rpms/gimp
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Import from CS git

Browse Source
This commit is contained in:
eabdullin 2025-12-03 10:05:33 +00:00
parent 9b89e2e572
commit 928eeb76c6
2 changed files with 152 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
SOURCES/gimp-3.0.4-CVE-2025-10920-10925-10934.patch Normal file
View File

@ -0,0 +1,140 @@
diff -urNp a/plug-ins/common/file-dicom.c b/plug-ins/common/file-dicom.c
--- a/plug-ins/common/file-dicom.c 2025-11-24 10:46:53.834737210 +0100
+++ b/plug-ins/common/file-dicom.c 2025-11-25 16:39:29.616469102 +0100
@@ -328,6 +328,7 @@ load_image (const gchar *filename,
gint bits_stored = 0;
gint high_bit = 0;
guint8 *pix_buf = NULL;
+ guint64 pixbuf_size = 0;
gboolean is_signed = FALSE;
guint8 in_sequence = 0;
@@ -382,6 +383,7 @@ load_image (const gchar *filename,
guint16 ctx_us;
guint8 *value;
guint32 tag;
+ size_t actual_read;
gboolean do_toggle_endian = FALSE;
gboolean implicit_encoding = FALSE;
@@ -472,15 +474,24 @@ load_image (const gchar *filename,
if (element_length >= (G_MAXUINT - 6))
{
- g_message ("'%s' seems to have an incorrect value field length.",
- gimp_filename_to_utf8 (filename));
- gimp_quit ();
+ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
+ _("'%s' has an an incorrect value for field size. Possibly corrupt image."),
+ gimp_filename_to_utf8 (filename));
+ g_free (dicominfo);
+ fclose (DICOM);
+ return NULL;
}
/* Read contents. Allocate a bit more to make room for casts to int
below. */
value = g_new0 (guint8, element_length + 4);
- fread (value, 1, element_length, DICOM);
+ actual_read = fread (value, 1, element_length, DICOM);
+ if (actual_read < element_length)
+ {
+ g_warning ("Missing data: needed %u bytes, got %u. Possibly corrupt image.",
+ element_length, (guint32) actual_read);
+ element_length = actual_read;
+ }
/* ignore everything inside of a sequence */
if (in_sequence)
@@ -541,6 +552,7 @@ load_image (const gchar *filename,
if (group_word == 0x7fe0 && element_word == 0x0010)
{
pix_buf = value;
+ pixbuf_size = element_length;
}
else
{
@@ -570,26 +582,50 @@ load_image (const gchar *filename,
g_free (value);
}
}
+ g_debug ("Bpp: %d, wxh: %u x %u, spp: %d\n", bpp, width, height, samples_per_pixel);
if ((bpp != 8) && (bpp != 16))
{
- g_message ("'%s' has a bpp of %d which GIMP cannot handle.",
- gimp_filename_to_utf8 (filename), bpp);
- gimp_quit ();
+ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
+ _("'%s' has a bpp of %d which GIMP cannot handle."),
+ gimp_filename_to_utf8 (filename), bpp);
+ g_free (pix_buf);
+ g_free (dicominfo);
+ fclose (DICOM);
+ return NULL;
}
if ((width > GIMP_MAX_IMAGE_SIZE) || (height > GIMP_MAX_IMAGE_SIZE))
{
- g_message ("'%s' has a larger image size (%d x %d) than GIMP can handle.",
- gimp_filename_to_utf8 (filename), width, height);
- gimp_quit ();
+ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
+ _("'%s' has a larger image size (%d x %d) than GIMP can handle."),
+ gimp_filename_to_utf8 (filename), width, height);
+ g_free (pix_buf);
+ g_free (dicominfo);
+ fclose (DICOM);
+ return NULL;
}
if (samples_per_pixel > 3)
{
- g_message ("'%s' has samples per pixel of %d which GIMP cannot handle.",
- gimp_filename_to_utf8 (filename), samples_per_pixel);
- gimp_quit ();
+ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
+ _("'%s' has samples per pixel of %d which GIMP cannot handle."),
+ gimp_filename_to_utf8 (filename), samples_per_pixel);
+ g_free (pix_buf);
+ g_free (dicominfo);
+ fclose (DICOM);
+ return NULL;
+ }
+
+ if ((guint64) width * height * (bpp >> 3) * samples_per_pixel > pixbuf_size)
+ {
+ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
+ _("'%s' has not enough pixel data. Possibly corrupt image."),
+ gimp_filename_to_utf8 (filename));
+ g_free (pix_buf);
+ g_free (dicominfo);
+ fclose (DICOM);
+ return NULL;
}
dicominfo->width = width;
diff -urNp a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
--- a/plug-ins/common/file-xwd.c 2025-11-24 10:46:53.834737210 +0100
+++ b/plug-ins/common/file-xwd.c 2025-11-25 18:20:32.452021810 +0100
@@ -1551,9 +1551,18 @@ load_xwd_f2_d16_b16 (const gchar *fi
greenval = (green * 255) / maxgreen;
for (blue = 0; blue <= maxblue; blue++)
{
+ guint32 offset = ((red << redshift) + (green << greenshift) +
+ (blue << blueshift)) * 3;
+
+ if (offset+2 >= maxval)
+ {
+ g_message (_("Invalid colormap offset. Possibly corrupt image."));
+ g_free (data);
+ g_free (ColorMap);
+ return NULL;
+ }
blueval = (blue * 255) / maxblue;
- cm = ColorMap + ((red << redshift) + (green << greenshift)
- + (blue << blueshift)) * 3;
+ cm = ColorMap + offset;
*(cm++) = redval;
*(cm++) = greenval;
*cm = blueval;

13
SPECS/gimp.spec
View File

@ -75,7 +75,7 @@ Summary: GNU Image Manipulation Program
Name: gimp
Epoch: 2
Version: 2.8.22
Release: %{?prerelprefix}26%{dotprerel}%{dotgitrev}%{?dist}.2
Release: %{?prerelprefix}26%{dotprerel}%{dotgitrev}%{?dist}.3
# Compute some version related macros.
# Ugly, need to get quoting percent signs straight.
@ -220,6 +220,7 @@ Patch16: gimp-2.8.22-fix-fclose-leak.patch
Patch17: gimp-CVE-2025-48797.patch
Patch18: gimp-CVE-2025-48798.patch
Patch19: gimp-CVE-2025-5473.patch
Patch20: gimp-3.0.4-CVE-2025-10920-10925-10934.patch
# use external help browser directly if help browser plug-in is not built
Patch100: gimp-2.8.6-external-help-browser.patch
@ -324,6 +325,7 @@ EOF
%patch17 -p1 -b .CVE-2025-48797
%patch18 -p1 -b .CVE-2025-48798
%patch19 -p1 -b .CVE-2025-5473
%patch20 -p1 -b .CVE-2025-10920-10925-10934
%if ! %{with helpbrowser}
%patch100 -p1 -b .external-help-browser
@ -663,6 +665,15 @@ make check
%endif
%changelog
* Mon Nov 24 2025 Josef Ridky <jridky@redhat.com> - 2:2.8.22-26.3
- fix CVE-2025-10920
- fix CVE-2025-10921
- fix CVE-2025-10922
- fix CVE-2025-10923
- fix CVE-2025-10924
- fix CVE-2025-10925
- fix CVE-2025-10934
* Sat Jun 14 2025 Josef Ridky <jridky@redhat.com> - 2:2.8.22-26.2
- fix CVE-2025-5473 (RHEL-95696)