fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148338)

fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-148852) fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-146659) Resolves: RHEL-146659
2026-03-05 11:40:20 +01:00 · 2026-03-05 11:40:20 +01:00 · 438bfb2f0d
commit 438bfb2f0d
parent e445577251
4 changed files with 96 additions and 1 deletions
--- a/libpng-1.6-cve-2026-22695.patch
+++ b/libpng-1.6-cve-2026-22695.patch
@ -0,0 +1,25 @@
+diff --git a/pngread.c b/pngread.c
+index e3426292b1..9d86b01dc0 100644
+--- a/pngread.c
+++ b/pngread.c
+@@ -3138,9 +3138,11 @@ png_image_read_direct_scaled(png_voidp argument)
+        argument);
+    png_imagep image = display->image;
+    png_structrp png_ptr = image->opaque->png_ptr;
+   png_inforp info_ptr = image->opaque->info_ptr;
+    png_bytep local_row = png_voidcast(png_bytep, display->local_row);
+    png_bytep first_row = png_voidcast(png_bytep, display->first_row);
+    ptrdiff_t row_bytes = display->row_bytes;
+   size_t copy_bytes = png_get_rowbytes(png_ptr, info_ptr);
+    int passes;
+ 
+    /* Handle interlacing. */
+@@ -3170,7 +3172,7 @@ png_image_read_direct_scaled(png_voidp argument)
+          png_read_row(png_ptr, local_row, NULL);
+ 
+          /* Copy from local_row to user buffer. */
+-         memcpy(output_row, local_row, (size_t)row_bytes);
+         memcpy(output_row, local_row, copy_bytes);
+          output_row += row_bytes;
+       }
+    }
--- a/libpng-1.6-cve-2026-22801.patch
+++ b/libpng-1.6-cve-2026-22801.patch
@ -0,0 +1,38 @@
+diff --git a/pngwrite.c b/pngwrite.c
+index 08066bcc42..a95b846c8e 100644
+@@ -1678,7 +1678,7 @@ png_write_image_16bit(png_voidp argument)
+       }
+ 
+       png_write_row(png_ptr, png_voidcast(png_const_bytep, display->local_row));
+-      input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
+      input_row += display->row_bytes / 2;
+    }
+ 
+    return 1;
+@@ -1804,7 +1804,7 @@ png_write_image_8bit(png_voidp argument)
+ 
+          png_write_row(png_ptr, png_voidcast(png_const_bytep,
+              display->local_row));
+-         input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
+         input_row += display->row_bytes / 2;
+       } /* while y */
+    }
+ 
+@@ -1829,7 +1829,7 @@ png_write_image_8bit(png_voidp argument)
+          }
+ 
+          png_write_row(png_ptr, output_row);
+-         input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
+         input_row += display->row_bytes / 2;
+       }
+    }
+ 
+@@ -2148,7 +2148,7 @@ png_image_write_main(png_voidp argument)
+       ptrdiff_t row_bytes = display->row_stride;
+ 
+       if (linear != 0)
+-         row_bytes *= (sizeof (png_uint_16));
+         row_bytes *= 2;
+ 
+       if (row_bytes < 0)
+          row += (image->height-1) * (-row_bytes);
--- a/libpng-1.6-cve-2026-25646.patch
+++ b/libpng-1.6-cve-2026-25646.patch
@ -0,0 +1,15 @@
+diff --git a/pngrtran.c b/pngrtran.c
+index fe8f9d32c9..1fce9af121 100644
+--- a/pngrtran.c
+++ b/pngrtran.c
+@@ -708,8 +708,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+                          break;
+ 
+                      t->next = hash[d];
+-                     t->left = (png_byte)i;
+-                     t->right = (png_byte)j;
+                     t->left = png_ptr->palette_to_index[i];
+                     t->right = png_ptr->palette_to_index[j];
+                      hash[d] = t;
+                   }
+                }
--- a/libpng.spec
+++ b/libpng.spec
@ -2,7 +2,7 @@ Summary:       A library of functions for manipulating PNG image format files
 Name:          libpng
 Epoch:         2
 Version:       1.6.34
-Release:       9%{?dist}
+Release:       10%{?dist}
 License:       zlib
 Group:         System Environment/Libraries
 URL:           http://www.libpng.org/pub/png/
@ -28,6 +28,15 @@ Patch6:        libpng-1.6-CVE-2025-65018_p2of2.patch
 Patch7:        libpng-1.6-CVE-2025-66293_p1of2.patch
 # https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a
 Patch8:        libpng-1.6-CVE-2025-66293_p2of2.patch
+# from upstream, for <1.6.54, RHEL-148852
+# https://github.com/pnggroup/libpng/commit/e4f7ad4ea2
+Patch9:        libpng-1.6-cve-2026-22695.patch
+# from upstream, for <1.6.54, RHEL-146659
+# https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072
+Patch10:       libpng-1.6-cve-2026-22801.patch
+# from upstream, for <1.6.55, RHEL-148338
+# https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
+Patch11:       libpng-1.6-cve-2026-25646.patch

 BuildRequires: zlib-devel
 BuildRequires: autoconf automake libtool
@ -88,6 +97,9 @@ cp -p %{SOURCE1} .
 %patch -P 6 -p1 -b .CVE-2025-65018_p2of2
 %patch -P 7 -p1 -b .CVE-2025-66293_p1of2
 %patch -P 8 -p1 -b .CVE-2025-66293_p2of2
+%patch -P 9 -p1 -b .cve-2026-22695
+%patch -P 10 -p1 -b .cve-2026-22801
+%patch -P 11 -p1 -b .cve-2026-25646

 %build
 autoreconf -vif
@ -129,6 +141,11 @@ make check
 %{_bindir}/pngfix

 %changelog
+* Thu Mar 05 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.34-10
+- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148338)
+- fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-148852)
+- fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-146659)
+
 * Tue Dec 16 2025 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.34-9
 - CVE-2025-64720: buffer overflow (RHEL-131452)
 - CVE-2025-65018: heap buffer overflow (RHEL-131465)