Compare commits

..

No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

14 changed files with 6 additions and 795 deletions

View File

@ -1,69 +0,0 @@
diff --git a/pngrtran.c b/pngrtran.c
index 548780030a..2f52022551 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -1781,19 +1781,51 @@ png_init_read_transformations(png_structrp png_ptr)
}
else /* if (png_ptr->trans_alpha[i] != 0xff) */
{
- png_byte v, w;
-
- v = png_ptr->gamma_to_1[palette[i].red];
- png_composite(w, v, png_ptr->trans_alpha[i], back_1.red);
- palette[i].red = png_ptr->gamma_from_1[w];
-
- v = png_ptr->gamma_to_1[palette[i].green];
- png_composite(w, v, png_ptr->trans_alpha[i], back_1.green);
- palette[i].green = png_ptr->gamma_from_1[w];
-
- v = png_ptr->gamma_to_1[palette[i].blue];
- png_composite(w, v, png_ptr->trans_alpha[i], back_1.blue);
- palette[i].blue = png_ptr->gamma_from_1[w];
+ if ((png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0)
+ {
+ /* Premultiply only:
+ * component = round((component * alpha) / 255)
+ */
+ png_uint_32 component;
+
+ component = png_ptr->gamma_to_1[palette[i].red];
+ component =
+ (component * png_ptr->trans_alpha[i] + 128) / 255;
+ palette[i].red = png_ptr->gamma_from_1[component];
+
+ component = png_ptr->gamma_to_1[palette[i].green];
+ component =
+ (component * png_ptr->trans_alpha[i] + 128) / 255;
+ palette[i].green = png_ptr->gamma_from_1[component];
+
+ component = png_ptr->gamma_to_1[palette[i].blue];
+ component =
+ (component * png_ptr->trans_alpha[i] + 128) / 255;
+ palette[i].blue = png_ptr->gamma_from_1[component];
+ }
+ else
+ {
+ /* Composite with background color:
+ * component =
+ * alpha * component + (1 - alpha) * background
+ */
+ png_byte v, w;
+
+ v = png_ptr->gamma_to_1[palette[i].red];
+ png_composite(w, v,
+ png_ptr->trans_alpha[i], back_1.red);
+ palette[i].red = png_ptr->gamma_from_1[w];
+
+ v = png_ptr->gamma_to_1[palette[i].green];
+ png_composite(w, v,
+ png_ptr->trans_alpha[i], back_1.green);
+ palette[i].green = png_ptr->gamma_from_1[w];
+
+ v = png_ptr->gamma_to_1[palette[i].blue];
+ png_composite(w, v,
+ png_ptr->trans_alpha[i], back_1.blue);
+ palette[i].blue = png_ptr->gamma_from_1[w];
+ }
}
}
else

View File

@ -1,25 +0,0 @@
diff --git a/pngread.c b/pngread.c
index 212afb7d21..92571ec335 100644
--- a/pngread.c
+++ b/pngread.c
@@ -4040,6 +4040,20 @@ png_image_finish_read(png_imagep image, png_const_colorp background,
int result;
png_image_read_control display;
+ /* Reject bit depth mismatches to avoid buffer overflows. */
+ png_uint_32 ihdr_bit_depth =
+ image->opaque->png_ptr->bit_depth;
+ int requested_linear =
+ (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
+ if (ihdr_bit_depth == 16 && !requested_linear)
+ return png_image_error(image,
+ "png_image_finish_read: "
+ "16-bit PNG must use 16-bit output format");
+ if (ihdr_bit_depth < 16 && requested_linear)
+ return png_image_error(image,
+ "png_image_finish_read: "
+ "8-bit PNG must not use 16-bit output format");
+
memset(&display, 0, (sizeof display));
display.image = image;
display.buffer = buffer;

