From b5bcba4095f725e89d3d993759166a792fb771ee Mon Sep 17 00:00:00 2001
From: gcw_5Q40SBlf
Date: Mon, 2 Feb 2026 21:30:18 +0800
Subject: [PATCH] =?UTF-8?q?new:=20=E6=96=B0=E5=BB=BA=E6=96=87=E4=BB=B6=20C?= =?UTF-8?q?VE-2025-28164.patch?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: gcw_5Q40SBlf
---
CVE-2025-28164.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 CVE-2025-28164.patch
diff --git a/CVE-2025-28164.patch b/CVE-2025-28164.patch
new file mode 100644
index 000000000..df3e95459
--- /dev/null
+++ b/CVE-2025-28164.patch
@@ -0,0 +1,50 @@
+diff --git a/pngerror.c b/pngerror.c
+index 1babf9f..829611b 100644
+--- a/pngerror.c
++++ b/pngerror.c
+@@ -936,23 +936,36 @@ png_safe_warning(png_structp png_nonconst_ptr, png_const_charp warning_message)
+ int /* PRIVATE */
+ png_safe_execute(png_imagep image, int (*function)(png_voidp), png_voidp arg)
+ {
+- png_voidp saved_error_buf = image->opaque->error_buf;
++ const png_voidp saved_error_buf = image->opaque->error_buf;
+ jmp_buf safe_jmpbuf;
+- int result;
+
+ /* Safely execute function(arg), with png_error returning back here. */
+ if (setjmp(safe_jmpbuf) == 0)
+ {
++ int result; /*bool*/
+ image->opaque->error_buf = safe_jmpbuf;
+ result = function(arg);
+ image->opaque->error_buf = saved_error_buf;
+- return result;
++
++ if (result)
++ return 1; /*true*/
+ }
+
+- /* On png_error, return via longjmp, pop the jmpbuf, and free the image. */
++ /* The function failed either because of a caught png_error and a regular
++ * return of false above or because of an uncaught png_error from the
++ * function itself. Ensure that the error_buf is always set back to the
++ * value saved above:
++ */
+ image->opaque->error_buf = saved_error_buf;
+- png_image_free(image);
+- return 0;
++
++ /* On the final false return, when about to return control to the caller, the
++ * image is freed (png_image_free does this check but it is duplicated here
++ * for clarity:
++ */
++ if (saved_error_buf == NULL)
++ png_image_free(image);
++
++ return 0; /*false*/
+ }
+ #endif /* SIMPLIFIED READ || SIMPLIFIED_WRITE */
+ #endif /* READ || WRITE */
+--
+2.1.4
+
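Review bot: Nothing in this commit registers CVE-2025-28164.patch with the package build: the diffstat shows one file changed, and that file is the patch itself. Unless the build recipe picks up patch files automatically, the `png_safe_execute` fix would sit in the tree without being applied to pngerror.c. The recipe entry should land in the same commit, and the build log should confirm that the hunk at `@@ -936,23 +936,36 @@` applies cleanly. The embedded patch also starts directly at `diff --git a/pngerror.c b/pngerror.c` with no provenance. I would add a header line above it, such as `Origin: <upstream commit URL>`, so the backport can be audited against the upstream change.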