File gimp-CVE-2025-14422.patch of Package gimp
From 4ff2d773d58064e6130495de498e440f4a6d5edb Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sun, 23 Nov 2025 16:43:51 +0000
Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273
Resolves #15286
Adds a check to the memory allocation
in pnm_load_raw () with g_size_checked_mul ()
to see if the size would go out of bounds.
If so, we don't try to allocate and load the
image.
---
plug-ins/common/file-pnm.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c
index 32a33a4f35..9d349e967e 100644
--- a/plug-ins/common/file-pnm.c
+++ b/plug-ins/common/file-pnm.c
@@ -674,7 +674,7 @@ load_image (GFile *file,
GError **error)
{
GInputStream *input;
- GeglBuffer *buffer;
+ GeglBuffer *buffer = NULL;
GimpImage * volatile image = NULL;
GimpLayer *layer;
char buf[BUFLEN + 4]; /* buffer for random things like scanning */
@@ -708,6 +708,9 @@ load_image (GFile *file,
g_object_unref (input);
g_free (pnminfo);
+ if (buffer)
+ g_object_unref (buffer);
+
if (image)
gimp_image_delete (image);
@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan,
const Babl *format = NULL;
gint bpc;
guchar *data, *d;
+ gsize data_size;
gushort *s;
gint x, y, i;
gint start, end, scanlines;
@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan,
bpc = 1;
/* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */
- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc);
+ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) ||
+ ! g_size_checked_mul (&data_size, data_size, info->np) ||
+ ! g_size_checked_mul (&data_size, data_size, bpc))
+ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value."));
+
+ data = g_new (guchar, data_size);
input = pnmscanner_input (scan);
--
2.52.0
