libpng: patch CVE-2026-22695

Pick commit per [1].
This CVE is a regression of the fix for CVE-2025-65018.

[1] https://security-tracker.debian.org/tracker/CVE-2026-22695

(From OE-Core rev: cdfeb4e55f856b1020caf58f380d3a1e7eb5cd97)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Peter Marko
2026-01-15 01:25:23 +01:00
committed by Richard Purdie
parent 2541663fd1
commit f824456616
2 changed files with 78 additions and 0 deletions


@@ -0,0 +1,77 @@
From e4f7ad4ea2a471776c81dda4846b7691925d9786 Mon Sep 17 00:00:00 2001
From: Cosmin Truta <ctruta@gmail.com>
Date: Fri, 9 Jan 2026 20:51:53 +0200
Subject: [PATCH] Fix a heap buffer over-read in `png_image_read_direct_scaled`
Fix a regression from commit 218612ddd6b17944e21eda56caf8b4bf7779d1ea.
The function `png_image_read_direct_scaled`, introduced by the fix for
CVE-2025-65018, copies transformed row data from an intermediate buffer
(`local_row`) to the user's output buffer. The copy incorrectly used
`row_bytes` (the caller's stride) as the size parameter to memcpy, even
though `local_row` is only `png_get_rowbytes()` bytes long.
This causes a heap buffer over-read when:
1. The caller provides a padded stride (e.g., for memory alignment):
memcpy reads past the end of `local_row` by `stride - row_width`
bytes.
2. The caller provides a negative stride (for bottom-up layouts):
casting ptrdiff_t to size_t produces ~2^64, causing memcpy to
attempt reading exabytes, resulting in an immediate crash.
The fix consists in using the size of the row buffer for the copy and
using the stride for pointer advancement only.
Reported-by: Petr Simecek <simecek@users.noreply.github.com>
Analyzed-by: Stanislav Fort
Analyzed-by: Pavel Kohout
Co-authored-by: Petr Simecek <simecek@users.noreply.github.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
CVE: CVE-2026-22695
Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/e4f7ad4ea2a471776c81dda4846b7691925d9786]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
AUTHORS | 1 +
pngread.c | 4 +++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/AUTHORS b/AUTHORS
index 26b7bb50f..b9c0fffcf 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -23,6 +23,7 @@ Authors, for copyright and licensing purposes.
* Mike Klein
* Pascal Massimino
* Paul Schmidt
+ * Petr Simecek
* Philippe Antoine
* Qiang Zhou
* Sam Bushell
diff --git a/pngread.c b/pngread.c
index e3426292b..9d86b01dc 100644
--- a/pngread.c
+++ b/pngread.c
@@ -3270,9 +3270,11 @@ png_image_read_direct_scaled(png_voidp argument)
argument);
png_imagep image = display->image;
png_structrp png_ptr = image->opaque->png_ptr;
+ png_inforp info_ptr = image->opaque->info_ptr;
png_bytep local_row = png_voidcast(png_bytep, display->local_row);
png_bytep first_row = png_voidcast(png_bytep, display->first_row);
ptrdiff_t row_bytes = display->row_bytes;
+ size_t copy_bytes = png_get_rowbytes(png_ptr, info_ptr);
int passes;
/* Handle interlacing. */
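Review bot: `copy_bytes` in the declaration block comes from a fresh `png_get_rowbytes(png_ptr, info_ptr)` call, while the allocation of `local_row` that it has to match is not visible in this function. The memcpy bound is therefore only correct as long as both sites evaluate `png_get_rowbytes()` in the same state. Consider storing the allocated size next to `display->local_row` and reading it here, or at least add a comment stating that `copy_bytes` must equal the size `local_row` was allocated with.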
@@ -3302,7 +3304,7 @@ png_image_read_direct_scaled(png_voidp argument)
png_read_row(png_ptr, local_row, NULL);
/* Copy from local_row to user buffer. */
- memcpy(output_row, local_row, (size_t)row_bytes);
+ memcpy(output_row, local_row, copy_bytes);
output_row += row_bytes;
}
}
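Review bot: at the `memcpy(output_row, local_row, copy_bytes)` line the read side is now bounded, but nothing in this hunk checks that the magnitude of `row_bytes` is at least `copy_bytes`. A stride shorter than the row would turn the fixed over-read into an over-write of `output_row`, so please confirm that the caller rejects such strides before this function runs, or add an explicit check. With a padded stride, the trailing `stride - row_width` bytes of each output row are now left untouched, which deserves a line in the comment above the copy. The diffstat shows only AUTHORS and pngread.c, so a regression test covering a padded stride and a negative stride would be good to have alongside the fix.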


@@ -21,6 +21,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz
file://CVE-2025-65018-02.patch \
file://CVE-2025-66293-01.patch \
file://CVE-2025-66293-02.patch \
file://CVE-2026-22695.patch \
"
SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
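Review bot: the new `file://CVE-2026-22695.patch \` entry has to stay after the CVE-2025-65018 patch entries, because the function it modifies is introduced by that fix, and nothing in the recipe records this dependency. A one-line comment above the entry would keep a later reordering or removal of the earlier patches from breaking the apply step. The backported patch also carries the upstream AUTHORS hunk, a second file that can fail to apply on a future version bump without any bearing on the fix itself.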