File gimp-CVE-2026-2048.patch of Package gimp.42860

From fa69ac5ec5692f675de5c50a6df758f7d3e45117 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Wed, 31 Dec 2025 14:45:15 +0000
Subject: [PATCH] plug-ins: Add OoB check for loading XWD

Resolves #15554
This patch adds a check for whether our pointer arithmetic
exceeds the memory allocated for the dest array. If so,
we throw an error rather than access memory outside
the bounds.

(cherry picked from commit 57712677007793118388c5be6fb8231f22a2b341)
---
 plug-ins/common/file-xwd.c | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff -urp gimp-2.10.30.orig/plug-ins/common/file-xwd.c gimp-2.10.30/plug-ins/common/file-xwd.c
--- gimp-2.10.30.orig/plug-ins/common/file-xwd.c	2026-02-23 16:40:34.005625758 -0600
+++ gimp-2.10.30/plug-ins/common/file-xwd.c	2026-02-24 09:46:18.408042402 -0600
@@ -2096,6 +2096,7 @@ load_xwd_f1_d24_b1 (const gchar      *fi
   gulong           redmask, greenmask, bluemask;
   guint            redshift, greenshift, blueshift;
   gulong           g;
+  guint32          maxval;
   guchar           redmap[256], greenmap[256], bluemap[256];
   guchar           bit_reverse[256];
   guchar          *xwddata, *xwdin, *data;
@@ -2186,7 +2187,8 @@ load_xwd_f1_d24_b1 (const gchar      *fi
                                &layer_ID, &buffer);
 
   tile_height = gimp_tile_height ();
-  data = g_malloc (tile_height * width * bytes_per_pixel);
+  data        = g_malloc (tile_height * width * bytes_per_pixel);
+  maxval      = tile_height * width * bytes_per_pixel;
 
   ncols = xwdhdr->l_colormap_entries;
   if (xwdhdr->l_ncolors < ncols)
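Review bot: The bound in `maxval` and the size passed to `g_malloc` come from two separate evaluations of `tile_height * width * bytes_per_pixel`, with no overflow check, and they land in different types (`guint32` per the first hunk, `gsize` for the allocator). The operand declarations are outside the hunk, but `width` presumably comes from the XWD header, so a wrapped or truncated product could leave the bound and the real allocation disagreeing. Compute the size once into a `gsize` with a checked multiply (GLib's `g_size_checked_mul`), fail the load on overflow, and declare `maxval` as `gsize` so that `data = g_malloc (maxval);` and the bound agree by construction. The `memset` at the top of the tile loop repeats the same product a third time and should reuse that value too.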
@@ -2211,6 +2213,8 @@ load_xwd_f1_d24_b1 (const gchar      *fi
 
   for (tile_start = 0; tile_start < height; tile_start += tile_height)
     {
+      guint current_dest = 0;
+
       memset (data, 0, width*tile_height*bytes_per_pixel);
 
       tile_end = tile_start + tile_height - 1;
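Review bot: `current_dest` is zeroed once per tile here, but it is meant to mirror `dest`, and the statement that re-points `dest` at `data` is outside the visible hunks. If that reset happens per plane (the `2 - fromright / 8` start offset in the next hunk suggests it does), the counter keeps accumulating across planes while the pointer does not, and the `current_dest < maxval` checks would start rejecting well-formed input from the second plane on. Reset the counter in the same place the pointer is reset, e.g. `dest = data; current_dest = 0;`, and document the invariant with a comment such as `/* current_dest == dest - data at all times */` so a reader can verify the guard.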
@@ -2234,7 +2238,18 @@ load_xwd_f1_d24_b1 (const gchar      *fi
           else           /* 3 bytes per pixel */
             {
               fromright = xwdhdr->l_pixmap_depth-1-plane;
-              dest += 2 - fromright/8;
+
+              current_dest += 2 - fromright / 8;
+              if (current_dest < maxval)
+                {
+                  dest += 2 - fromright / 8;
+                }
+              else
+                {
+                  err = 1;
+                  break;
+                }
+
               outmask = (1 << (fromright % 8));
             }
 
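Review bot: A pixmap depth above 24 makes `2 - fromright / 8` negative, and this guard only rejects that case because `current_dest` is unsigned and wraps to a very large value when it starts at zero; nothing in the hunk says so, and the protection disappears if the counter is non-zero on entry. Either validate `xwdhdr->l_pixmap_depth` against the 3-byte layout before the loops (whether an earlier check exists is not visible here), or compute the offset once and reject it explicitly: `gint offset = 2 - fromright / 8;` then `if (offset < 0 || current_dest + offset >= maxval) { err = 1; break; }`. At minimum add a comment on the check, e.g. `/* negative offsets wrap the unsigned counter and fail the bound */`. The `break` leaves the enclosing loop, whose header is outside the hunk.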
@@ -2289,7 +2304,17 @@ load_xwd_f1_d24_b1 (const gchar      *fi
 
                   if (g & inmask)
                     *dest |= outmask;
-                  dest += bytes_per_pixel;
+
+                  current_dest += bytes_per_pixel;
+                  if (current_dest < maxval)
+                    {
+                      dest += bytes_per_pixel;
+                    }
+                  else
+                    {
+                      err = 1;
+                      break;
+                    }
 
                   inmask >>= 1;
                 }
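Review bot: The bound is tested after the store and against the position of the next pixel, so the last pixel of a completely filled buffer pushes the counter to `maxval` or beyond and takes the `err = 1` branch even though every write so far was in range. What needs guarding is the `*dest |= outmask` store, not the advance that follows it. Testing `current_dest >= maxval` before the store and then advancing pointer and counter together keeps the out-of-bounds protection without flagging valid files. This assumes `current_dest` always equals `dest - data`, which depends on code outside the hunk. The `break` also only leaves the innermost loop shown here, so whether the enclosing loops stop on `err` should be checked in the full function.

```c
                  /* Bound the store itself; current_dest mirrors dest - data. */
                  if (current_dest >= maxval)
                    {
                      err = 1;
                      break;
                    }

                  if (g & inmask)
                    *dest |= outmask;

                  dest         += bytes_per_pixel;
                  current_dest += bytes_per_pixel;
```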