_alpha[i] != 0xff) */
+                   {
+-                     png_byte v, w;
+                     if ((png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0)
+                     {
+                        /* Premultiply only:
+                         * component = round((component * alpha) / 255)
+                         */
+                        png_uint_32 component;
+ 
+-                     v = png_ptr->gamma_to_1[palette[i].red];
+-                     png_composite(w, v, png_ptr->trans_alpha[i], back_1.red);
+-                     palette[i].red = png_ptr->gamma_from_1[w];
+                        component = png_ptr->gamma_to_1[palette[i].red];
+                        component =
+                            (component * png_ptr->trans_alpha[i] + 128) / 255;
+                        palette[i].red = png_ptr->gamma_from_1[component];
+ 
+-                     v = png_ptr->gamma_to_1[palette[i].green];
+-                     png_composite(w, v, png_ptr->trans_alpha[i], back_1.green);
+-                     palette[i].green = png_ptr->gamma_from_1[w];
+                        component = png_ptr->gamma_to_1[palette[i].green];
+                        component =
+                            (component * png_ptr->trans_alpha[i] + 128) / 255;
+                        palette[i].green = png_ptr->gamma_from_1[component];
+ 
+-                     v = png_ptr->gamma_to_1[palette[i].blue];
+-                     png_composite(w, v, png_ptr->trans_alpha[i], back_1.blue);
+-                     palette[i].blue = png_ptr->gamma_from_1[w];
+                        component = png_ptr->gamma_to_1[palette[i].blue];
+                        component =
+                            (component * png_ptr->trans_alpha[i] + 128) / 255;
+                        palette[i].blue = png_ptr->gamma_from_1[component];
+                     }
+                     else
+                     {
+                        /* Composite with background color:
+                         * component =
+                         *    alpha * component + (1 - alpha) * background
+                         */
+                        png_byte v, w;
+
+                        v = png_ptr->gamma_to_1[palette[i].red];
+                        png_composite(w, v,
+                            png_ptr->trans_alpha[i], back_1.red);
+                        palette[i].red = png_ptr->gamma_from_1[w];
+
+                        v = png_ptr->gamma_to_1[palette[i].green];
+                        png_composite(w, v,
+                            png_ptr->trans_alpha[i], back_1.green);
+                        palette[i].green = png_ptr->gamma_from_1[w];
+
+                        v = png_ptr->gamma_to_1[palette[i].blue];
+                        png_composite(w, v,
+                            png_ptr->trans_alpha[i], back_1.blue);
+                        palette[i].blue = png_ptr->gamma_from_1[w];
+                     }
+                   }
+                }
+                else
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index cc35e7a725..efb8eba372 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -17,6 +17,7 @@ SRC_URI = "\
           file://CVE-2025-64505-02.patch \
           file://CVE-2025-64505-03.patch \
           file://CVE-2025-64506.patch \
+           file://CVE-2025-64720.patch \
 "
 SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"

diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch new file mode 100644 index 0000000000..08df7c3210 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
@@ -0,0 +1,103 @@
		1	From 08da33b4c88cfcd36e5a706558a8d7e0e4773643 Mon Sep 17 00:00:00 2001
		2	From: Cosmin Truta <ctruta@gmail.com>
		3	Date: Wed, 12 Nov 2025 13:46:23 +0200
		4	Subject: [PATCH] Fix a buffer overflow in `png_init_read_transformations`
		5
		6	The palette compositing code in `png_init_read_transformations` was
		7	incorrectly applying background compositing when PNG_FLAG_OPTIMIZE_ALPHA
		8	was set. This violated the premultiplied alpha invariant
		9	`component <= alpha` expected by `png_image_read_composite`, causing
		10	values that exceeded the valid range for the PNG_sRGB_FROM_LINEAR lookup
		11	tables.
		12
		13	When PNG_ALPHA_OPTIMIZED is active, palette entries should contain pure
		14	premultiplied RGB values without background compositing. The background
		15	compositing must happen later in `png_image_read_composite` where the
		16	actual background color from the PNG file is available.
		17
		18	The fix consists in introducing conditional behavior based on
		19	PNG_FLAG_OPTIMIZE_ALPHA: when set, the code performs only
		20	premultiplication using the formula `component * alpha + 127) / 255`
		21	with proper gamma correction. When not set, the original background
		22	compositing calculation based on the `png_composite` macro is preserved.
