File libpng12-CVE-2025-64505.patch of Package libpng12

Overview Repositories Revisions Requests Users Attributes Meta

File libpng12-CVE-2025-64505.patch of Package libpng12

From 6a528eb5fd0dd7f6de1c39d30de0e41473431c37 Mon Sep 17 00:00:00 2001
From: Cosmin Truta <ctruta@gmail.com>
Date: Sat, 8 Nov 2025 23:58:26 +0200
Subject: [PATCH] Fix a buffer overflow in `png_do_quantize`

Allocate the quantize_index array to PNG_MAX_PALETTE_LENGTH (256 bytes)
instead of num_palette bytes. This approach matches the allocation
pattern for `palette[]`, `trans_alpha[]` and `riffled_palette[]` which
were similarly oversized in libpng 1.2.1 to prevent buffer overflows
from malformed PNG files with out-of-range palette indices.

Out-of-range palette indices `index >= num_palette` will now read
identity-mapped values from the `quantize_index` array (where index N
maps to palette entry N). This prevents undefined behavior while
avoiding runtime bounds checking overhead in the performance-critical
pixel processing loop.

Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
Analyzed-by: degrigis <degrigis@users.noreply.github.com>
---
 pngrtran.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Index: libpng-1.2.59/pngrtran.c
===================================================================
--- libpng-1.2.59.orig/pngrtran.c
+++ libpng-1.2.59/pngrtran.c
@@ -176,8 +176,8 @@ png_set_dither(png_structp png_ptr, png_
       int i;
 
       png_ptr->dither_index = (png_bytep)png_malloc(png_ptr,
-         (png_uint_32)(num_palette * png_sizeof(png_byte)));
-      for (i = 0; i < num_palette; i++)
+         (png_uint_32)(PNG_MAX_PALETTE_LENGTH * png_sizeof(png_byte)));
+      for (i = 0; i < PNG_MAX_PALETTE_LENGTH; i++)
          png_ptr->dither_index[i] = (png_byte)i;
    }

Places

File libpng12-CVE-2025-64505.patch of Package libpng12

Places