helium-3rd-party/poky
1
0
Fork 0
mirror of git://git.yoctoproject.org/poky synced 2026-04-02 02:49:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
poky/meta/recipes-multimedia/libpng/files/CVE-2026-25646.patch
Peter Marko d95e14f86c libpng: patch CVE-2026-25646 
Backport patch mentioned in NVD CVE report.

(From OE-Core rev: dd08ef6de714ea06d6b6255faca2ddbc66450977)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-02-27 17:45:06 +00:00

62 lines
2.2 KiB
Diff
Raw Blame History

From 01d03b8453eb30ade759cd45c707e5a1c7277d88 Mon Sep 17 00:00:00 2001
From: Cosmin Truta <ctruta@gmail.com>
Date: Fri, 6 Feb 2026 19:11:54 +0200
Subject: [PATCH] Fix a heap buffer overflow in `png_set_quantize`
The color distance hash table stored the current palette indices, but
the color-pruning loop assumed the original indices. When colors were
eliminated and indices changed, the stored indices became stale. This
caused the loop bound `max_d` to grow past the 769-element hash array.
The fix consists in storing the original indices via `palette_to_index`
to match the pruning loop's expectations.
Reported-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
Co-authored-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
CVE: CVE-2026-25646
Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
AUTHORS | 1 +
pngrtran.c | 6 +++---
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index b9c0fffcf..4094f4a57 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -15,6 +15,7 @@ Authors, for copyright and licensing purposes.
* Guy Eric Schalnat
* James Yu
* John Bowler
+ * Joshua Inscoe
* Kevin Bracey
* Magnus Holmgren
* Mandar Sahastrabuddhe
diff --git a/pngrtran.c b/pngrtran.c
index fe8f9d32c..1fce9af12 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -1,7 +1,7 @@
/* pngrtran.c - transforms the data in a row for PNG readers
*
- * Copyright (c) 2018-2024 Cosmin Truta
+ * Copyright (c) 2018-2026 Cosmin Truta
* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
* Copyright (c) 1996-1997 Andreas Dilger
* Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
@@ -647,8 +647,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
break;
t->next = hash[d];
- t->left = (png_byte)i;
- t->right = (png_byte)j;
+ t->left = png_ptr->palette_to_index[i];
+ t->right = png_ptr->palette_to_index[j];
hash[d] = t;
}
}
Reference in New Issue View Git Blame Copy Permalink