View File

@ -1,130 +0,0 @@
diff --git a/pngread.c b/pngread.c
index 92571ec335..79917daaaf 100644
--- a/pngread.c
+++ b/pngread.c
@@ -3129,6 +3129,54 @@ png_image_read_colormapped(png_voidp argument)
}
}
+/* Row reading for interlaced 16-to-8 bit depth conversion with local buffer. */
+static int
+png_image_read_direct_scaled(png_voidp argument)
+{
+ png_image_read_control *display = png_voidcast(png_image_read_control*,
+ argument);
+ png_imagep image = display->image;
+ png_structrp png_ptr = image->opaque->png_ptr;
+ png_bytep local_row = png_voidcast(png_bytep, display->local_row);
+ png_bytep first_row = png_voidcast(png_bytep, display->first_row);
+ ptrdiff_t row_bytes = display->row_bytes;
+ int passes;
+
+ /* Handle interlacing. */
+ switch (png_ptr->interlaced)
+ {
+ case PNG_INTERLACE_NONE:
+ passes = 1;
+ break;
+
+ case PNG_INTERLACE_ADAM7:
+ passes = PNG_INTERLACE_ADAM7_PASSES;
+ break;
+
+ default:
+ png_error(png_ptr, "unknown interlace type");
+ }
+
+ /* Read each pass using local_row as intermediate buffer. */
+ while (--passes >= 0)
+ {
+ png_uint_32 y = image->height;
+ png_bytep output_row = first_row;
+
+ for (; y > 0; --y)
+ {
+ /* Read into local_row (gets transformed 8-bit data). */
+ png_read_row(png_ptr, local_row, NULL);
+
+ /* Copy from local_row to user buffer. */
+ memcpy(output_row, local_row, (size_t)row_bytes);
+ output_row += row_bytes;
+ }
+ }
+
+ return 1;
+}
+
/* Just the row reading part of png_image_read. */
static int
png_image_read_composite(png_voidp argument)
@@ -3547,6 +3595,7 @@ png_image_read_direct(png_voidp argument)
int linear = (format & PNG_FORMAT_FLAG_LINEAR) != 0;
int do_local_compose = 0;
int do_local_background = 0; /* to avoid double gamma correction bug */
+ int do_local_scale = 0; /* for interlaced 16-to-8 bit conversion */
int passes = 0;
/* Add transforms to ensure the correct output format is produced then check
@@ -3680,8 +3729,16 @@ png_image_read_direct(png_voidp argument)
png_set_expand_16(png_ptr);
else /* 8-bit output */
+ {
png_set_scale_16(png_ptr);
+ /* For interlaced images, use local_row buffer to avoid overflow
+ * in png_combine_row() which writes using IHDR bit-depth.
+ */
+ if (png_ptr->interlaced != 0)
+ do_local_scale = 1;
+ }
+
change &= ~PNG_FORMAT_FLAG_LINEAR;
}
@@ -3957,6 +4014,24 @@ png_image_read_direct(png_voidp argument)
return result;
}
+ else if (do_local_scale != 0)
+ {
+ /* For interlaced 16-to-8 conversion, use an intermediate row buffer
+ * to avoid buffer overflows in png_combine_row. The local_row is sized
+ * for the transformed (8-bit) output, preventing the overflow that would
+ * occur if png_combine_row wrote 16-bit data directly to the user buffer.
+ */
+ int result;
+ png_voidp row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr));
+
+ display->local_row = row;
+ result = png_safe_execute(image, png_image_read_direct_scaled, display);
+ display->local_row = NULL;
+ png_free(png_ptr, row);
+
+ return result;
+ }
+
else
{
png_alloc_size_t row_bytes = (png_alloc_size_t)display->row_bytes;
@@ -4040,20 +4115,6 @@ png_image_finish_read(png_imagep image, png_const_colorp background,
int result;
png_image_read_control display;
- /* Reject bit depth mismatches to avoid buffer overflows. */
- png_uint_32 ihdr_bit_depth =
- image->opaque->png_ptr->bit_depth;
- int requested_linear =
- (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
- if (ihdr_bit_depth == 16 && !requested_linear)
- return png_image_error(image,
- "png_image_finish_read: "
- "16-bit PNG must use 16-bit output format");
- if (ihdr_bit_depth < 16 && requested_linear)
- return png_image_error(image,
- "png_image_finish_read: "
- "8-bit PNG must not use 16-bit output format");
-
memset(&display, 0, (sizeof display));
display.image = image;
display.buffer = buffer;

