gimp/SOURCES/gimp-CVE-2026-4152.patch
2026-06-24 01:32:16 -04:00

56 lines
1.6 KiB
Diff

From f64c9c23ba3c37dc7b875a9fb477c23953b4666e Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Thu, 12 Mar 2026 13:48:45 +0000
Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28863
Resolves #15969
It is possible to set the number of color components
in the JPEG 2000 file separate from the color space,
and OpenJPEG reports that value as-is. This can result
in a buffer overflow if the num_components variable is
larger than the number of channels in the color space.
This patch adds a check to make sure num_components
is within range. If it's larger, then we clamp it to the maximum
value for that color model.
---
plug-ins/common/file-jp2-load.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c
index cb420f9cb37..5c99a093d49 100644
--- a/plug-ins/common/file-jp2-load.c
+++ b/plug-ins/common/file-jp2-load.c
@@ -1563,16 +1563,22 @@ load_image (GimpProcedure *procedure,
base_type = GIMP_GRAY;
image_type = GIMP_GRAY_IMAGE;
- if (num_components == 2)
- image_type = GIMP_GRAYA_IMAGE;
+ if (num_components >= 2)
+ {
+ image_type = GIMP_GRAYA_IMAGE;
+ num_components = 2;
+ }
}
else if (image->color_space == OPJ_CLRSPC_SRGB)
{
base_type = GIMP_RGB;
image_type = GIMP_RGB_IMAGE;
- if (num_components == 4)
- image_type = GIMP_RGBA_IMAGE;
+ if (num_components >= 4)
+ {
+ image_type = GIMP_RGBA_IMAGE;
+ num_components = 4;
+ }
}
else
{
--
GitLab