File gimp-CVE-2026-0797-2.patch of Package gimp.42549
From 905ce4b48782c5e71c79714b7ba7f6ebe4d0329d Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 27 Dec 2025 05:24:03 +0000
Subject: [PATCH] plug-ins: Additional fread () checks in ICO plug-in
A continuation of c54bf22a that adds checks to the
initial header loading as well, to prevent reading
beyond the file size.
---
plug-ins/file-ico/ico-load.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
index 68637cbd74..3cb3e033ec 100644
--- a/plug-ins/file-ico/ico-load.c
+++ b/plug-ins/file-ico/ico-load.c
@@ -441,16 +441,20 @@ ico_read_icon (FILE *fp,
palette = NULL;
data.header_size = header_size;
- ico_read_int32 (fp, &data.width, 1);
- ico_read_int32 (fp, &data.height, 1);
- ico_read_int16 (fp, &data.planes, 1);
- ico_read_int16 (fp, &data.bpp, 1);
- ico_read_int32 (fp, &data.compression, 1);
- ico_read_int32 (fp, &data.image_size, 1);
- ico_read_int32 (fp, &data.x_res, 1);
- ico_read_int32 (fp, &data.y_res, 1);
- ico_read_int32 (fp, &data.used_clrs, 1);
- ico_read_int32 (fp, &data.important_clrs, 1);
+ if (ico_read_int32 (fp, &data.width, 1) != 4 ||
+ ico_read_int32 (fp, &data.height, 1) != 4 ||
+ ico_read_int16 (fp, &data.planes, 1) != 2 ||
+ ico_read_int16 (fp, &data.bpp, 1) != 2 ||
+ ico_read_int32 (fp, &data.compression, 1) != 4 ||
+ ico_read_int32 (fp, &data.image_size, 1) != 4 ||
+ ico_read_int32 (fp, &data.x_res, 1) != 4 ||
+ ico_read_int32 (fp, &data.y_res, 1) != 4 ||
+ ico_read_int32 (fp, &data.used_clrs, 1) != 4 ||
+ ico_read_int32 (fp, &data.important_clrs, 1) != 4)
+ {
+ D(("skipping image: invalid header\n"));
+ return FALSE;
+ }
D((" header size %i, "
"w %i, h %i, planes %i, size %i, bpp %i, used %i, imp %i.\n",
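Review bot: The new check on the ten header reads only proves the bytes were present in the file; `data.width`, `data.height`, `data.bpp` and `data.used_clrs` are still values chosen by whoever produced the file. Further down in ico_read_icon, `w` and `h` are passed to `ico_alloc_map` (visible in the second hunk), so range checks on these fields belong directly after this block if they are not already present in the part of the function outside the hunk. The literals 4 and 2 also rely on the read helpers returning a byte count rather than an element count, which is worth stating above the condition, e.g. `/* ico_read_int32/16 are expected to return bytes read; a short count means a truncated header */`. ico_read_icon begins and ends outside this hunk.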
@@ -513,7 +517,7 @@ ico_read_icon (FILE *fp,
/* Read in and_map. It's padded out to 32 bits per line: */
and_map = ico_alloc_map (w, h, 1, &length);
- if (! ico_read_int8 (fp, and_map, length) != length)
+ if (ico_read_int8 (fp, and_map, length) != length)
{
D(("skipping image: too large\n"));
return FALSE;
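Review bot: The failure branch after the and_map read returns FALSE without releasing `and_map`, which `ico_alloc_map` allocated two lines above, so every truncated icon that reaches this point leaks that buffer. Adding `g_free (and_map);` before `return FALSE;` would close this, assuming ico_alloc_map hands back g_malloc-style memory. Any earlier buffers the function still owns here, such as the palette or XOR map, would need the same treatment, but that code lies outside the hunk. The debug text is also misleading for a short read; `D(("skipping image: truncated AND map\n"));` describes what the corrected comparison detects.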
--
2.52.0