From: Peter Marko <[email protected]> Pick commit per NVD report.
Signed-off-by: Peter Marko <[email protected]> Signed-off-by: Steve Sakoman <[email protected]> --- .../libpng/files/CVE-2025-64506.patch | 57 +++++++++++++++++++ .../libpng/libpng_1.6.39.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch new file mode 100644 index 0000000000..696f459971 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch @@ -0,0 +1,57 @@ +From 2bd84c019c300b78e811743fbcddb67c9d9bf821 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta <[email protected]> +Date: Fri, 7 Nov 2025 22:40:05 +0200 +Subject: [PATCH] Fix a heap buffer overflow in `png_write_image_8bit` + +The condition guarding the pre-transform path incorrectly allowed 8-bit +input data to enter `png_write_image_8bit` which expects 16-bit input. +This caused out-of-bounds reads when processing 8-bit grayscale+alpha +images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746), +with the `convert_to_8bit` flag set (an invalid combination that should +bypass the pre-transform path). + +The second part of the condition, i.e. + + colormap == 0 && convert_to_8bit != 0 + +failed to verify that input was 16-bit, i.e. + + linear != 0 + +contradicting the comment "This only applies when the input is 16-bit". + +The fix consists in restructuring the condition to ensure both the +`alpha` path and the `convert_to_8bit` path require linear (16-bit) +input. The corrected condition, i.e. + + linear != 0 && (alpha != 0 || display->convert_to_8bit != 0) + +matches the expectation of the `png_write_image_8bit` function and +prevents treating 8-bit buffers as 16-bit data. + +Reported-by: Samsung-PENTEST <[email protected]> +Reported-by: weijinjinnihao <[email protected]> +Analyzed-by: degrigis <[email protected]> +Reviewed-by: John Bowler <[email protected]> + +CVE: CVE-2025-64506 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821] +Signed-off-by: Peter Marko <[email protected]> +--- + pngwrite.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/pngwrite.c b/pngwrite.c +index 35a5d17b6..83148960e 100644 +--- a/pngwrite.c ++++ b/pngwrite.c +@@ -2129,8 +2129,7 @@ png_image_write_main(png_voidp argument) + * before it is written. This only applies when the input is 16-bit and + * either there is an alpha channel or it is converted to 8-bit. + */ +- if ((linear != 0 && alpha != 0 ) || +- (colormap == 0 && display->convert_to_8bit != 0)) ++ if (linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)) + { + png_bytep row = png_voidcast(png_bytep, png_malloc(png_ptr, + png_get_rowbytes(png_ptr, info_ptr))); diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index 62e3e81b4f..cc35e7a725 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb @@ -16,6 +16,7 @@ SRC_URI = "\ file://CVE-2025-64505-01.patch \ file://CVE-2025-64505-02.patch \ file://CVE-2025-64505-03.patch \ + file://CVE-2025-64506.patch \ " SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937" -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#227162): https://lists.openembedded.org/g/openembedded-core/message/227162 Mute This Topic: https://lists.openembedded.org/mt/116577535/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
