From d2f152e1855fc3dc90f26b3e46cbefdcf44dbca6 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka <mhlavink@redhat.com>
Date: Fri, 20 Feb 2026 14:02:03 +0100
Subject: [PATCH] fix CVE-2026-25646: heap buffer overflow in png_set_quantize
 (RHEL-148340)

Resolves: RHEL-148340
---
 libpng-1.6-cve-2026-25646.patch | 15 +++++++++++++++
 libpng15.spec                   | 13 ++++++++++---
 2 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 libpng-1.6-cve-2026-25646.patch

diff --git a/libpng-1.6-cve-2026-25646.patch b/libpng-1.6-cve-2026-25646.patch
new file mode 100644
index 0000000..1c86961
--- /dev/null
+++ b/libpng-1.6-cve-2026-25646.patch
@@ -0,0 +1,15 @@
+diff --git a/pngrtran.c b/pngrtran.c
+index fe8f9d32c9..1fce9af121 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -708,8 +708,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+                          break;
+ 
+                      t->next = hash[d];
+-                     t->left = (png_byte)i;
+-                     t->right = (png_byte)j;
++                     t->left = png_ptr->palette_to_index[i];
++                     t->right = png_ptr->palette_to_index[j];
+                      hash[d] = t;
+                   }
+                }
diff --git a/libpng15.spec b/libpng15.spec
index f1f047d..7d7c770 100644
--- a/libpng15.spec
+++ b/libpng15.spec
@@ -1,7 +1,7 @@
 Summary: Old version of libpng, needed to run old binaries
 Name: libpng15
 Version: 1.5.30
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: zlib
 URL: http://www.libpng.org/pub/png/
 
@@ -13,6 +13,9 @@ Source1: pngusr.dfa
 
 Patch0: libpng15-CVE-2013-6954.patch
 Patch1: libpng15-CVE-2018-13785.patch
+# from upstream, for <= 1.6.54, RHEL-148340
+# https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
+Patch2: libpng-1.6-cve-2026-25646.patch
 
 BuildRequires: gcc
 BuildRequires: zlib-devel
@@ -26,8 +29,9 @@ version of libpng.
 %prep
 %setup -q -n libpng-%{version}
 
-%patch0 -p1
-%patch1 -p1
+%patch -P 0 -p1
+%patch -P 1 -p1
+%patch -P 2 -p1 -b .cve-2026-25646
 
 # Provide pngusr.dfa for build.
 cp -p %{SOURCE1} .
@@ -53,6 +57,9 @@ rm -rf $RPM_BUILD_ROOT%{_bindir}/*
 %{_libdir}/libpng15.so.*
 
 %changelog
+* Thu Mar 12 2026 Michal Hlavinka <mhlavink@redhat.com> - 1.5.30-8
+- fix CVE-2026-25646: heap buffer overflow in png_set_quantize (RHEL-148340)
+
 * Thu Jun 06 2019 Nikola Forró <nforro@redhat.com> - 1.5.30-7
 - New package for RHEL 8.1.0
   resolves: #1687581