From: Sudhir Dumbhare <[email protected]> Pick the patch [1] as mentioned in [2].
[1] https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-33636 Reference: https://security-tracker.debian.org/tracker/CVE-2026-33636 https://www.suse.com/security/cve/CVE-2026-33636.html Signed-off-by: Sudhir Dumbhare <[email protected]> Signed-off-by: Fabien Thomas <[email protected]>
---
.../libpng/files/CVE-2026-33636.patch | 99 +++++++++++++++++++ .../libpng/libpng_1.6.42.bb | 1 + 2 files changed, 100 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch
new file mode 100644
index 0000000000..3bd6aae2a4
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch
@@ -0,0 +1,99 @@
+From 9ff847dfcbb54f6dee3fd4e408150ae944278391 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <[email protected]>
+Date: Sat, 21 Mar 2026 23:48:49 +0200
+Subject: [PATCH] fix(arm): Resolve out-of-bounds read/write in NEON palette
+ expansion
+
+Both `png_do_expand_palette_rgba8_neon` and
+`png_do_expand_palette_rgb8_neon` advanced in fixed-size chunks without
+guarding the final iteration, allowing out-of-bounds reads and writes
+when the row width is not a multiple of the chunk size.
+
+Restrict the NEON loop to full chunks only, remove the now-unnecessary
+post-loop adjustment, and undo the `*ddp` pre-adjustment before the
+pointer handoff to the scalar fallback.
+
+CVE: CVE-2026-33636
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3]
+
+Reported-by: Amemoyoi <[email protected]>
+Co-authored-by: Amemoyoi <[email protected]>
+Signed-off-by: Cosmin Truta <[email protected]>
+(cherry picked from commit aba9f18eba870d14fb52c5ba5d73451349e339c3)
+Signed-off-by: Sudhir Dumbhare <[email protected]>
+---
+ arm/palette_neon_intrinsics.c | 29 +++++++++++++----------------
+ 1 file changed, 13 insertions(+), 16 deletions(-)
+
+diff --git a/arm/palette_neon_intrinsics.c b/arm/palette_neon_intrinsics.c
+index 92c7d6f9f..bdd15849d 100644
+--- a/arm/palette_neon_intrinsics.c
++++ b/arm/palette_neon_intrinsics.c
+@@ -1,7 +1,7 @@
+
+ /* palette_neon_intrinsics.c - NEON optimised palette expansion functions
+ *
+- * Copyright (c) 2018-2019 Cosmin Truta
++ * Copyright (c) 2018-2026 Cosmin Truta
+ * Copyright (c) 2017-2018 Arm Holdings. All rights reserved.
+ * Written by Richard Townsend <[email protected]>, February 2017.
+ *
+@@ -80,7 +80,7 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info,
+ */
+ *ddp = *ddp - ((pixels_per_chunk * sizeof(png_uint_32)) - 1);
+
+- for (i = 0; i < row_width; i += pixels_per_chunk)
++ for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk)
+ {
+ uint32x4_t cur;
+ png_bytep sp = *ssp - i, dp = *ddp - (i << 2);
+@@ -90,13 +90,12 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info,
+ cur = vld1q_lane_u32(riffled_palette + *(sp - 0), cur, 3);
+ vst1q_u32((void *)dp, cur);
+ }
+- if (i != row_width)
+- {
+- /* Remove the amount that wasn't processed. */
+- i -= pixels_per_chunk;
+- }
+
+- /* Decrement output pointers. */
++ /* Undo the pre-adjustment of *ddp before the pointer handoff,
++ * so the scalar fallback in pngrtran.c receives a dp that points
++ * to the correct position.
++ */
++ *ddp = *ddp + (pixels_per_chunk * 4 - 1);
+ *ssp = *ssp - i;
+ *ddp = *ddp - (i << 2);
+ return i;
+@@ -121,7 +120,7 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info,
+ /* Seeking this back by 8 pixels x 3 bytes. */
+ *ddp = *ddp - ((pixels_per_chunk * sizeof(png_color)) - 1);
+
+- for (i = 0; i < row_width; i += pixels_per_chunk)
++ for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk)
+ {
+ uint8x8x3_t cur;
+ png_bytep sp = *ssp - i, dp = *ddp - ((i << 1) + i);
+@@ -136,13 +135,11 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info,
+ vst3_u8((void *)dp, cur);
+ }
+
+- if (i != row_width)
+- {
+- /* Remove the amount that wasn't processed. */
+- i -= pixels_per_chunk;
+- }
+-
+- /* Decrement output pointers. */
++ /* Undo the pre-adjustment of *ddp before the pointer handoff,
++ * so the scalar fallback in pngrtran.c receives a dp that points
++ * to the correct position.
++ */
++ *ddp = *ddp + (pixels_per_chunk * 3 - 1);
+ *ssp = *ssp - i;
+ *ddp = *ddp - ((i << 1) + i);
+ return i;
+--
+2.44.4
+
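Review bot: The two undo lines, `*ddp = *ddp + (pixels_per_chunk * 4 - 1);` in png_do_expand_palette_rgba8_neon and `*ddp = *ddp + (pixels_per_chunk * 3 - 1);` in png_do_expand_palette_rgb8_neon, spell the pixel size as a literal while the pre-adjustment they reverse uses `sizeof(png_uint_32)` and `sizeof(png_color)`; the handoff to the scalar fallback is only correct while each pair stays an exact inverse. For a verbatim upstream pick it is reasonable to leave the code unchanged, but the fix relies on the caller in pngrtran.c, which this patch does not touch and which is not visible here, so it should be confirmed that the 1.6.42 caller continues from the returned `i` with the `sp`/`dp` values these functions now leave behind. Both function bodies start and end outside the inner hunks, including any early return taken before the pre-adjustment. Decoding palette images whose width is not a multiple of the chunk size on an Arm build with the NEON path enabled, under AddressSanitizer, would confirm the backport end to end.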
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
index 7471315fdd..923ed79896 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
@@ -24,6 +24,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz
 file://CVE-2026-22695.patch \
 file://CVE-2026-22801.patch \
 file://CVE-2026-25646.patch \
+ file://CVE-2026-33636.patch \
 "
 SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