View File

@ -1,21 +0,0 @@
diff --git a/pngread.c b/pngread.c
index 79917daaaf..ab62edd9d8 100644
--- a/pngread.c
+++ b/pngread.c
@@ -3273,9 +3273,14 @@ png_image_read_composite(png_voidp argument)
component += (255-alpha)*png_sRGB_table[outrow[c]];
/* So 'component' is scaled by 255*65535 and is
- * therefore appropriate for the sRGB to linear
- * conversion table.
+ * therefore appropriate for the sRGB-to-linear
+ * conversion table. Clamp to the valid range
+ * as a defensive measure against an internal
+ * libpng bug where the data is sRGB rather than
+ * linear premultiplied.
*/
+ if (component > 255*65535)
+ component = 255*65535;
component = PNG_sRGB_FROM_LINEAR(component);
}

View File

@ -1,88 +0,0 @@
diff --git a/pngread.c b/pngread.c
index ab62edd9d8..f8ca2b7e31 100644
--- a/pngread.c
+++ b/pngread.c
@@ -3207,6 +3207,7 @@ png_image_read_composite(png_voidp argument)
ptrdiff_t step_row = display->row_bytes;
unsigned int channels =
(image->format & PNG_FORMAT_FLAG_COLOR) != 0 ? 3 : 1;
+ int optimize_alpha = (png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0;
int pass;
for (pass = 0; pass < passes; ++pass)
@@ -3263,25 +3264,44 @@ png_image_read_composite(png_voidp argument)
if (alpha < 255) /* else just use component */
{
- /* This is PNG_OPTIMIZED_ALPHA, the component value
- * is a linear 8-bit value. Combine this with the
- * current outrow[c] value which is sRGB encoded.
- * Arithmetic here is 16-bits to preserve the output
- * values correctly.
- */
- component *= 257*255; /* =65535 */
- component += (255-alpha)*png_sRGB_table[outrow[c]];
-
- /* So 'component' is scaled by 255*65535 and is
- * therefore appropriate for the sRGB-to-linear
- * conversion table. Clamp to the valid range
- * as a defensive measure against an internal
- * libpng bug where the data is sRGB rather than
- * linear premultiplied.
- */
- if (component > 255*65535)
- component = 255*65535;
- component = PNG_sRGB_FROM_LINEAR(component);
+ if (optimize_alpha != 0)
+ {
+ /* This is PNG_OPTIMIZED_ALPHA, the component value
+ * is a linear 8-bit value. Combine this with the
+ * current outrow[c] value which is sRGB encoded.
+ * Arithmetic here is 16-bits to preserve the output
+ * values correctly.
+ */
+ component *= 257*255; /* =65535 */
+ component += (255-alpha)*png_sRGB_table[outrow[c]];
+
+ /* Clamp to the valid range to defend against
+ * unforeseen cases where the data might be sRGB
+ * instead of linear premultiplied.
+ * (Belt-and-suspenders for GitHub Issue #764.)
+ */
+ if (component > 255*65535)
+ component = 255*65535;
+
+ /* So 'component' is scaled by 255*65535 and is
+ * therefore appropriate for the sRGB-to-linear
+ * conversion table.
+ */
+ component = PNG_sRGB_FROM_LINEAR(component);
+ }
+ else
+ {
+ /* Compositing was already done on the palette
+ * entries. The data is sRGB premultiplied on black.
+ * Composite with the background in sRGB space.
+ * This is not gamma-correct, but matches what was
+ * done to the palette.
+ */
+ png_uint_32 background = outrow[c];
+ component += ((255-alpha) * background + 127) / 255;
+ if (component > 255)
+ component = 255;
+ }
}
outrow[c] = (png_byte)component;
diff --git a/pngrtran.c b/pngrtran.c
index 2f52022551..507d11381e 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -1843,6 +1843,7 @@ png_init_read_transformations(png_structrp png_ptr)
* transformations elsewhere.
*/
png_ptr->transformations &= ~(PNG_COMPOSE | PNG_GAMMA);
+ png_ptr->flags &= ~PNG_FLAG_OPTIMIZE_ALPHA;
} /* color_type == PNG_COLOR_TYPE_PALETTE */
/* if (png_ptr->background_gamma_type!=PNG_BACKGROUND_GAMMA_UNKNOWN) */

