File gimp-CVE-2026-2272.patch of Package gimp.42671
From 058ada8f3ffc0a42b7dd1561a8817c8cc83b7d2a Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Mon, 12 Jan 2026 12:17:00 +0000
Subject: [PATCH] plug-ins: Add overflow checks for ICO loading
As pointed out by Dhiraj, it is possible to set width and
height values in the ICO header that will overflow a 32 bit
integer when loaded in. This patch adds checks using
g_size_checked_mul () and g_try_new () to catch these
overflows and prevent them from crashing the plug-in.
---
plug-ins/file-ico/ico-load.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff -urp gimp-2.10.30.orig/plug-ins/file-ico/ico-load.c gimp-2.10.30/plug-ins/file-ico/ico-load.c
--- gimp-2.10.30.orig/plug-ins/file-ico/ico-load.c 2021-12-19 14:48:34.000000000 -0600
+++ gimp-2.10.30/plug-ins/file-ico/ico-load.c 2026-02-11 10:16:09.881617453 -0600
@@ -418,6 +418,7 @@ ico_read_icon (FILE *fp,
gint *height)
{
IcoFileDataHeader data;
+ gsize data_size;
gint length;
gint x, y, w, h;
guchar *xor_map, *and_map;
@@ -463,7 +464,9 @@ ico_read_icon (FILE *fp,
return FALSE;
}
- if (data.width * data.height * 2 > maxsize)
+ if (! g_size_checked_mul (&data_size, data.width, data.height) ||
+ ! g_size_checked_mul (&data_size, data_size, 2) ||
+ data_size > maxsize)
{
D(("skipping image: too large\n"));
return FALSE;
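Review bot: The last clause, `data_size > maxsize`, compares a `gsize` against `maxsize`, whose declaration is outside the hunk. If `maxsize` is a signed `gint`, it is converted to unsigned for this comparison, so a negative value from the caller becomes a very large bound and every `data_size` passes. Guarding it explicitly, e.g. `maxsize < 0 || data_size > (gsize) maxsize`, keeps the limit meaningful however the caller computed it. A short comment above the condition, such as `/* width and height come from the file header; compute w*h*2 with overflow checking */`, would record why the checked multiply is there. The body of `ico_read_icon` starts and ends outside the hunk.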
@@ -710,7 +713,14 @@ ico_load_image (const gchar *filename,
gimp_image_set_filename (image, filename);
maxsize = max_width * max_height * 4;
- buf = g_new (guchar, max_width * max_height * 4);
+ buf = g_try_new (guchar, maxsize);
+ if (! buf)
+ {
+ g_free (info);
+ fclose (fp);
+ return NULL;
+ }
+
for (i = 0; i < icon_count; i++)
{
ico_load_layer (fp, image, i, buf, maxsize, info+i);
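Review bot: The context line `maxsize = max_width * max_height * 4;` is still an unchecked multiplication, so the value passed to `g_try_new` and on to `ico_load_layer` may already have wrapped before the new NULL check runs. The declarations are outside the hunk, but if these are `gint`, the overflow is undefined behaviour and `g_try_new` only catches the wrapped results that happen to be unallocatable. Computing the size the same way the commit does in `ico_read_icon`, e.g. `if (! g_size_checked_mul (&buf_size, max_width, max_height) || ! g_size_checked_mul (&buf_size, buf_size, 4) || buf_size > G_MAXINT)` with a local `gsize buf_size`, and assigning `maxsize` only after that check passes, would bound it properly. The new failure path also frees `info` and closes `fp` but leaves `image` (already in use in the `gimp_image_set_filename` call above) undeleted. It also returns `NULL`; please confirm this matches the function's return type and the sentinel used by its other error returns in this 2.10.30 tree, since the signature is not visible here.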