File gimp-CVE-2025-6035.patch of Package gimp.39680
diff --git a/plug-ins/common/despeckle.c b/plug-ins/common/despeckle.c
index 8113343..36b8fc7 100644
--- a/plug-ins/common/despeckle.c
+++ b/plug-ins/common/despeckle.c
@@ -89,7 +89,7 @@ static void run (const gchar *name,
gint *nreturn_vals,
GimpParam **return_vals);
-static void despeckle (void);
+static gboolean despeckle (void);
static void despeckle_median (guchar *src,
guchar *dst,
gint width,
@@ -250,7 +250,8 @@ run (const gchar *name,
if (gimp_drawable_is_rgb (drawable_ID) ||
gimp_drawable_is_gray (drawable_ID))
{
- despeckle ();
+ if (! despeckle ())
+ return;
if (run_mode != GIMP_RUN_NONINTERACTIVE)
gimp_displays_flush ();
@@ -317,7 +318,7 @@ pixel_copy (guchar *dest,
* accordingly.
*/
-static void
+static gboolean
despeckle (void)
{
GeglBuffer *src_buffer;
@@ -328,10 +329,11 @@ despeckle (void)
gint img_bpp;
gint x, y;
gint width, height;
+ gsize bufsize = 0;
if (! gimp_drawable_mask_intersect (drawable_ID,
&x, &y, &width, &height))
- return;
+ return TRUE;
if (gimp_drawable_is_rgb (drawable_ID))
{
@@ -353,8 +355,21 @@ despeckle (void)
src_buffer = gimp_drawable_get_buffer (drawable_ID);
dest_buffer = gimp_drawable_get_shadow_buffer (drawable_ID);
- src = g_new (guchar, width * height * img_bpp);
- dst = g_new (guchar, width * height * img_bpp);
+ if (! g_size_checked_mul (&bufsize, width, height) ||
+ ! g_size_checked_mul (&bufsize, bufsize, img_bpp))
+ {
+ return FALSE;
+ }
+
+ src = g_try_malloc (bufsize);
+ dst = g_try_malloc (bufsize);
+
+ if (src == NULL || dst == NULL)
+ {
+ g_free (src);
+
+ return FALSE;
+ }
gegl_buffer_get (src_buffer, GEGL_RECTANGLE (x, y, width, height), 1.0,
format, src,
@@ -374,6 +389,8 @@ despeckle (void)
g_free (dst);
g_free (src);
+
+ return TRUE;
}
static gboolean
@@ -515,6 +532,7 @@ static void
preview_update (GtkWidget *widget)
{
GimpPreview *preview = GIMP_PREVIEW (widget);
+ gsize bufsize = 0;
GeglBuffer *src_buffer;
const Babl *format;
guchar *dst;
@@ -549,8 +567,18 @@ preview_update (GtkWidget *widget)
src_buffer = gimp_drawable_get_buffer (drawable_ID);
- dst = g_new (guchar, width * height * img_bpp);
- src = g_new (guchar, width * height * img_bpp);
+ if (! g_size_checked_mul (&bufsize, width, height) ||
+ ! g_size_checked_mul (&bufsize, bufsize, img_bpp))
+ return;
+
+ src = g_try_malloc (bufsize);
+ dst = g_try_malloc (bufsize);
+
+ if (src == NULL || dst == NULL)
+ {
+ g_free (src);
+ return;
+ }
gegl_buffer_get (src_buffer, GEGL_RECTANGLE (x1, y1, width, height), 1.0,
format, src,