View File

@ -1,103 +0,0 @@
diff --git a/pngread.c b/pngread.c
index 01b731d8eb..0086edf6cf 100644
--- a/pngread.c
+++ b/pngread.c
@@ -788,12 +788,11 @@ png_read_destroy(png_structrp png_ptr)
#if defined(PNG_tRNS_SUPPORTED) || \
defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED)
- if ((png_ptr->free_me & PNG_FREE_TRNS) != 0)
- {
- png_free(png_ptr, png_ptr->trans_alpha);
- png_ptr->trans_alpha = NULL;
- }
- png_ptr->free_me &= ~PNG_FREE_TRNS;
+ /* png_ptr->trans_alpha is always independently allocated (not aliased
+ * with info_ptr->trans_alpha), so free it unconditionally.
+ */
+ png_free(png_ptr, png_ptr->trans_alpha);
+ png_ptr->trans_alpha = NULL;
#endif
inflateEnd(&png_ptr->zstream);
diff --git a/pngrutil.c b/pngrutil.c
index 366379b991..a19507bf1b 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1772,10 +1772,6 @@ png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
return;
}
- /* TODO: this is a horrible side effect in the palette case because the
- * png_struct ends up with a pointer to the tRNS buffer owned by the
- * png_info. Fix this.
- */
png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
&(png_ptr->trans_color));
}
diff --git a/pngset.c b/pngset.c
index 4b78b8960c..47883684e4 100644
--- a/pngset.c
+++ b/pngset.c
@@ -1002,25 +1002,33 @@
if (trans_alpha != NULL)
{
- /* It may not actually be necessary to set png_ptr->trans_alpha here;
- * we do it for backward compatibility with the way the png_handle_tRNS
- * function used to do the allocation.
- *
- * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively
- * relies on png_set_tRNS storing the information in png_struct
- * (otherwise it won't be there for the code in pngrtran.c).
- */
-
png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
{
- /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */
+ /* Allocate info_ptr's copy of the transparency data. */
info_ptr->trans_alpha = png_voidcast(png_bytep,
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
+
+ /* Allocate an independent copy for png_struct, so that the
+ * lifetime of png_ptr->trans_alpha is decoupled from the
+ * lifetime of info_ptr->trans_alpha. Previously these two
+ * pointers were aliased, which caused a use-after-free if
+ * png_free_data freed info_ptr->trans_alpha while
+ * png_ptr->trans_alpha was still in use by the row transform
+ * functions (e.g. png_do_expand_palette).
+ */
+ png_free(png_ptr, png_ptr->trans_alpha);
+ png_ptr->trans_alpha = png_voidcast(png_bytep,
+ png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
+ memcpy(png_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
+ }
+ else
+ {
+ png_free(png_ptr, png_ptr->trans_alpha);
+ png_ptr->trans_alpha = NULL;
}
- png_ptr->trans_alpha = info_ptr->trans_alpha;
}
if (trans_color != NULL)
diff --git a/pngwrite.c b/pngwrite.c
index 5fc77d91f7..84af1e73fb 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -1010,6 +1010,12 @@ png_write_destroy(png_structrp png_ptr)
png_ptr->chunk_list = NULL;
#endif
+#if defined(PNG_tRNS_SUPPORTED)
+ /* Free the independent copy of trans_alpha owned by png_struct. */
+ png_free(png_ptr, png_ptr->trans_alpha);
+ png_ptr->trans_alpha = NULL;
+#endif
+
/* The error handling and memory handling information is left intact at this
* point: the jmp_buf may still have to be freed. See png_destroy_png_struct
* for how this happens.

