From 928eeb76c6fcd8edbfebbfffe203bc69376f098f Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 3 Dec 2025 10:05:33 +0000
Subject: [PATCH] Import from CS git

---
 ...imp-3.0.4-CVE-2025-10920-10925-10934.patch | 140 ++++++++++++++++++
 SPECS/gimp.spec | 13 +-
 2 files changed, 152 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/gimp-3.0.4-CVE-2025-10920-10925-10934.patch

diff --git a/SOURCES/gimp-3.0.4-CVE-2025-10920-10925-10934.patch b/SOURCES/gimp-3.0.4-CVE-2025-10920-10925-10934.patch
new file mode 100644
index 0000000..8463167
--- /dev/null
+++ b/SOURCES/gimp-3.0.4-CVE-2025-10920-10925-10934.patch
@@ -0,0 +1,140 @@
+diff -urNp a/plug-ins/common/file-dicom.c b/plug-ins/common/file-dicom.c
+--- a/plug-ins/common/file-dicom.c 2025-11-24 10:46:53.834737210 +0100
++++ b/plug-ins/common/file-dicom.c 2025-11-25 16:39:29.616469102 +0100
+@@ -328,6 +328,7 @@ load_image (const gchar *filename,
+ gint bits_stored = 0;
+ gint high_bit = 0;
+ guint8 *pix_buf = NULL;
++ guint64 pixbuf_size = 0;
+ gboolean is_signed = FALSE;
+ guint8 in_sequence = 0;
+
+@@ -382,6 +383,7 @@ load_image (const gchar *filename,
+ guint16 ctx_us;
+ guint8 *value;
+ guint32 tag;
++ size_t actual_read;
+ gboolean do_toggle_endian = FALSE;
+ gboolean implicit_encoding = FALSE;
+
+@@ -472,15 +474,24 @@ load_image (const gchar *filename,
+
+ if (element_length >= (G_MAXUINT - 6))
+ {
+- g_message ("'%s' seems to have an incorrect value field length.",
+- gimp_filename_to_utf8 (filename));
+- gimp_quit ();
++ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
++ _("'%s' has an an incorrect value for field size. Possibly corrupt image."),
++ gimp_filename_to_utf8 (filename));
++ g_free (dicominfo);
++ fclose (DICOM);
++ return NULL;
+ }
+
+ /* Read contents. Allocate a bit more to make room for casts to int
+ below. */
+ value = g_new0 (guint8, element_length + 4);
+- fread (value, 1, element_length, DICOM);
++ actual_read = fread (value, 1, element_length, DICOM);
++ if (actual_read < element_length)
++ {
++ g_warning ("Missing data: needed %u bytes, got %u. 
Possibly corrupt image.",
++ element_length, (guint32) actual_read);
++ element_length = actual_read;
++ }
+
+ /* ignore everything inside of a sequence */
+ if (in_sequence)
+@@ -541,6 +552,7 @@ load_image (const gchar *filename,
+ if (group_word == 0x7fe0 && element_word == 0x0010)
+ {
+ pix_buf = value;
++ pixbuf_size = element_length;
+ }
+ else
+ {
+@@ -570,26 +582,50 @@ load_image (const gchar *filename,
+ g_free (value);
+ }
+ }
++ g_debug ("Bpp: %d, wxh: %u x %u, spp: %d\n", bpp, width, height, samples_per_pixel);
+
+ if ((bpp != 8) && (bpp != 16))
+ {
+- g_message ("'%s' has a bpp of %d which GIMP cannot handle.",
+- gimp_filename_to_utf8 (filename), bpp);
+- gimp_quit ();
++ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
++ _("'%s' has a bpp of %d which GIMP cannot handle."),
++ gimp_filename_to_utf8 (filename), bpp);
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (DICOM);
++ return NULL;
+ }
+
+ if ((width > GIMP_MAX_IMAGE_SIZE) || (height > GIMP_MAX_IMAGE_SIZE))
+ {
+- g_message ("'%s' has a larger image size (%d x %d) than GIMP can handle.",
+- gimp_filename_to_utf8 (filename), width, height);
+- gimp_quit ();
++ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
++ _("'%s' has a larger image size (%d x %d) than GIMP can handle."),
++ gimp_filename_to_utf8 (filename), width, height);
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (DICOM);
++ return NULL;
+ }
+
+ if (samples_per_pixel > 3)
+ {
+- g_message ("'%s' has samples per pixel of %d which GIMP cannot handle.",
+- gimp_filename_to_utf8 (filename), samples_per_pixel);
+- gimp_quit ();
++ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
++ _("'%s' has samples per pixel of %d which GIMP cannot handle."),
++ gimp_filename_to_utf8 (filename), samples_per_pixel);
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (DICOM);
++ return NULL;
++ }
++
++ if ((guint64) width * height * (bpp >> 3) * samples_per_pixel > pixbuf_size)
++ {
++ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
++ _("'%s' has not enough 
pixel data. Possibly corrupt image."),
++ gimp_filename_to_utf8 (filename));
++ g_free (pix_buf);
++ g_free (dicominfo);
++ fclose (DICOM);
++ return NULL;
+ }
+
+ dicominfo->width = width;
+diff -urNp a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
+--- a/plug-ins/common/file-xwd.c 2025-11-24 10:46:53.834737210 +0100
++++ b/plug-ins/common/file-xwd.c 2025-11-25 18:20:32.452021810 +0100
+@@ -1551,9 +1551,18 @@ load_xwd_f2_d16_b16 (const gchar *fi
+ greenval = (green * 255) / maxgreen;
+ for (blue = 0; blue <= maxblue; blue++)
+ {
++ guint32 offset = ((red << redshift) + (green << greenshift) +
++ (blue << blueshift)) * 3;
++
++ if (offset+2 >= maxval)
++ {
++ g_message (_("Invalid colormap offset. Possibly corrupt image."));
++ g_free (data);
++ g_free (ColorMap);
++ return NULL;
++ }
+ blueval = (blue * 255) / maxblue;
+- cm = ColorMap + ((red << redshift) + (green << greenshift)
+- + (blue << blueshift)) * 3;
++ cm = ColorMap + offset;
+ *(cm++) = redval;
+ *(cm++) = greenval;
+ *cm = blueval;
diff --git a/SPECS/gimp.spec b/SPECS/gimp.spec
index 9201ce1..0a0b0c6 100644
--- a/SPECS/gimp.spec
+++ b/SPECS/gimp.spec
@@ -75,7 +75,7 @@ Summary: GNU Image Manipulation Program
 Name: gimp
 Epoch: 2
 Version: 2.8.22
-Release: %{?prerelprefix}26%{dotprerel}%{dotgitrev}%{?dist}.2
+Release: %{?prerelprefix}26%{dotprerel}%{dotgitrev}%{?dist}.3
 # Compute some version related macros.
 # Ugly, need to get quoting percent signs straight.
@@ -220,6 +220,7 @@ Patch16: gimp-2.8.22-fix-fclose-leak.patch
 Patch17: gimp-CVE-2025-48797.patch
 Patch18: gimp-CVE-2025-48798.patch
 Patch19: gimp-CVE-2025-5473.patch
+Patch20: gimp-3.0.4-CVE-2025-10920-10925-10934.patch
 # use external help browser directly if help browser plug-in is not built
 Patch100: gimp-2.8.6-external-help-browser.patch
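Review bot: In the file-xwd.c hunk, `guint32 offset = ((red << redshift) + (green << greenshift) + (blue << blueshift)) * 3;` is evaluated in the operands' own types before the store, so if `red`, `green`, `blue` and the shift counts are plain `gint` (their declarations are outside the hunk, but the `for (blue = 0; ...)` loop suggests it), a header-derived shift count of 31 or more, or a sum that can exceed `INT_MAX` once multiplied by 3, is undefined behaviour that the following `if (offset+2 >= maxval)` guard cannot recover from; the guard is only sound if the shift counts and the three maxima are bounded where they are derived from the masks, or if the sum is built as `((guint64) red << redshift) + ...` and compared with `maxval` before narrowing. `maxval`'s unit (colormap entries or bytes) is also not visible here and should be confirmed to be the byte length of `ColorMap`, since `offset` is a byte offset. In the file-dicom.c hunk, the new early return at `if (element_length >= (G_MAXUINT - 6))` frees `dicominfo` and closes `DICOM` but, unlike the four returns after the element loop, does not `g_free (pix_buf)`, which can already hold an earlier pixel-data element. The new translatable message `"'%s' has an an incorrect value for field size. Possibly corrupt image."` duplicates "an". Both load_image and load_xwd_f2_d16_b16 start and end outside the hunk.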
@@ -324,6 +325,7 @@ EOF
 %patch17 -p1 -b .CVE-2025-48797
 %patch18 -p1 -b .CVE-2025-48798
 %patch19 -p1 -b .CVE-2025-5473
+%patch20 -p1 -b .CVE-2025-10920-10925-10934
 %if ! %{with helpbrowser}
 %patch100 -p1 -b .external-help-browser
@@ -663,6 +665,15 @@ make check
 %endif
 %changelog
+* Mon Nov 24 2025 Josef Ridky - 2:2.8.22-26.3
+- fix CVE-2025-10920
+- fix CVE-2025-10921
+- fix CVE-2025-10922
+- fix CVE-2025-10923
+- fix CVE-2025-10924
+- fix CVE-2025-10925
+- fix CVE-2025-10934
+
 * Sat Jun 14 2025 Josef Ridky - 2:2.8.22-26.2
 - fix CVE-2025-5473 (RHEL-95696)