import Oracle_OSS libpng-1.6.40-8.el10_1.3

libpng-1.6-CVE-2026-33636.patch

@@ -0,0 +1,60 @@
+diff --git a/arm/palette_neon_intrinsics.c b/arm/palette_neon_intrinsics.c
+index 3068e9b6e6..f3355bef59 100644
+--- a/arm/palette_neon_intrinsics.c
++++ b/arm/palette_neon_intrinsics.c
+@@ -79,7 +79,7 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info,
+     */
+    *ddp = *ddp - ((pixels_per_chunk * sizeof(png_uint_32)) - 1);
+ 
+-   for (i = 0; i < row_width; i += pixels_per_chunk)
++   for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk)
+    {
+       uint32x4_t cur;
+       png_bytep sp = *ssp - i, dp = *ddp - (i << 2);
+@@ -89,13 +89,12 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info,
+       cur = vld1q_lane_u32(riffled_palette + *(sp - 0), cur, 3);
+       vst1q_u32((void *)dp, cur);
+    }
+-   if (i != row_width)
+-   {
+-      /* Remove the amount that wasn't processed. */
+-      i -= pixels_per_chunk;
+-   }
+ 
+-   /* Decrement output pointers. */
++   /* Undo the pre-adjustment of *ddp before the pointer handoff,
++    * so the scalar fallback in pngrtran.c receives a dp that points
++    * to the correct position.
++    */
++   *ddp = *ddp + (pixels_per_chunk * 4 - 1);
+    *ssp = *ssp - i;
+    *ddp = *ddp - (i << 2);
+    return i;
+@@ -120,7 +119,7 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info,
+    /* Seeking this back by 8 pixels x 3 bytes. */
+    *ddp = *ddp - ((pixels_per_chunk * sizeof(png_color)) - 1);
+ 
+-   for (i = 0; i < row_width; i += pixels_per_chunk)
++   for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk)
+    {
+       uint8x8x3_t cur;
+       png_bytep sp = *ssp - i, dp = *ddp - ((i << 1) + i);
+@@ -135,13 +134,11 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info,
+       vst3_u8((void *)dp, cur);
+    }
+ 
+-   if (i != row_width)
+-   {
+-      /* Remove the amount that wasn't processed. */
+-      i -= pixels_per_chunk;
+-   }
+-
+-   /* Decrement output pointers. */
++   /* Undo the pre-adjustment of *ddp before the pointer handoff,
++    * so the scalar fallback in pngrtran.c receives a dp that points
++    * to the correct position.
++    */
++   *ddp = *ddp + (pixels_per_chunk * 3 - 1);
+    *ssp = *ssp - i;
+    *ddp = *ddp - ((i << 1) + i);
+    return i;

libpng.spec

@@ -4,7 +4,7 @@ Summary:       A library of functions for manipulating PNG image format files
 Name:          libpng
 Epoch:         2
 Version:       1.6.40
-Release:       8%{?dist}.2
+Release:       8%{?dist}.3
 License:       zlib
 URL:           http://www.libpng.org/pub/png/
 
@@ -39,6 +39,9 @@ Patch9:        libpng-1.6-cve-2026-22801.patch
 # from upstream, for <1.6.55, RHEL-148325
 # https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
 Patch10:       libpng-1.6-cve-2026-25646.patch
+# from upstream, for <1.6.56, RHEL-161208
+# https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
+Patch11:       libpng-1.6-CVE-2026-33636.patch
 
 BuildRequires: gcc
 BuildRequires: zlib-devel
@@ -100,6 +103,7 @@ cp -p %{SOURCE1} .
 %patch -P 8 -p1 -b .cve-2026-22695
 %patch -P 9 -p1 -b .cve-2026-22801
 %patch -P 10 -p1 -b .cve-2026-25646
+%patch -P 11 -p1 -b .CVE-2026-33636
 
 %build
 autoreconf -vif
@@ -140,6 +144,9 @@ make check
 %{_bindir}/pngfix
 
 %changelog
+* Mon Apr 27 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.40-8.3
+- fix CVE-2026-33636: out-of-bounds R/W in the palette expansion on ARM Neon (RHEL-161208)
+
 * Sat Feb 21 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.40-8.2
 - fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148323)
 - fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-148818)