From 3587652aaf09a489abfec0a50d6d62f5dace2f2a Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Tue, 3 Mar 2026 11:15:29 +0100
Subject: [PATCH] fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148411)

Resolves: RHEL-148411
---
 libpng-1.6-cve-2026-25646.patch | 15 +++++++++++++++
 libpng.spec | 9 ++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 libpng-1.6-cve-2026-25646.patch

diff --git a/libpng-1.6-cve-2026-25646.patch b/libpng-1.6-cve-2026-25646.patch
new file mode 100644
index 0000000..1c86961
--- /dev/null
+++ b/libpng-1.6-cve-2026-25646.patch
@@ -0,0 +1,15 @@
+diff --git a/pngrtran.c b/pngrtran.c
+index fe8f9d32c9..1fce9af121 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -708,8 +708,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ break;
+
+ t->next = hash[d];
+- t->left = (png_byte)i;
+- t->right = (png_byte)j;
++ t->left = png_ptr->palette_to_index[i];
++ t->right = png_ptr->palette_to_index[j];
+ hash[d] = t;
+ }
+ }
diff --git a/libpng.spec b/libpng.spec
index 506213f..81f8780 100644
--- a/libpng.spec
+++ b/libpng.spec
@@ -4,7 +4,7 @@ Summary: A library of functions for manipulating PNG image format files
 Name: libpng
 Epoch: 2
 Version: 1.6.37
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: zlib
 URL: http://www.libpng.org/pub/png/
 
@@ -31,6 +31,9 @@ Patch7: libpng-1.6-cve-2026-22695.patch
 # from upstream, for <1.6.54, RHEL-149000
 # https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072
 Patch8: libpng-1.6-cve-2026-22801.patch
+# from upstream, for <1.6.55, RHEL-148328
+# https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
+Patch9: libpng-1.6-cve-2026-25646.patch
 
 BuildRequires: gcc
 BuildRequires: zlib-devel
@@ -90,6 +93,7 @@ cp -p %{SOURCE1} .
 %patch -P 6 -p1 -b .CVE-2025-66293_p2of2
 %patch -P 7 -p1 -b .cve-2026-22695
 %patch -P 8 -p1 -b .cve-2026-22801
+%patch -P 9 -p1 -b .cve-2026-25646
 
 %build
 autoreconf -vif
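Review bot: The new patch file starts directly at `diff --git a/pngrtran.c b/pngrtran.c` with no header, so its only link to upstream is the comment in libpng.spec. A short preamble naming upstream commit `01d03b8453eb30ade759cd45c707e5a1c7277d88` would let a later rebase be checked against the original; it should also say in one sentence why `t->left` and `t->right` must hold `png_ptr->palette_to_index[i]` and `[j]` rather than the loop counters. The hunk shows only the two assignments: the setup of `palette_to_index` and the code that later reads `t->left`/`t->right` lie outside it, so it is worth confirming in the 1.6.37 tree that the backport lands in the intended loop of png_set_quantize. No reproducer is added with the fix, so `make check` presumably exercises this path only as far as upstream's existing tests do.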
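Review bot: The comment added above `Patch9:` cites RHEL-148328, while the commit subject, the `Resolves:` trailer and the new %changelog entry all cite RHEL-148411. If 148328 tracks the same CVE for another stream this may be deliberate, but as written the spec does not lead from the patch to the ticket this build resolves; consider `# from upstream, for <1.6.55, RHEL-148411`. The context line above `Patch8:` appears to have the same kind of mismatch (it cites RHEL-149000, which the changelog attaches to CVE-2026-22695), so the comments may be worth reconciling together.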
@@ -130,6 +134,9 @@ make check
 %{_bindir}/pngfix
 
 %changelog
+* Tue Mar 03 2026 Michal Hlavinka - 2:1.6.37-15
+- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148411)
+
 * Thu Feb 19 2026 Michal Hlavinka - 2:1.6.37-14
 - fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-147356)
 - fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-149000)