View File

@ -1,27 +0,0 @@
diff --git a/pngset.c b/pngset.c
index 47883684e4..dccc6498d7 100644
--- a/pngset.c
+++ b/pngset.c
@@ -1006,9 +1006,13 @@
if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
{
- /* Allocate info_ptr's copy of the transparency data. */
+ /* Allocate info_ptr's copy of the transparency data.
+ * Initialize all entries to fully opaque (0xff), then overwrite
+ * the first num_trans entries with the actual values.
+ */
info_ptr->trans_alpha = png_voidcast(png_bytep,
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
+ memset(info_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
/* Allocate an independent copy for png_struct, so that the
@@ -1024,6 +1028,7 @@
png_free(png_ptr, png_ptr->trans_alpha);
png_ptr->trans_alpha = png_voidcast(png_bytep,
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
+ memset(png_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
memcpy(png_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
}
else

View File

@ -1,122 +0,0 @@
diff -up libpng-1.6.40/pngread.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngread.c
--- libpng-1.6.40/pngread.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.486981492 +0200
+++ libpng-1.6.40/pngread.c 2026-05-13 17:57:13.493075382 +0200
@@ -959,12 +959,11 @@ png_read_destroy(png_structrp png_ptr)
png_ptr->quantize_index = NULL;
#endif
- if ((png_ptr->free_me & PNG_FREE_PLTE) != 0)
- {
- png_zfree(png_ptr, png_ptr->palette);
- png_ptr->palette = NULL;
- }
- png_ptr->free_me &= ~PNG_FREE_PLTE;
+ /* png_ptr->palette is always independently allocated (not aliased
+ * with info_ptr->palette), so free it unconditionally.
+ */
+ png_free(png_ptr, png_ptr->palette);
+ png_ptr->palette = NULL;
#if defined(PNG_tRNS_SUPPORTED) || \
defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED)
diff -up libpng-1.6.40/pngrtran.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngrtran.c
--- libpng-1.6.40/pngrtran.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.483146844 +0200
+++ libpng-1.6.40/pngrtran.c 2026-05-13 17:57:13.493827754 +0200
@@ -745,7 +745,13 @@ png_set_quantize(png_structrp png_ptr, p
}
if (png_ptr->palette == NULL)
{
- png_ptr->palette = palette;
+ /* Allocate an owned copy rather than aliasing the caller's pointer,
+ * so that png_read_destroy can free png_ptr->palette unconditionally.
+ */
+ png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
+ memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
+ (sizeof (png_color)));
}
png_ptr->num_palette = (png_uint_16)num_palette;
diff -up libpng-1.6.40/pngrutil.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngrutil.c
--- libpng-1.6.40/pngrutil.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.487752910 +0200
+++ libpng-1.6.40/pngrutil.c 2026-05-13 18:02:45.747406991 +0200
@@ -1048,14 +1048,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
}
#endif
- /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
- * own copy of the palette. This has the side effect that when png_start_row
- * is called (this happens after any call to png_read_update_info) the
- * info_ptr palette gets changed. This is extremely unexpected and
- * confusing.
- *
- * Fix this by not sharing the palette in this way.
- */
png_set_PLTE(png_ptr, info_ptr, palette, num);
/* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
diff -up libpng-1.6.40/pngset.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngset.c
--- libpng-1.6.40/pngset.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.490982521 +0200
+++ libpng-1.6.40/pngset.c 2026-05-13 17:57:13.495080620 +0200
@@ -595,28 +595,38 @@ png_set_PLTE(png_structrp png_ptr, png_i
png_error(png_ptr, "Invalid palette");
}
- /* It may not actually be necessary to set png_ptr->palette here;
- * we do it for backward compatibility with the way the png_handle_tRNS
- * function used to do the allocation.
- *
- * 1.6.0: the above statement appears to be incorrect; something has to set
- * the palette inside png_struct on read.
- */
png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
/* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
* of num_palette entries, in case of an invalid PNG file or incorrect
* call to png_set_PLTE() with too-large sample values.
+ *
+ * Allocate independent buffers for info_ptr and png_ptr so that the
+ * lifetime of png_ptr->palette is decoupled from the lifetime of
+ * info_ptr->palette. Previously, these two pointers were aliased,
+ * which caused a use-after-free vulnerability if png_free_data freed
+ * info_ptr->palette while png_ptr->palette was still in use by the
+ * row transform functions (e.g. png_do_expand_palette).
+ *
+ * Both buffers are allocated with png_calloc to zero-fill, because
+ * the ARM NEON palette riffle reads all 256 entries unconditionally,
+ * regardless of num_palette.
*/
+ png_free(png_ptr, png_ptr->palette);
png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
+ info_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
+ png_ptr->num_palette = info_ptr->num_palette = (png_uint_16)num_palette;
if (num_palette > 0)
+ {
+ memcpy(info_ptr->palette, palette, (unsigned int)num_palette *
+ (sizeof (png_color)));
memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
(sizeof (png_color)));
+ }
- info_ptr->palette = png_ptr->palette;
- info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette;
info_ptr->free_me |= PNG_FREE_PLTE;
info_ptr->valid |= PNG_INFO_PLTE;
diff -up libpng-1.6.40/pngwrite.c.CVE-2026-33416_p3of5 libpng-1.6.40/pngwrite.c
--- libpng-1.6.40/pngwrite.c.CVE-2026-33416_p3of5 2026-05-13 17:57:13.488545337 +0200
+++ libpng-1.6.40/pngwrite.c 2026-05-13 17:57:13.495368957 +0200
@@ -982,6 +982,10 @@ png_write_destroy(png_structrp png_ptr)
png_ptr->trans_alpha = NULL;
#endif
+ /* Free the independent copy of the palette owned by png_struct. */
+ png_free(png_ptr, png_ptr->palette);
+ png_ptr->palette = NULL;
+
/* The error handling and memory handling information is left intact at this
* point: the jmp_buf may still have to be freed. See png_destroy_png_struct
* for how this happens.

