File gimp-CVE-2025-2760.patch of Package gimp.40409
commit c17b324910204a47828d6fbb542bdcefbd66bcc1
Author: Jacob Boerema <jgboerema@gmail.com>
Date: Thu Jun 12 13:23:59 2025 -0400
plug-ins/dds: fix #12790 for 32-bit
On 32-bit systems the computed linear size can overflow, causing a
crash.
Use a function that checks for overflow when multiplying and return
an error if that fails.
As an extra security measure, also update the loop to compute the base
offset after each line of data, and convert to gsize first when computing
the size for g_malloc and memset.
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -1208,14 +1208,22 @@
{
unsigned char *dst;
- dst = g_malloc (width * height * d->gimp_bpp);
- memset (dst, 0, width * height * d->gimp_bpp);
+ dst = g_malloc ((gsize) width * height * d->gimp_bpp);
+ memset (dst, 0, (gsize) width * height * d->gimp_bpp);
if (d->gimp_bpp == 4)
{
+ guchar *dst_line;
+
+ dst_line = dst;
for (y = 0; y < height; ++y)
- for (x = 0; x < width; ++x)
- dst[y * (width * 4) + (x * 4) + 3] = 255;
+ {
+ for (x = 0; x < width; ++x)
+ {
+ dst_line[(x * 4) + 3] = 255;
+ }
+ dst_line += width * 4;
+ }
}
dxt_decompress (dst, buf, format, size, width, height, d->gimp_bpp,