		23
		24	This prevents buffer overflows in `png_image_read_composite` where
		25	out-of-range premultiplied values would cause out-of-bounds array access
		26	in `png_sRGB_base[]` and `png_sRGB_delta[]`.
		27
		28	Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
		29	Analyzed-by: John Bowler <jbowler@acm.org>
		30
		31	CVE: CVE-2025-64720
		32	Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643]
		33	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		34	---
		35	pngrtran.c \| 52 ++++++++++++++++++++++++++++++++++++++++++----------
		36	1 file changed, 42 insertions(+), 10 deletions(-)
		37
		38	diff --git a/pngrtran.c b/pngrtran.c
		39	index 548780030..2f5202255 100644
		40	--- a/pngrtran.c
		41	+++ b/pngrtran.c
		42	@@ -1698,19 +1698,51 @@ png_init_read_transformations(png_structrp png_ptr)
		43	}
		44	else /* if (png_ptr->trans_alpha[i] != 0xff) */
		45	{
		46	- png_byte v, w;
		47	+ if ((png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0)
		48	+ {
		49	+ /* Premultiply only:
		50	+ * component = round((component * alpha) / 255)
		51	+ */
		52	+ png_uint_32 component;
		53
		54	- v = png_ptr->gamma_to_1[palette[i].red];
		55	- png_composite(w, v, png_ptr->trans_alpha[i], back_1.red);
		56	- palette[i].red = png_ptr->gamma_from_1[w];
		57	+ component = png_ptr->gamma_to_1[palette[i].red];
		58	+ component =
		59	+ (component * png_ptr->trans_alpha[i] + 128) / 255;
		60	+ palette[i].red = png_ptr->gamma_from_1[component];
		61
		62	- v = png_ptr->gamma_to_1[palette[i].green];
		63	- png_composite(w, v, png_ptr->trans_alpha[i], back_1.green);
		64	- palette[i].green = png_ptr->gamma_from_1[w];
		65	+ component = png_ptr->gamma_to_1[palette[i].green];
		66	+ component =
		67	+ (component * png_ptr->trans_alpha[i] + 128) / 255;
		68	+ palette[i].green = png_ptr->gamma_from_1[component];
		69
		70	- v = png_ptr->gamma_to_1[palette[i].blue];
		71	- png_composite(w, v, png_ptr->trans_alpha[i], back_1.blue);
		72	- palette[i].blue = png_ptr->gamma_from_1[w];
		73	+ component = png_ptr->gamma_to_1[palette[i].blue];
		74	+ component =
		75	+ (component * png_ptr->trans_alpha[i] + 128) / 255;
		76	+ palette[i].blue = png_ptr->gamma_from_1[component];
		77	+ }
		78	+ else
		79	+ {
		80	+ /* Composite with background color:
		81	+ * component =
		82	+ * alpha * component + (1 - alpha) * background
		83	+ */
		84	+ png_byte v, w;
		85	+
		86	+ v = png_ptr->gamma_to_1[palette[i].red];
		87	+ png_composite(w, v,
		88	+ png_ptr->trans_alpha[i], back_1.red);
		89	+ palette[i].red = png_ptr->gamma_from_1[w];
		90	+
		91	+ v = png_ptr->gamma_to_1[palette[i].green];
		92	+ png_composite(w, v,
		93	+ png_ptr->trans_alpha[i], back_1.green);
		94	+ palette[i].green = png_ptr->gamma_from_1[w];
		95	+
		96	+ v = png_ptr->gamma_to_1[palette[i].blue];
		97	+ png_composite(w, v,
		98	+ png_ptr->trans_alpha[i], back_1.blue);
		99	+ palette[i].blue = png_ptr->gamma_from_1[w];
		100	+ }
		101	}
		102	}
		103	else


diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index cc35e7a725..efb8eba372 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -17,6 +17,7 @@ SRC_URI = "\
17	file://CVE-2025-64505-02.patch \	17	file://CVE-2025-64505-02.patch \
18	file://CVE-2025-64505-03.patch \	18	file://CVE-2025-64505-03.patch \
19	file://CVE-2025-64506.patch \	19	file://CVE-2025-64506.patch \
		20	file://CVE-2025-64720.patch \
20	"	21	"
21		22
22	SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"	23	SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"