View File

@ -1,26 +0,0 @@
diff --git a/pngrtran.c b/pngrtran.c
index fd736ab672..978dac5888 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -2070,6 +2070,21 @@ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr)
{
png_debug(1, "in png_read_transform_info");
+ if (png_ptr->transformations != 0)
+ {
+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
+ info_ptr->palette != NULL && png_ptr->palette != NULL)
+ {
+ /* Sync info_ptr->palette with png_ptr->palette.
+ * The function png_init_read_transformations may have modified
+ * png_ptr->palette in place (e.g. for gamma correction or for
+ * background compositing).
+ */
+ memcpy(info_ptr->palette, png_ptr->palette,
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
+ }
+ }
+
#ifdef PNG_READ_EXPAND_SUPPORTED
if ((png_ptr->transformations & PNG_EXPAND) != 0)
{

View File

@ -1,32 +0,0 @@
diff --git a/pngrtran.c b/pngrtran.c
index 1b04cafa56..0ac8df749e 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -2070,19 +2070,15 @@ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr)
{
png_debug(1, "in png_read_transform_info");
- if (png_ptr->transformations != 0)
+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
+ info_ptr->palette != NULL && png_ptr->palette != NULL)
{
- if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
- info_ptr->palette != NULL && png_ptr->palette != NULL)
- {
- /* Sync info_ptr->palette with png_ptr->palette.
- * The function png_init_read_transformations may have modified
- * png_ptr->palette in place (e.g. for gamma correction or for
- * background compositing).
- */
- memcpy(info_ptr->palette, png_ptr->palette,
- PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
- }
+ /* Sync info_ptr->palette with png_ptr->palette, which may
+ * have been modified by png_init_read_transformations
+ * (e.g. for gamma correction or background compositing).
+ */
+ memcpy(info_ptr->palette, png_ptr->palette,
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
}
#ifdef PNG_READ_EXPAND_SUPPORTED

