File gimp-CVE-2025-10924.patch of Package gimp

From 53b18653bca9404efeab953e75960b1cf7dedbed Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Wed, 3 Sep 2025 22:10:34 +0000
Subject: [PATCH] plug-ins: Fix ZDI-CAN-27836

ZDI-CAN-27836: GIMP FF File Parsing Integer Overflow
Remote Code Execution Vulnerability

This patch increases the row_size data type to gsize and checks if it
would overflow based on the width given. It also makes sure the image
size does not exceed GIMP's image size limits.
---
 plug-ins/common/file-farbfeld.c | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/plug-ins/common/file-farbfeld.c b/plug-ins/common/file-farbfeld.c
index f610fa439a..921e4e35cc 100644
--- a/plug-ins/common/file-farbfeld.c
+++ b/plug-ins/common/file-farbfeld.c
@@ -261,7 +261,7 @@ load_image (GFile        *file,
   guchar      magic_number[8];
   guint32     width;
   guint32     height;
-  guint32     row_size;
+  gsize       row_size;
   const Babl *format = babl_format ("R'G'B'A u16");
   FILE       *fp;
 
@@ -282,13 +282,24 @@ load_image (GFile        *file,
     {
       g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
                    _("Failed to read Farbfeld header"));
+      fclose (fp);
       return NULL;
     }
 
   /* Header information is stored in Big-Endian format */
   width = GUINT32_FROM_BE (width);
   height = GUINT32_FROM_BE (height);
-  row_size = width * sizeof (guint16) * 4;
+
+  if (width > GIMP_MAX_IMAGE_SIZE  ||
+      height > GIMP_MAX_IMAGE_SIZE ||
+      ! g_size_checked_mul (&row_size, width, (sizeof (guint16) * 4)))
+    {
+      g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
+                   _("Image dimensions too large: width %d x height %d"),
+                   width, height);
+      fclose (fp);
+      return NULL;
+    }
 
   image = gimp_image_new_with_precision (width, height, GIMP_RGB,
                                          GIMP_PRECISION_U16_NON_LINEAR);
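Review bot: The new error message formats `width` and `height` with `%d`, but both are `guint32`, and this branch is taken exactly when a header value can exceed `G_MAXINT`, so a hostile file produces negative numbers in the message; use `_("Image dimensions too large: width %u x height %u")`. The guard also lets a zero width or height through: `row_size` then becomes 0 and `g_try_malloc (0)` returns NULL, so the allocation check added later in this patch would report an out-of-memory error for what is really a malformed header. Rejecting zero dimensions here, with their own message, would keep the diagnostics accurate. On 64-bit builds `g_size_checked_mul` cannot fail for a 32-bit width, so the `GIMP_MAX_IMAGE_SIZE` comparison is the effective bound and deserves a short comment saying so. `load_image` begins and ends outside this hunk.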
@@ -298,12 +309,19 @@ load_image (GFile        *file,
                           gimp_image_get_default_new_layer_mode (image));
   gimp_image_insert_layer (image, layer, NULL, 0);
 
-  buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
+  pixels = g_try_malloc (row_size);
+  if (pixels == NULL)
+    {
+      g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
+                   _("There was not enough memory to complete the "
+                     "operation."));
+      fclose (fp);
+      return NULL;
+    }
 
+  buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
   for (gint i = 0; i < height; i++)
     {
-      pixels = g_malloc (row_size);
-
       if (! fread (pixels, row_size, 1, fp))
         {
           g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
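Review bot: The new early return under `if (pixels == NULL)` releases only `fp`, yet by that point the image has been created and the layer inserted, so the half-built image is left behind; add `gimp_image_delete (image);` before `fclose (fp);`. Because `pixels` is now allocated once ahead of the loop instead of per row, the `fread` failure branch must also `g_free (pixels)` before it returns. That branch continues outside the hunk, so please confirm it does. A one-line comment above the allocation, such as `/* one row buffer, reused for every scanline */`, would explain why the free moved out of the loop.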
@@ -318,9 +336,8 @@ load_image (GFile        *file,
       gegl_buffer_set (buffer,
                        GEGL_RECTANGLE (0, i, width, 1), 0,
                        format, pixels, GEGL_AUTO_ROWSTRIDE);
-
-      g_free (pixels);
     }
+  g_free (pixels);
 
   fclose (fp);
   g_object_unref (buffer);
-- 
GitLab
