CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

libpng: patch CVE-2025-64506

Browse Source 
Pick commit per NVD report.

(From OE-Core rev: f3bdbd782eed2b597927df489a7d38a22fbba5ed)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Peter Marko 2025-11-27 19:03:23 +01:00 committed by Steve Sakoman
parent b0b3210686
commit eed16ae613
2 changed files with 58 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch Normal file
View File

@ -0,0 +1,57 @@
From 2bd84c019c300b78e811743fbcddb67c9d9bf821 Mon Sep 17 00:00:00 2001
From: Cosmin Truta <ctruta@gmail.com>
Date: Fri, 7 Nov 2025 22:40:05 +0200
Subject: [PATCH] Fix a heap buffer overflow in `png_write_image_8bit`
The condition guarding the pre-transform path incorrectly allowed 8-bit
input data to enter `png_write_image_8bit` which expects 16-bit input.
This caused out-of-bounds reads when processing 8-bit grayscale+alpha
images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746),
with the `convert_to_8bit` flag set (an invalid combination that should
bypass the pre-transform path).
The second part of the condition, i.e.
colormap == 0 && convert_to_8bit != 0
failed to verify that input was 16-bit, i.e.
linear != 0
contradicting the comment "This only applies when the input is 16-bit".
The fix consists in restructuring the condition to ensure both the
`alpha` path and the `convert_to_8bit` path require linear (16-bit)
input. The corrected condition, i.e.
linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)
matches the expectation of the `png_write_image_8bit` function and
prevents treating 8-bit buffers as 16-bit data.
Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
Reported-by: weijinjinnihao <weijinjinnihao@users.noreply.github.com>
Analyzed-by: degrigis <degrigis@users.noreply.github.com>
Reviewed-by: John Bowler <jbowler@acm.org>
CVE: CVE-2025-64506
Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
pngwrite.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/pngwrite.c b/pngwrite.c
index 35a5d17b6..83148960e 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -2142,8 +2142,7 @@ png_image_write_main(png_voidp argument)
* before it is written. This only applies when the input is 16-bit and
* either there is an alpha channel or it is converted to 8-bit.
*/
- if ((linear != 0 && alpha != 0 ) ||
- (colormap == 0 && display->convert_to_8bit != 0))
+ if (linear != 0 && (alpha != 0 || display->convert_to_8bit != 0))
{
png_bytep row = png_voidcast(png_bytep, png_malloc(png_ptr,
png_get_rowbytes(png_ptr, info_ptr)));

1
meta/recipes-multimedia/libpng/libpng_1.6.42.bb
View File

@ -15,6 +15,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz
file://CVE-2025-64505-01.patch \ file://CVE-2025-64505-01.patch \
file://CVE-2025-64505-02.patch \ file://CVE-2025-64505-02.patch \
file://CVE-2025-64505-03.patch \ file://CVE-2025-64505-03.patch \
file://CVE-2025-64506.patch \
" "
SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450" SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"