File gimp-CVE-2025-10934.patch of Package gimp.41640
From 5c3e2122d53869599d77ef0f1bdece117b24fd7c Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Wed, 3 Sep 2025 18:37:26 -0400
Subject: [PATCH] plug-ins: fix ZDI-CAN-27823
GIMP XWD File Parsing Heap-based Buffer Overflow Remote Code Execution
Vulnerability.
Check offset in colormap is valid before writing to it.
Closes #14814
(cherry picked from commit 4eb106f2bff2d9b8e518aa455a884c6f38d70c6a)
---
plug-ins/common/file-xwd.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff -urp gimp-2.10.30.orig/plug-ins/common/file-xwd.c gimp-2.10.30/plug-ins/common/file-xwd.c
--- gimp-2.10.30.orig/plug-ins/common/file-xwd.c 2021-12-19 14:48:34.000000000 -0600
+++ gimp-2.10.30/plug-ins/common/file-xwd.c 2025-11-14 16:22:20.303281760 -0600
@@ -1606,9 +1606,18 @@ load_xwd_f2_d16_b16 (const gchar *fi
greenval = (green * 255) / maxgreen;
for (blue = 0; blue <= maxblue; blue++)
{
+ guint32 offset = ((red << redshift) + (green << greenshift) +
+ (blue << blueshift)) * 3;
+
+ if (offset+2 >= maxval)
+ {
+ g_free (data);
+ g_free (ColorMap);
+ g_object_unref (buffer);
+ return NULL;
+ }
blueval = (blue * 255) / maxblue;
- cm = ColorMap + ((red << redshift) + (green << greenshift)
- + (blue << blueshift)) * 3;
+ cm = ColorMap + offset;
*(cm++) = redval;
*(cm++) = greenval;
*cm = blueval;
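Review bot: The new guard `if (offset+2 >= maxval)` does its addition in 32 bits and can wrap: `offset` is a `guint32`, so a value of 0xFFFFFFFE or 0xFFFFFFFF makes `offset+2` become 0 or 1 and pass the check before `cm = ColorMap + offset`. The sum `(red << redshift) + (green << greenshift) + (blue << blueshift)` is also evaluated in signed `gint` and multiplied by 3 before it is stored, so a large shift could overflow ahead of the comparison; whether the shifts are bounded earlier is not visible in this hunk. A subtraction-based test such as `if (offset >= maxval || maxval - offset < 3)` avoids the wrap in the comparison itself. Separately, the function's return type and the definition of `maxval` lie outside the hunk; if this 2.10 loader returns a `gint32` image ID with -1 on failure, `return NULL;` would hand back 0 instead of the failure value and should read `return -1;`.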