File gimp-CVE-2025-14422.patch of Package gimp.42322
From 4ff2d773d58064e6130495de498e440f4a6d5edb Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sun, 23 Nov 2025 16:43:51 +0000
Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
Resolves #15286
Adds a check to the memory allocation
in pnm_load_raw () with g_size_checked_mul ()
to see if the size would go out of bounds.
If so, we don't try to allocate and load the
image.
---
plug-ins/common/file-pnm.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff -urp gimp-2.10.30.orig/plug-ins/common/file-pnm.c gimp-2.10.30/plug-ins/common/file-pnm.c
--- gimp-2.10.30.orig/plug-ins/common/file-pnm.c 2021-12-19 14:48:34.000000000 -0600
+++ gimp-2.10.30/plug-ins/common/file-pnm.c 2026-01-16 13:49:58.140532569 -0600
@@ -554,7 +554,7 @@ load_image (GFile *file,
GError **error)
{
GInputStream *input;
- GeglBuffer *buffer;
+ GeglBuffer *buffer = NULL;
gint32 volatile image_ID = -1;
gint32 layer_ID;
char buf[BUFLEN + 4]; /* buffer for random things like scanning */
@@ -584,6 +584,9 @@ load_image (GFile *file,
g_object_unref (input);
g_free (pnminfo);
+ if (buffer)
+ g_object_unref (buffer);
+
if (image_ID != -1)
gimp_image_delete (image_ID);
@@ -819,6 +822,7 @@ pnm_load_raw (PNMScanner *scan,
GInputStream *input;
gint bpc;
guchar *data, *d;
+ gsize data_size;
gushort *s;
gint x, y, i;
gint start, end, scanlines;
@@ -829,7 +833,12 @@ pnm_load_raw (PNMScanner *scan,
bpc = 1;
/* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
+ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
+ ! g_size_checked_mul (&data_size, data_size, info->np) ||
+ ! g_size_checked_mul (&data_size, data_size, bpc))
+ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
+
+ data = g_new (guchar, data_size);
input = pnmscanner_input (scan);
