From de0daf4718f62a38500f13372d49b2cc2b16d863 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 28 Apr 2026 10:06:45 +0200 Subject: [PATCH] fix CVE-2026-33636: out-of-bounds R/W in the palette expansion on ARM Neon (RHEL-161307) Resolves: RHEL-161307 --- libpng-1.6-CVE-2026-33636.patch | 60 +++++++++++++++++++++++++++++++++ libpng.spec | 9 ++++- 2 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 libpng-1.6-CVE-2026-33636.patch diff --git a/libpng-1.6-CVE-2026-33636.patch b/libpng-1.6-CVE-2026-33636.patch new file mode 100644 index 0000000..25617bc --- /dev/null +++ b/libpng-1.6-CVE-2026-33636.patch @@ -0,0 +1,60 @@ +diff --git a/arm/palette_neon_intrinsics.c b/arm/palette_neon_intrinsics.c +index 3068e9b6e6..f3355bef59 100644 +--- a/arm/palette_neon_intrinsics.c ++++ b/arm/palette_neon_intrinsics.c +@@ -79,7 +79,7 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info, + */ + *ddp = *ddp - ((pixels_per_chunk * sizeof(png_uint_32)) - 1); + +- for (i = 0; i < row_width; i += pixels_per_chunk) ++ for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk) + { + uint32x4_t cur; + png_bytep sp = *ssp - i, dp = *ddp - (i << 2); +@@ -89,13 +89,12 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info, + cur = vld1q_lane_u32(riffled_palette + *(sp - 0), cur, 3); + vst1q_u32((void *)dp, cur); + } +- if (i != row_width) +- { +- /* Remove the amount that wasn't processed. */ +- i -= pixels_per_chunk; +- } + +- /* Decrement output pointers. */ ++ /* Undo the pre-adjustment of *ddp before the pointer handoff, ++ * so the scalar fallback in pngrtran.c receives a dp that points ++ * to the correct position. ++ */ ++ *ddp = *ddp + (pixels_per_chunk * 4 - 1); + *ssp = *ssp - i; + *ddp = *ddp - (i << 2); + return i; +@@ -120,7 +119,7 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info, + /* Seeking this back by 8 pixels x 3 bytes. */ + *ddp = *ddp - ((pixels_per_chunk * sizeof(png_color)) - 1); + +- for (i = 0; i < row_width; i += pixels_per_chunk) ++ for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk) + { + uint8x8x3_t cur; + png_bytep sp = *ssp - i, dp = *ddp - ((i << 1) + i); +@@ -135,13 +134,11 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info, + vst3_u8((void *)dp, cur); + } + +- if (i != row_width) +- { +- /* Remove the amount that wasn't processed. */ +- i -= pixels_per_chunk; +- } +- +- /* Decrement output pointers. */ ++ /* Undo the pre-adjustment of *ddp before the pointer handoff, ++ * so the scalar fallback in pngrtran.c receives a dp that points ++ * to the correct position. ++ */ ++ *ddp = *ddp + (pixels_per_chunk * 3 - 1); + *ssp = *ssp - i; + *ddp = *ddp - ((i << 1) + i); + return i; diff --git a/libpng.spec b/libpng.spec index 81f8780..e979e0e 100644 --- a/libpng.spec +++ b/libpng.spec @@ -4,7 +4,7 @@ Summary: A library of functions for manipulating PNG image format files Name: libpng Epoch: 2 Version: 1.6.37 -Release: 15%{?dist} +Release: 16%{?dist} License: zlib URL: http://www.libpng.org/pub/png/ @@ -34,6 +34,9 @@ Patch8: libpng-1.6-cve-2026-22801.patch # from upstream, for <1.6.55, RHEL-148328 # https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88 Patch9: libpng-1.6-cve-2026-25646.patch +# from upstream, for <1.6.56, RHEL-161307 +# https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3 +Patch10: libpng-1.6-CVE-2026-33636.patch BuildRequires: gcc BuildRequires: zlib-devel @@ -94,6 +97,7 @@ cp -p %{SOURCE1} . %patch -P 7 -p1 -b .cve-2026-22695 %patch -P 8 -p1 -b .cve-2026-22801 %patch -P 9 -p1 -b .cve-2026-25646 +%patch -P 10 -p1 -b .CVE-2026-33636 %build autoreconf -vif @@ -134,6 +138,9 @@ make check %{_bindir}/pngfix %changelog +* Mon Apr 27 2026 Michal Hlavinka - 2:1.6.37-16 +- fix CVE-2026-33636: out-of-bounds R/W in the palette expansion on ARM Neon (RHEL-161307) + * Tue Mar 03 2026 Michal Hlavinka - 2:1.6.37-15 - fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148411)