File gimp-CVE-2026-0797-1.patch of Package gimp.42549

From c54bf22acb04b83ae38ed50add58f300e898dd81 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Fri, 26 Dec 2025 15:49:45 +0000
Subject: [PATCH] plug-ins: Add more fread () checks in ICO loading

Resolves #15555

This patch adds some guards for ico_read_int8 (),
which was used for loading palettes and maps
without verifying that it returned the same number
of bytes as what it tried to read in.
---
 plug-ins/file-ico/ico-load.c | 33 ++++++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
index 818cf23cd3..68637cbd74 100644
--- a/plug-ins/file-ico/ico-load.c
+++ b/plug-ins/file-ico/ico-load.c
@@ -69,7 +69,9 @@ ico_read_int32 (FILE    *fp,
   total = count;
   if (count > 0)
     {
-      ico_read_int8 (fp, (guint8 *) data, count * 4);
+      if (ico_read_int8 (fp, (guint8 *) data, count * 4) != (count * 4))
+        return FALSE;
+
       for (i = 0; i < count; i++)
         data[i] = GUINT32_FROM_LE (data[i]);
     }
@@ -88,7 +90,9 @@ ico_read_int16 (FILE    *fp,
   total = count;
   if (count > 0)
     {
-      ico_read_int8 (fp, (guint8 *) data, count * 2);
+      if (ico_read_int8 (fp, (guint8 *) data, count * 2) != (count * 2))
+        return FALSE;
+
       for (i = 0; i < count; i++)
         data[i] = GUINT16_FROM_LE (data[i]);
     }
@@ -109,8 +113,8 @@ ico_read_int8 (FILE   *fp,
   while (count > 0)
     {
       bytes = fread ((gchar *) data, sizeof (gchar), count, fp);
-      if (bytes <= 0) /* something bad happened */
-        break;
+      if (bytes != count) /* something bad happened */
+        return -1;
 
       count -= bytes;
       data += bytes;
@@ -489,16 +493,31 @@ ico_read_icon (FILE    *fp,
          data.used_clrs, data.bpp));
 
       palette = g_new0 (guint32, data.used_clrs);
-      ico_read_int8 (fp, (guint8 *) palette, data.used_clrs * 4);
+      if (ico_read_int8 (fp,
+                         (guint8 *) palette,
+                         data.used_clrs * 4) != (data.used_clrs * 4))
+        {
+          D(("skipping image: too large\n"));
+          return FALSE;
+        }
+
     }
 
   xor_map = ico_alloc_map (w, h, data.bpp, &length);
-  ico_read_int8 (fp, xor_map, length);
+  if (ico_read_int8 (fp, xor_map, length) != length)
+    {
+      D(("skipping image: too large\n"));
+      return FALSE;
+    }
   D(("  length of xor_map: %i\n", length));
 
   /* Read in and_map. It's padded out to 32 bits per line: */
   and_map = ico_alloc_map (w, h, 1, &length);
-  ico_read_int8 (fp, and_map, length);
+  if (! ico_read_int8 (fp, and_map, length) != length)
+    {
+      D(("skipping image: too large\n"));
+      return FALSE;
+    }
   D(("  length of and_map: %i\n", length));
 
   dest_vec = (guint32 *) buf;
-- 
GitLab