File libpng16-CVE-2026-25646.patch of Package libpng16.42674
From 01d03b8453eb30ade759cd45c707e5a1c7277d88 Mon Sep 17 00:00:00 2001
From: Cosmin Truta <ctruta@gmail.com>
Date: Fri, 6 Feb 2026 19:11:54 +0200
Subject: [PATCH] Fix a heap buffer overflow in `png_set_quantize`
The color distance hash table stored the current palette indices, but
the color-pruning loop assumed the original indices. When colors were
eliminated and indices changed, the stored indices became stale. This
caused the loop bound `max_d` to grow past the 769-element hash array.
The fix consists in storing the original indices via `palette_to_index`
to match the pruning loop's expectations.
Reported-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
Co-authored-by: Joshua Inscoe <pwnalone@users.noreply.github.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
---
AUTHORS | 1 +
pngrtran.c | 6 +++---
2 files changed, 4 insertions(+), 3 deletions(-)
Index: libpng-1.6.8/pngrtran.c
===================================================================
--- libpng-1.6.8.orig/pngrtran.c
+++ libpng-1.6.8/pngrtran.c
@@ -624,8 +624,8 @@ png_set_quantize(png_structrp png_ptr, p
break;
t->next = hash[d];
- t->left = (png_byte)i;
- t->right = (png_byte)j;
+ t->left = png_ptr->palette_to_index[i];
+ t->right = png_ptr->palette_to_index[j];
hash[d] = t;
}
}
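Review bot: The replaced assignments to `t->left` and `t->right` carry no comment stating that hash entries must hold original palette indices. According to the commit message, that is the invariant the pruning loop depends on. A one-line comment above `t->left = png_ptr->palette_to_index[i];` would keep a later cleanup from reverting to the `(png_byte)i` form. Separately, the diffstat lists an AUTHORS change and 3 insertions and 3 deletions in pngrtran.c, while this patch against libpng-1.6.8 shows a single hunk with 2 changed lines and no AUTHORS hunk. Please confirm that no third changed line of the original fix was dropped when the patch was refreshed, and update the stat to match.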