gimp/SOURCES/gimp-CVE-2025-48798.patch

diff -urNp a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
--- a/app/xcf/xcf-load.c	2025-06-14 14:52:18.545874780 +0200
+++ b/app/xcf/xcf-load.c	2025-06-14 14:59:52.471067194 +0200
@@ -97,7 +97,8 @@ static gboolean        xcf_load_layer_pr
                                                guint32      *group_layer_flags);
 static gboolean        xcf_load_channel_props (XcfInfo      *info,
                                                GimpImage    *image,
-                                               GimpChannel **channel);
+                                               GimpChannel **channel,
+                                               gboolean      is_mask);
 static gboolean        xcf_load_prop          (XcfInfo      *info,
                                                PropType     *prop_type,
                                                guint32      *prop_size);
@@ -987,7 +988,8 @@ xcf_load_layer_props (XcfInfo    *info,
 static gboolean
 xcf_load_channel_props (XcfInfo      *info,
                         GimpImage    *image,
-                        GimpChannel **channel)
+                        GimpChannel **channel,
+                        gboolean      is_mask)
 {
   PropType prop_type;
   guint32  prop_size;
@@ -1010,6 +1012,36 @@ xcf_load_channel_props (XcfInfo      *in
           {
             GimpChannel *mask;
 
+            if (is_mask)
+              {
+                /* PROP_SELECTION is not valid for masks, and we have to avoid
+                 * overwriting the channel.
+                 */
+                continue;
+              }
+
+            if (*channel == gimp_image_get_mask (image))
+              {
+                /* PROP_SELECTION was already seen once for this
+                 * channel. Let's silently ignore the second identical
+                 * property to avoid a double free.
+                 */
+                continue;
+              }
+            else if (gimp_image_get_mask (image) != NULL &&
+                     ! gimp_channel_is_empty (gimp_image_get_mask (image)))
+              {
+                /* This would happen when PROP_SELECTION was already set
+                 * on a previous channel. This is a minor case of data
+                 * loss (we don't know which selection was the right one
+                 * and we drop the non-first ones), and also means it's
+                 * a broken XCF, though it's not a major bug either. So
+                 * let's go with a stderr print.
+                 */
+                g_printerr ("PROP_SELECTION property was set on 2 channels (skipping)\n");
+                continue;
+              }
+
             /* We're going to delete *channel, Don't leave its pointer
              * in @info. See bug #767873.
              */
@@ -1317,7 +1349,7 @@ xcf_load_channel (XcfInfo   *info,
     return NULL;
 
   /* read in the channel properties */
-  if (!xcf_load_channel_props (info, image, &channel))
+  if (!xcf_load_channel_props (info, image, &channel, FALSE))
     goto error;
 
   xcf_progress_update (info);
@@ -1379,7 +1411,7 @@ xcf_load_layer_mask (XcfInfo   *info,
 
   /* read in the layer_mask properties */
   channel = GIMP_CHANNEL (layer_mask);
-  if (!xcf_load_channel_props (info, image, &channel))
+  if (!xcf_load_channel_props (info, image, &channel, TRUE))
     goto error;
 
   xcf_progress_update (info);