File gimp-CVE-2026-4154.patch of Package gimp
From 2e7ed91793792d9e980b2df4c829e9aa60459253 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Fri, 6 Mar 2026 13:54:44 +0000
Subject: [PATCH] plug-in: Resolve ZDI-CAN-28901 for file-xpm
Resolves #15971
It was possible to set a XPM image to have a width and/or height
that is larger than what GIMP can create an image for. In addition to
causing gimp_image_new () to fail, it can also lead to buffer overflow
when allocating space to read in the image.
This patch adds a GError parameter to parse_image (), then uses it to
pass up an error for either oversized images or buffer overflows.
---
plug-ins/common/file-xpm.c | 32 ++++++++++++++++++++++++++++----
1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/plug-ins/common/file-xpm.c b/plug-ins/common/file-xpm.c
index ba02961f1c0..71a0b19e8d3 100644
--- a/plug-ins/common/file-xpm.c
+++ b/plug-ins/common/file-xpm.c
@@ -125,7 +125,8 @@ static GimpImage * load_image (GFile *file,
static guchar * parse_colors (XpmImage *xpm_image);
static void parse_image (GimpImage *image,
XpmImage *xpm_image,
- guchar *cmap);
+ guchar *cmap,
+ GError **error);
static gboolean export_image (GFile *file,
GimpImage *image,
GimpDrawable *drawable,
@@ -385,12 +386,28 @@ load_image (GFile *file,
cmap = parse_colors (&xpm_image);
+ if (xpm_image.width > GIMP_MAX_IMAGE_SIZE)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Unsupported or invalid image width: %d"),
+ xpm_image.width);
+ return NULL;
+ }
+
+ if (xpm_image.height > GIMP_MAX_IMAGE_SIZE)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Unsupported or invalid image height: %d"),
+ xpm_image.height);
+ return NULL;
+ }
+
image = gimp_image_new (xpm_image.width,
xpm_image.height,
GIMP_RGB);
/* fill it */
- parse_image (image, &xpm_image, cmap);
+ parse_image (image, &xpm_image, cmap, error);
g_free (cmap);
@@ -472,7 +489,8 @@ parse_colors (XpmImage *xpm_image)
static void
parse_image (GimpImage *image,
XpmImage *xpm_image,
- guchar *cmap)
+ guchar *cmap,
+ GError **error)
{
GeglBuffer *buffer;
gint tile_height;
@@ -498,7 +516,13 @@ parse_image (GimpImage *image,
tile_height = gimp_tile_height ();
- buf = g_new (guchar, tile_height * xpm_image->width * 4);
+ buf = g_try_new (guchar, tile_height * xpm_image->width * 4);
+ if (buf == NULL)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ "%s", _("XPM file invalid"));
+ return;
+ }
src = xpm_image->data;
for (i = 0; i < xpm_image->height; i += tile_height)
--
GitLab