View File

@ -1,25 +0,0 @@
diff --git a/pngread.c b/pngread.c
index e3426292b1..9d86b01dc0 100644
--- a/pngread.c
+++ b/pngread.c
@@ -3138,9 +3138,11 @@ png_image_read_direct_scaled(png_voidp argument)
argument);
png_imagep image = display->image;
png_structrp png_ptr = image->opaque->png_ptr;
+ png_inforp info_ptr = image->opaque->info_ptr;
png_bytep local_row = png_voidcast(png_bytep, display->local_row);
png_bytep first_row = png_voidcast(png_bytep, display->first_row);
ptrdiff_t row_bytes = display->row_bytes;
+ size_t copy_bytes = png_get_rowbytes(png_ptr, info_ptr);
int passes;
/* Handle interlacing. */
@@ -3170,7 +3172,7 @@ png_image_read_direct_scaled(png_voidp argument)
png_read_row(png_ptr, local_row, NULL);
/* Copy from local_row to user buffer. */
- memcpy(output_row, local_row, (size_t)row_bytes);
+ memcpy(output_row, local_row, copy_bytes);
output_row += row_bytes;
}
}

View File

@ -1,38 +0,0 @@
diff --git a/pngwrite.c b/pngwrite.c
index 08066bcc42..a95b846c8e 100644
@@ -1678,7 +1678,7 @@ png_write_image_16bit(png_voidp argument)
}
png_write_row(png_ptr, png_voidcast(png_const_bytep, display->local_row));
- input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
+ input_row += display->row_bytes / 2;
}
return 1;
@@ -1804,7 +1804,7 @@ png_write_image_8bit(png_voidp argument)
png_write_row(png_ptr, png_voidcast(png_const_bytep,
display->local_row));
- input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
+ input_row += display->row_bytes / 2;
} /* while y */
}
@@ -1829,7 +1829,7 @@ png_write_image_8bit(png_voidp argument)
}
png_write_row(png_ptr, output_row);
- input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16));
+ input_row += display->row_bytes / 2;
}
}
@@ -2148,7 +2148,7 @@ png_image_write_main(png_voidp argument)
ptrdiff_t row_bytes = display->row_stride;
if (linear != 0)
- row_bytes *= (sizeof (png_uint_16));
+ row_bytes *= 2;
if (row_bytes < 0)
row += (image->height-1) * (-row_bytes);

View File

@ -1,15 +0,0 @@
diff --git a/pngrtran.c b/pngrtran.c
index fe8f9d32c9..1fce9af121 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -708,8 +708,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
break;
t->next = hash[d];
- t->left = (png_byte)i;
- t->right = (png_byte)j;
+ t->left = png_ptr->palette_to_index[i];
+ t->right = png_ptr->palette_to_index[j];
hash[d] = t;
}
}

