File gimp-CVE-2026-2271.patch of Package gimp.42671

From 0e63f096fa5f7dc3fae0a8e865fd5a05ebe45da8 Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Fri, 23 Jan 2026 11:35:50 -0500
Subject: [PATCH] plug-ins: Fix #15732 PSP File Parsing Integer Overflow...

Leading to Heap Corruption

An integer overflow vulnerability has been identified in the PSP
(Paint Shop Pro) file parser of GIMP. The issue occurs in the
read_creator_block() function, where the Creator metadata block is
processed. Specifically, a 32-bit length value read from the file is
used directly for memory allocation without proper validation.
Trigger -> when length is set to 0xFFFFFFFF

To fix this, we check that using that length doesn't exceed the end
of the creator block. If it does, we return with an error message.
---
 plug-ins/common/file-psp.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index 9004998ab6..0ce72402ab 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1121,7 +1121,17 @@ read_creator_block (FILE      *f,
         }
       keyword = GUINT16_FROM_LE (keyword);
       length = GUINT32_FROM_LE (length);
-      switch (keyword)
+
+      if ((goffset) ftell (f) + length > (goffset) data_start + total_len)
+        {
+          /* FIXME: After string freeze is over, we should consider changing
+           * this error message to be a bit more descriptive. */
+          g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+                        _("Error reading creator keyword data"));
+          return -1;
+        }
+
+        switch (keyword)
         {
         case PSP_CRTR_FLD_TITLE:
         case PSP_CRTR_FLD_ARTIST:
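Review bot: the new bound check `if ((goffset) ftell (f) + length > (goffset) data_start + total_len)` does not handle ftell() failing, which returns -1; store the offset in a goffset first, error out if it is negative, then compare. The cast itself is right: promoting to the 64-bit goffset before adding the guint32 `length` means a value such as 0xFFFFFFFF can no longer wrap the sum. Separately, the re-added `switch (keyword)` line is now indented eight spaces while the `{` and `case` lines below it keep the original alignment; restore the six-space indent so the block stays consistent with the surrounding code.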
-- 
2.53.0
