File libpng16-CVE-2025-65018.patch of Package libpng16.41903

From 218612ddd6b17944e21eda56caf8b4bf7779d1ea Mon Sep 17 00:00:00 2001
From: Cosmin Truta <ctruta@gmail.com>
Date: Wed, 19 Nov 2025 21:45:13 +0200
Subject: [PATCH] Rearchitect the fix to the buffer overflow in
 `png_image_finish_read`

Undo the fix from commit 16b5e3823918840aae65c0a6da57c78a5a496a4d.
That fix turned out to be unnecessarily limiting. It rejected all
16-to-8 bit transformations, although the vulnerability only affects
interlaced PNGs where `png_combine_row` writes using IHDR bit-depth
before the transformation completes.

The proper solution is to add an intermediate `local_row` buffer,
specifically for the slow but necessary step of 16-to-8 bit conversion
of interlaced images. (The processing of non-interlaced images remains
intact, using the fast path.) We added the flag `do_local_scale` and
the function `png_image_read_direct_scaled`, following the pattern that
involves `do_local_compose`.

In conclusion:
- The 16-to-8 bit transformations of interlaced images are now safe,
  as they use an intermediate buffer.
- The 16-to-8 bit transformations of non-interlaced images remain safe,
  as the fast path remains unchanged.
- All our regression tests are now passing.
Index: libpng-1.6.34/pngread.c
===================================================================
--- libpng-1.6.34.orig/pngread.c
+++ libpng-1.6.34/pngread.c
@@ -3254,6 +3254,54 @@ png_image_read_colormapped(png_voidp arg
    }
 }
 
+/* Row reading for interlaced 16-to-8 bit depth conversion with local buffer. */
+static int
+png_image_read_direct_scaled(png_voidp argument)
+{
+   png_image_read_control *display = png_voidcast(png_image_read_control*,
+       argument);
+   png_imagep image = display->image;
+   png_structrp png_ptr = image->opaque->png_ptr;
+   png_bytep local_row = png_voidcast(png_bytep, display->local_row);
+   png_bytep first_row = png_voidcast(png_bytep, display->first_row);
+   ptrdiff_t row_bytes = display->row_bytes;
+   int passes;
+
+   /* Handle interlacing. */
+   switch (png_ptr->interlaced)
+   {
+      case PNG_INTERLACE_NONE:
+         passes = 1;
+         break;
+
+      case PNG_INTERLACE_ADAM7:
+         passes = PNG_INTERLACE_ADAM7_PASSES;
+         break;
+
+      default:
+         png_error(png_ptr, "unknown interlace type");
+   }
+
+   /* Read each pass using local_row as intermediate buffer. */
+   while (--passes >= 0)
+   {
+      png_uint_32 y = image->height;
+      png_bytep output_row = first_row;
+
+      for (; y > 0; --y)
+      {
+         /* Read into local_row (gets transformed 8-bit data). */
+         png_read_row(png_ptr, local_row, NULL);
+
+         /* Copy from local_row to user buffer. */
+         memcpy(output_row, local_row, (size_t)row_bytes);
+         output_row += row_bytes;
+      }
+   }
+
+   return 1;
+}
+
 /* Just the row reading part of png_image_read. */
 static int
 png_image_read_composite(png_voidp argument)
@@ -3675,6 +3723,7 @@ png_image_read_direct(png_voidp argument
    int linear = (format & PNG_FORMAT_FLAG_LINEAR) != 0;
    int do_local_compose = 0;
    int do_local_background = 0; /* to avoid double gamma correction bug */
+   int do_local_scale = 0; /* for interlaced 16-to-8 bit conversion */
    int passes = 0;
 
    /* Add transforms to ensure the correct output format is produced then check
@@ -3801,8 +3850,16 @@ png_image_read_direct(png_voidp argument
             png_set_expand_16(png_ptr);
 
          else /* 8-bit output */
+         {
             png_set_scale_16(png_ptr);
 
+            /* For interlaced images, use local_row buffer to avoid overflow
+             * in png_combine_row() which writes using IHDR bit-depth.
+             */
+            if (png_ptr->interlaced != 0)
+               do_local_scale = 1;
+         }
+
          change &= ~PNG_FORMAT_FLAG_LINEAR;
       }
 
@@ -4075,6 +4132,24 @@ png_image_read_direct(png_voidp argument
       display->local_row = NULL;
       png_free(png_ptr, row);
 
+      return result;
+   }
+
+   else if (do_local_scale != 0)
+   {
+      /* For interlaced 16-to-8 conversion, use an intermediate row buffer
+       * to avoid buffer overflows in png_combine_row. The local_row is sized
+       * for the transformed (8-bit) output, preventing the overflow that would
+       * occur if png_combine_row wrote 16-bit data directly to the user buffer.
+       */
+      int result;
+      png_voidp row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr));
+
+      display->local_row = row;
+      result = png_safe_execute(image, png_image_read_direct_scaled, display);
+      display->local_row = NULL;
+      png_free(png_ptr, row);
+
       return result;
    }