View File

@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
Name: libpng Name: libpng
Epoch: 2 Epoch: 2
Version: 1.6.34 Version: 1.6.34
Release: 11%{?dist} Release: 5%{?dist}
License: zlib License: zlib
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.libpng.org/pub/png/ URL: http://www.libpng.org/pub/png/
@ -15,40 +15,7 @@ Patch0: libpng-multilib.patch
Patch1: libpng-fix-arm-neon.patch Patch1: libpng-fix-arm-neon.patch
Patch2: libpng-CVE-2018-13785.patch Patch2: libpng-CVE-2018-13785.patch
Patch3: libpng-coverity.patch Patch3: libpng-coverity.patch
# from upstream, for <1.6.51, RHEL-131422
# https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643
Patch4: libpng-1.6-CVE-2025-64720.patch
# from upstream, for <1.6.51, RHEL-131435
# https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d
Patch5: libpng-1.6-CVE-2025-65018_p1of2.patch
# https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
Patch6: libpng-1.6-CVE-2025-65018_p2of2.patch
# from upstream, for <1.6.52, RHEL-133212
# https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1
Patch7: libpng-1.6-CVE-2025-66293_p1of2.patch
# https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a
Patch8: libpng-1.6-CVE-2025-66293_p2of2.patch
# from upstream, for <1.6.54, RHEL-148852
# https://github.com/pnggroup/libpng/commit/e4f7ad4ea2
Patch9: libpng-1.6-cve-2026-22695.patch
# from upstream, for <1.6.54, RHEL-146659
# https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072
Patch10: libpng-1.6-cve-2026-22801.patch
# from upstream, for <1.6.55, RHEL-148338
# https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
Patch11: libpng-1.6-cve-2026-25646.patch
# from upstream, for <1.6.56 (fix), for <1.6.58 (regression fix), RHEL-161436
# https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
Patch13: libpng-1.6-CVE-2026-33416_p1of5.patch
# https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
Patch14: libpng-1.6-CVE-2026-33416_p2of5.patch
# https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
Patch15: libpng-1.6-CVE-2026-33416_p3of5.patch
# https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
Patch16: libpng-1.6-CVE-2026-33416_p4of5.patch
# regression fix for 7ea9eea8 (part 3)
# https://github.com/pnggroup/libpng/commit/d4c4e49eb5c8981075ec2cd946428758c0cda6ac
Patch17: libpng-1.6-CVE-2026-33416_p5of5.patch
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool
@ -100,23 +67,10 @@ The libpng-tools package contains tools used by the authors of libpng.
# Provide pngusr.dfa for build. # Provide pngusr.dfa for build.
cp -p %{SOURCE1} . cp -p %{SOURCE1} .
%patch -P 0 -p1 %patch0 -p1
%patch -P 1 -p1 -b .arm %patch1 -p1 -b .arm
%patch -P 2 -p1 -b .CVE-2018-13785 %patch2 -p1 -b .CVE-2018-13785
%patch -P 3 -p1 -b .coverity %patch3 -p1 -b .coverity
%patch -P 4 -p1 -b .CVE-2025-64720
%patch -P 5 -p1 -b .CVE-2025-65018_p1of2
%patch -P 6 -p1 -b .CVE-2025-65018_p2of2
%patch -P 7 -p1 -b .CVE-2025-66293_p1of2
%patch -P 8 -p1 -b .CVE-2025-66293_p2of2
%patch -P 9 -p1 -b .cve-2026-22695
%patch -P 10 -p1 -b .cve-2026-22801
%patch -P 11 -p1 -b .cve-2026-25646
%patch -P 13 -p1 -b .CVE-2026-33416_p1of5
%patch -P 14 -p1 -b .CVE-2026-33416_p2of5
%patch -P 15 -p1 -b .CVE-2026-33416_p3of5
%patch -P 16 -p1 -b .CVE-2026-33416_p4of5
%patch -P 17 -p1 -b .CVE-2026-33416_p5of5
%build %build
autoreconf -vif autoreconf -vif
@ -158,28 +112,6 @@ make check
%{_bindir}/pngfix %{_bindir}/pngfix
%changelog %changelog
* Wed May 13 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.37-11
- fix CVE-2026-33416: use-after-free via pointer aliasing in png_set_tRNS and png_set_PLTE (RHEL-161344)
* Thu Mar 05 2026 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.34-10
- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148338)
- fix CVE-2026-22695: heap buffer over-read in png_image_finish_read (RHEL-148852)
- fix CVE-2026-22801: heap buffer over-read in png_image_write_*bit (RHEL-146659)
* Tue Dec 16 2025 Michal Hlavinka <mhlavink@redhat.com> - 2:1.6.34-9
- CVE-2025-64720: buffer overflow (RHEL-131452)
- CVE-2025-65018: heap buffer overflow (RHEL-131465)
- CVE-2025-66293: out-of-bounds read in png_image_read_composite (RHEL-133226)
* Thu Nov 28 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-8
- Remove redundant fix for CVE-2017-12652
* Tue Nov 26 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-7
- Add upstream test suite and enable it in gating
* Fri Nov 22 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.34-6
- Fix CVE-2017-12652 (#1744871)
* Mon Oct 15 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-5 * Mon Oct 15 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-5
- Fix important Covscan defects (#1602588) - Fix important Covscan defects (#1602588)