gimp/SOURCES/gimp-3.0.4-CVE-2025-10920-10925-10934.patch
2025-12-03 10:05:33 +00:00


diff -urNp a/plug-ins/common/file-dicom.c b/plug-ins/common/file-dicom.c
--- a/plug-ins/common/file-dicom.c 2025-11-24 10:46:53.834737210 +0100
+++ b/plug-ins/common/file-dicom.c 2025-11-25 16:39:29.616469102 +0100
@@ -328,6 +328,7 @@ load_image (const gchar *filename,
gint bits_stored = 0;
gint high_bit = 0;
guint8 *pix_buf = NULL;
+ guint64 pixbuf_size = 0;
gboolean is_signed = FALSE;
guint8 in_sequence = 0;
@@ -382,6 +383,7 @@ load_image (const gchar *filename,
guint16 ctx_us;
guint8 *value;
guint32 tag;
+ size_t actual_read;
gboolean do_toggle_endian = FALSE;
gboolean implicit_encoding = FALSE;
@@ -472,15 +474,24 @@ load_image (const gchar *filename,
if (element_length >= (G_MAXUINT - 6))
{
- g_message ("'%s' seems to have an incorrect value field length.",
- gimp_filename_to_utf8 (filename));
- gimp_quit ();
+ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
+ _("'%s' has an an incorrect value for field size. Possibly corrupt image."),
+ gimp_filename_to_utf8 (filename));
+ g_free (dicominfo);
+ fclose (DICOM);
+ return NULL;
}
/* Read contents. Allocate a bit more to make room for casts to int
below. */
value = g_new0 (guint8, element_length + 4);
- fread (value, 1, element_length, DICOM);
+ actual_read = fread (value, 1, element_length, DICOM);
+ if (actual_read < element_length)
+ {
+ g_warning ("Missing data: needed %u bytes, got %u. Possibly corrupt image.",
+ element_length, (guint32) actual_read);
+ element_length = actual_read;
+ }
/* ignore everything inside of a sequence */
if (in_sequence)
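Review bot: The new early return for an oversized `element_length` frees `dicominfo` and closes the file but never frees `pix_buf`, unlike every later error path this patch adds. `pix_buf` is assigned from `value` when the pixel-data element is parsed, apparently in the same loop, so a file that places a bad length field after that element would leak the buffer. Adding `g_free (pix_buf);` before `g_free (dicominfo);` closes that, and is safe when `pix_buf` is still NULL. The translatable string also contains a doubled word, `has an an incorrect value`, which is worth fixing before translators pick it up. The enclosing loop and the rest of load_image lie outside this hunk.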
@@ -541,6 +552,7 @@ load_image (const gchar *filename,
if (group_word == 0x7fe0 && element_word == 0x0010)
{
pix_buf = value;
+ pixbuf_size = element_length;
}
else
{
@@ -570,26 +582,50 @@ load_image (const gchar *filename,
g_free (value);
}
}
+ g_debug ("Bpp: %d, wxh: %u x %u, spp: %d\n", bpp, width, height, samples_per_pixel);
if ((bpp != 8) && (bpp != 16))
{
- g_message ("'%s' has a bpp of %d which GIMP cannot handle.",
- gimp_filename_to_utf8 (filename), bpp);
- gimp_quit ();
+ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
+ _("'%s' has a bpp of %d which GIMP cannot handle."),
+ gimp_filename_to_utf8 (filename), bpp);
+ g_free (pix_buf);
+ g_free (dicominfo);
+ fclose (DICOM);
+ return NULL;
}
if ((width > GIMP_MAX_IMAGE_SIZE) || (height > GIMP_MAX_IMAGE_SIZE))
{
- g_message ("'%s' has a larger image size (%d x %d) than GIMP can handle.",
- gimp_filename_to_utf8 (filename), width, height);
- gimp_quit ();
+ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
+ _("'%s' has a larger image size (%d x %d) than GIMP can handle."),
+ gimp_filename_to_utf8 (filename), width, height);
+ g_free (pix_buf);
+ g_free (dicominfo);
+ fclose (DICOM);
+ return NULL;
}
if (samples_per_pixel > 3)
{
- g_message ("'%s' has samples per pixel of %d which GIMP cannot handle.",
- gimp_filename_to_utf8 (filename), samples_per_pixel);
- gimp_quit ();
+ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
+ _("'%s' has samples per pixel of %d which GIMP cannot handle."),
+ gimp_filename_to_utf8 (filename), samples_per_pixel);
+ g_free (pix_buf);
+ g_free (dicominfo);
+ fclose (DICOM);
+ return NULL;
+ }
+
+ if ((guint64) width * height * (bpp >> 3) * samples_per_pixel > pixbuf_size)
+ {
+ g_set_error (error, GIMP_WIDGETS_ERROR, 0,
+ _("'%s' has not enough pixel data. Possibly corrupt image."),
+ gimp_filename_to_utf8 (filename));
+ g_free (pix_buf);
+ g_free (dicominfo);
+ fclose (DICOM);
+ return NULL;
}
dicominfo->width = width;
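Review bot: The new size check passes whenever the product is zero, so a file with no pixel-data element (`pix_buf` still NULL, `pixbuf_size` 0) and a zero `width`, `height` or `samples_per_pixel` is not rejected here. The preceding `samples_per_pixel > 3` test lets zero through, and if the variable is signed, as the `%d` suggests, a negative value is caught only by unsigned wraparound in the multiplication. An explicit guard ahead of the multiplication, for example `if (pix_buf == NULL || width == 0 || height == 0 || samples_per_pixel < 1)`, would make the rejection independent of how later code treats empty images. Whether the code after `dicominfo->width = width;` tolerates those values is outside the hunk. Minor: `g_debug` appends its own newline, so the trailing `\n` in its format string is redundant.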
diff -urNp a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
--- a/plug-ins/common/file-xwd.c 2025-11-24 10:46:53.834737210 +0100
+++ b/plug-ins/common/file-xwd.c 2025-11-25 18:20:32.452021810 +0100
@@ -1551,9 +1551,18 @@ load_xwd_f2_d16_b16 (const gchar *fi
greenval = (green * 255) / maxgreen;
for (blue = 0; blue <= maxblue; blue++)
{
+ guint32 offset = ((red << redshift) + (green << greenshift) +
+ (blue << blueshift)) * 3;
+
+ if (offset+2 >= maxval)
+ {
+ g_message (_("Invalid colormap offset. Possibly corrupt image."));
+ g_free (data);
+ g_free (ColorMap);
+ return NULL;
+ }
blueval = (blue * 255) / maxblue;
- cm = ColorMap + ((red << redshift) + (green << greenshift)
- + (blue << blueshift)) * 3;
+ cm = ColorMap + offset;
*(cm++) = redval;
*(cm++) = greenval;
*cm = blueval;
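Review bot: The bound test `offset+2 >= maxval` runs only after the 32-bit arithmetic has had a chance to wrap. `offset` is a `guint32` built from shifts and a multiply by 3, and `offset+2` wraps to 0 or 1 when `offset` is within two of `G_MAXUINT32`, which would pass the test and let `cm = ColorMap + offset` point far outside the map. Whether the shift and max values taken from the file header can reach that range is decided outside this hunk, so the check is better made independent of it. Compute the sum as `guint64` and compare without the addition, e.g. `if (offset > maxval - 3)`, assuming `maxval` is at least 3 where it is set. The largest possible offset is known from `maxred`, `maxgreen`, `maxblue` and the shifts before the loops start, so the validation could also be done once up front instead of in the innermost loop.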