From 8e6f377d2f3e8b0681c5d55fbd8aad653f44edff Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Fri, 20 Feb 2026 14:02:03 +0100
Subject: [PATCH] fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148412)

Resolves: RHEL-148412
---
 libpng-1.6-cve-2026-25646.patch | 15 +++++++++++++++
 libpng15.spec | 13 ++++++++++---
 2 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 libpng-1.6-cve-2026-25646.patch

diff --git a/libpng-1.6-cve-2026-25646.patch b/libpng-1.6-cve-2026-25646.patch
new file mode 100644
index 0000000..1c86961
--- /dev/null
+++ b/libpng-1.6-cve-2026-25646.patch
@@ -0,0 +1,15 @@
+diff --git a/pngrtran.c b/pngrtran.c
+index fe8f9d32c9..1fce9af121 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -708,8 +708,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ break;
+
+ t->next = hash[d];
+- t->left = (png_byte)i;
+- t->right = (png_byte)j;
++ t->left = png_ptr->palette_to_index[i];
++ t->right = png_ptr->palette_to_index[j];
+ hash[d] = t;
+ }
+ }
diff --git a/libpng15.spec b/libpng15.spec
index 0a255d1..af583ce 100644
--- a/libpng15.spec
+++ b/libpng15.spec
@@ -1,7 +1,7 @@
 Summary: Old version of libpng, needed to run old binaries
 Name: libpng15
 Version: 1.5.30
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: zlib
 URL: http://www.libpng.org/pub/png/

@@ -13,6 +13,9 @@ Source1: pngusr.dfa

 Patch0: libpng15-CVE-2013-6954.patch
 Patch1: libpng15-CVE-2018-13785.patch
+# from upstream, for <= 1.6.54, RHEL-148412
+# https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
+Patch2: libpng-1.6-cve-2026-25646.patch

 BuildRequires: gcc
 BuildRequires: zlib-devel
@@ -27,8 +30,9 @@ version of libpng.

 %prep
 %setup -q -n libpng-%{version}
-%patch0 -p1
-%patch1 -p1
+%patch -P 0 -p1
+%patch -P 1 -p1
+%patch -P 2 -p1 -b .cve-2026-25646

 # Provide pngusr.dfa for build.
 cp -p %{SOURCE1} .
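Review bot: In the `pngrtran.c` hunk, the new assignments `t->left = png_ptr->palette_to_index[i];` and `t->right = png_ptr->palette_to_index[j];` are only correct if `palette_to_index` is allocated and filled for every `i` and `j` this loop reaches, and the code that sets up that table lies outside the hunk. The patch file is named for libpng 1.6 and the spec comment says it targets upstream `<= 1.6.54`, while the package is 1.5.30, so that setup should be confirmed in the 1.5.30 `pngrtran.c` rather than assumed from the upstream branch. The stored values also change meaning, presumably from current palette positions to original palette indices, and nothing in the code records that; a short comment above the two lines such as `/* store original palette indices; consumers map them back through the index tables */` would help, once checked against the code that reads `t->left` and `t->right`. The body of `png_set_quantize` starts and ends outside the hunk.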
@@ -54,6 +58,9 @@ rm -rf $RPM_BUILD_ROOT%{_bindir}/*
 %{_libdir}/libpng15.so.*

 %changelog
+* Fri Feb 20 2026 Michal Hlavinka - 1.5.30-15
+- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148412)
+
 * Mon Aug 09 2021 Mohan Boddu - 1.5.30-14
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688