+ gimp-CVE-2025-14422.patch (bsc#1255293 CVE-2025-14422) + gimp-CVE-2025-14423.patch (bsc#1255294 CVE-2025-14423) + gimp-CVE-2025-14424.patch (bsc#1255295 CVE-2025-14424) + gimp-CVE-2025-14425.patch (bsc#1255296 CVE-2025-14425) OBS-URL: https://build.opensuse.org/package/show/graphics/gimp?expand=0&rev=100
From cd1c88a0364ad1444c06536731972a99bd8643fd Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Wed, 12 Nov 2025 13:25:44 +0000
Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
Resolves #15285
Per the report, it's possible to exceed the size of the pixel buffer
with a high precision_scaled value, as we size it to the width * bpp.
This patch includes precision_scaled in the allocation calculation.
It also adds a g_size_checked_mul () check to ensure there's no
overflow, and moves the pixel and buffer memory freeing to occur
in the out section so that it always runs even on failure.
---
diff -urp gimp-3.0.6.orig/plug-ins/common/file-jp2-load.c gimp-3.0.6/plug-ins/common/file-jp2-load.c
|
|
--- gimp-3.0.6.orig/plug-ins/common/file-jp2-load.c 2025-10-05 12:14:02.000000000 -0500
|
|
+++ gimp-3.0.6/plug-ins/common/file-jp2-load.c 2026-01-16 13:01:30.366333187 -0600
|
|
@@ -1045,14 +1045,15 @@ load_image (GimpProcedure *procedure
|
|
GimpColorProfile *profile = NULL;
|
|
GimpImage *gimp_image = NULL;
|
|
GimpLayer *layer;
|
|
+ GeglBuffer *buffer = NULL;
|
|
+ guchar *pixels = NULL;
|
|
+ gsize pixels_size;
|
|
GimpImageType image_type;
|
|
GimpImageBaseType base_type;
|
|
gint width;
|
|
gint height;
|
|
gint num_components;
|
|
- GeglBuffer *buffer;
|
|
gint i, j, k, it;
|
|
- guchar *pixels;
|
|
const Babl *file_format;
|
|
gint bpp;
|
|
GimpPrecision image_precision;
|
|
@@ -1318,7 +1319,15 @@ load_image (GimpProcedure *procedure
|
|
bpp = babl_format_get_bytes_per_pixel (file_format);
|
|
|
|
buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
|
|
- pixels = g_new0 (guchar, width * bpp);
|
|
+
|
|
+ if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
|
|
+ {
|
|
+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
|
|
+ _("Defined row size is too large in JP2 image '%s'."),
|
|
+ gimp_file_get_utf8_name (file));
|
|
+ goto out;
|
|
+ }
|
|
+ pixels = g_new0 (guchar, pixels_size);
|
|
|
|
for (i = 0; i < height; i++)
|
|
{
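Review bot: The per-pixel factor `bpp * (precision_scaled / 8)` passed to g_size_checked_mul rounds precision_scaled down to whole bytes and is evaluated in plain gint arithmetic before the checked multiply, so a precision that is not a multiple of 8 shrinks the row allocation, and a precision below 8 would yield a factor of 0, a pixels_size of 0 and a NULL return from g_new0 that the row loop then writes through. Compute the factor once, round up, and reject zero before multiplying: `gsize per_pixel = (gsize) bpp * ((precision_scaled + 7) / 8);` followed by `if (per_pixel == 0 || ! g_size_checked_mul (&pixels_size, width, per_pixel))` in place of the current condition. Whether precision_scaled can actually take such values is not visible here: the code that assigns it and the loop body that fills pixels are outside the hunk, and load_image continues on both sides of it.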
|
|
@@ -1344,13 +1353,13 @@ load_image (GimpProcedure *procedure
|
|
gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0,
|
|
file_format, pixels, GEGL_AUTO_ROWSTRIDE);
|
|
}
|
|
-
|
|
- g_free (pixels);
|
|
-
|
|
- g_object_unref (buffer);
|
|
gimp_progress_update (1.0);
|
|
|
|
out:
|
|
+ if (pixels)
|
|
+ g_free (pixels);
|
|
+ if (buffer)
|
|
+ g_object_unref (buffer);
|
|
if (profile)
|
|
g_object_unref (profile);
|
|
if (image)
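Review bot: The NULL guards added in the out section, `if (pixels) g_free (pixels);` and `if (buffer) g_object_unref (buffer);`, are redundant for g_free (it accepts NULL) and leave both pointers dangling after release, which matters now that out: is reachable from several goto sites. The GLib idiom `g_clear_pointer (&pixels, g_free); g_clear_object (&buffer);` does the NULL check and resets the pointers in two lines, and would match the existing `if (profile) g_object_unref (profile);` style if that line were converted as well. load_image's remaining cleanup and return value lie outside the hunk.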
|