diff --git a/external/libpng/0001-fix-Avoid-integer-overflows-in-function-png_xy_from_.patch.1 b/external/libpng/0001-fix-Avoid-integer-overflows-in-function-png_xy_from_.patch.1
new file mode 100644
index 000000000000..90b4d385fadd
--- /dev/null
+++ b/external/libpng/0001-fix-Avoid-integer-overflows-in-function-png_xy_from_.patch.1
@@ -0,0 +1,99 @@
+From 65470ac86c9d479e18c58c181170163925b5f9a1 Mon Sep 17 00:00:00 2001
+From: John Bowler
+Date: Sat, 12 Oct 2024 14:55:03 -0700
+Subject: [PATCH] fix: Avoid integer overflows in function `png_xy_from_XYZ`
+
+This is a cherry-picked of commit f45531cc141dc20dc7a4046bbe92270b1e799a5d
+from branch 'libpng18'.
+
+Reviewed-by: Cosmin Truta
+Signed-off-by: John Bowler
+Signed-off-by: Cosmin Truta
+---
+ png.c | 40 ++++++++++++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 16 deletions(-)
+
+diff --git a/png.c b/png.c
+index 8cd0179a8..d99e2643b 100644
+--- a/png.c
++++ b/png.c
+@@ -1272,7 +1272,7 @@ png_safe_add(png_int_32 *addend0_and_result, png_int_32 addend1,
+ static int
+ png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
+ {
+- png_int_32 d, dred, dgreen, dwhite, whiteX, whiteY;
++ png_int_32 d, dred, dgreen, dblue, dwhite, whiteX, whiteY;
+
+ /* 'd' in each of the blocks below is just X+Y+Z for each component,
+ * x, y and z are X,Y,Z/(X+Y+Z).
+@@ -1280,44 +1280,52 @@ png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
+ d = XYZ->red_X;
+ if (png_safe_add(&d, XYZ->red_Y, XYZ->red_Z))
+ return 1;
+- if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
++ dred = d;
++ if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, dred) == 0)
+ return 1;
+- if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
++ if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, dred) == 0)
+ return 1;
+- dred = d;
+- whiteX = XYZ->red_X;
+- whiteY = XYZ->red_Y;
+
+ d = XYZ->green_X;
+ if (png_safe_add(&d, XYZ->green_Y, XYZ->green_Z))
+ return 1;
+- if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
++ dgreen = d;
++ if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, dgreen) == 0)
+ return 1;
+- if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
++ if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, dgreen) == 0)
+ return 1;
+- dgreen = d;
+- whiteX += XYZ->green_X;
+- whiteY += XYZ->green_Y;
+
+ d = XYZ->blue_X;
+ if (png_safe_add(&d,
XYZ->blue_Y, XYZ->blue_Z))
+ return 1;
+- if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
++ dblue = d;
++ if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, dblue) == 0)
+ return 1;
+- if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
++ if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, dblue) == 0)
+ return 1;
+- whiteX += XYZ->blue_X;
+- whiteY += XYZ->blue_Y;
+
+ /* The reference white is simply the sum of the end-point (X,Y,Z) vectors so
+ * the fillowing calculates (X+Y+Z) of the reference white (media white,
+ * encoding white) itself:
+ */
++ d = dblue;
+ if (png_safe_add(&d, dred, dgreen))
+ return 1;
+-
+ dwhite = d;
+
++ /* Find the white X,Y values from the sum of the red, green and blue X,Y
++ * values.
++ */
++ d = XYZ->red_X;
++ if (png_safe_add(&d, XYZ->green_X, XYZ->blue_X))
++ return 1;
++ whiteX = d;
++
++ d = XYZ->red_Y;
++ if (png_safe_add(&d, XYZ->green_Y, XYZ->blue_Y))
++ return 1;
++ whiteY = d;
++
+ if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
+ return 1;
+ if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
+--
+2.46.1
+
diff --git a/external/libpng/0001-libpng16-fix-Correct-the-function-png_fp_sub-in-png.patch.1 b/external/libpng/0001-libpng16-fix-Correct-the-function-png_fp_sub-in-png.patch.1
new file mode 100644
index 000000000000..59a8ccc32c6d
--- /dev/null
+++ b/external/libpng/0001-libpng16-fix-Correct-the-function-png_fp_sub-in-png.patch.1
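Review bot: In the `png_xy_from_XYZ` patch that ends above, every `return 1` after the first `png_muldiv` leaves `*xy` half-filled. The new `png_safe_add` checks for `whiteX` and `whiteY`, for example, fail with the red, green and blue fields already stored and `whitex`/`whitey` untouched. Nothing in the visible lines states that `*xy` is only meaningful on a zero return, so a comment above the function such as `/* On a non-zero return *xy is partially written and must not be used. */` would make the contract explicit. The function's header comment and its callers lie outside the hunk, so whether callers already discard `xy` on failure needs confirming against the full png.c.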
@@ -0,0 +1,35 @@
+From f14d5fcd1efec749d0137162efbee6013757494b Mon Sep 17 00:00:00 2001
+From: John Bowler
+Date: Thu, 10 Oct 2024 08:40:41 -0700
+Subject: [PATCH] [libpng16] fix: Correct the function `png_fp_sub` in png.c
+
+The code erroneously evaluated `addend0+addend1` in the case where
+`addend1` is less than zero. The function is meant to subtract the
+second argument from the first.
+
+This is a cherry-pick of commit 79fd6d1edc8fe8c41ed58c6318bd57761d8f007e
+from branch 'libpng18'.
+
+Reviewed-by: Cosmin Truta
+Signed-off-by: John Bowler
+Signed-off-by: Cosmin Truta
+---
+ png.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/png.c b/png.c
+index 8a1e2a451..240db5ab9 100644
+--- a/png.c
++++ b/png.c
+@@ -1241,7 +1241,7 @@ png_fp_sub(png_int_32 addend0, png_int_32 addend1, int *error)
+ else if (addend1 < 0)
+ {
+ if (0x7fffffff + addend1 >= addend0)
+- return addend0+addend1;
++ return addend0-addend1;
+ }
+ else
+ return addend0;
+--
+2.46.1
+
diff --git a/external/libpng/UnpackedTarball_libpng.mk b/external/libpng/UnpackedTarball_libpng.mk
index af17418daa6f..461b40931708 100644
--- a/external/libpng/UnpackedTarball_libpng.mk
+++ b/external/libpng/UnpackedTarball_libpng.mk
@@ -17,6 +17,8 @@ $(eval $(call gb_UnpackedTarball_add_files,libpng,.,\ $(eval $(call gb_UnpackedTarball_add_patches,libpng,\ external/libpng/0001-ACES-AP0-adjusted-fixes.patch.1 \ + external/libpng/0001-libpng16-fix-Correct-the-function-png_fp_sub-in-png.patch.1 \ + external/libpng/0001-fix-Avoid-integer-overflows-in-function-png_xy_from_.patch.1 \ )) # vim: set noet sw=4 ts=4:
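Review bot: The corrected `addend1 < 0` branch of `png_fp_sub` depends on the guard `0x7fffffff + addend1 >= addend0`, but nothing in the hunk explains why that bound makes `addend0-addend1` safe. The guard is sound, since with `addend1` negative the difference fits exactly when `addend0 <= INT32_MAX + addend1` and the left-hand sum cannot itself overflow. A one-line comment would record that, for example `/* addend1 < 0: addend0 - addend1 fits iff addend0 <= 0x7fffffff + addend1 */`. The `addend1 > 0` branch and whatever runs when the guard fails (presumably setting `*error`) are outside the hunk, so check their symmetry with this branch in the full file.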