gimp: patch CVE-2026-2048

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-2048

Pick the patch from the relevant upstream issue[1];

[1]: https://gitlab.gnome.org/GNOME/gimp/-/issues/15554

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2048.patch

@@ -0,0 +1,84 @@
+From f8c00176788240744218e43664cba1cec4092822 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Wed, 31 Dec 2025 14:45:15 +0000
+Subject: [PATCH] plug-ins: Add OoB check for loading XWD
+
+Resolves #15554
+This patch adds a check for if our pointer arithmetic
+exceeds the memory allocated for the dest array. If so,
+we throw an error rather than access memory outside
+the bounds.
+
+CVE: CVE-2026-2048
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/57712677007793118388c5be6fb8231f22a2b341]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/common/file-xwd.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
+index 8ab11c0..c84d70e 100644
+--- a/plug-ins/common/file-xwd.c
++++ b/plug-ins/common/file-xwd.c
+@@ -2103,6 +2103,7 @@ load_xwd_f1_d24_b1 (const gchar      *filename,
+   gulong           redmask, greenmask, bluemask;
+   guint            redshift, greenshift, blueshift;
+   gulong           g;
++  guint32          maxval;
+   guchar           redmap[256], greenmap[256], bluemap[256];
+   guchar           bit_reverse[256];
+   guchar          *xwddata, *xwdin, *data;
+@@ -2194,6 +2195,7 @@ load_xwd_f1_d24_b1 (const gchar      *filename,
+ 
+   tile_height = gimp_tile_height ();
+   data = g_malloc (tile_height * width * bytes_per_pixel);
++  maxval = tile_height * width * bytes_per_pixel;
+ 
+   ncols = xwdhdr->l_colormap_entries;
+   if (xwdhdr->l_ncolors < ncols)
+@@ -2218,6 +2220,8 @@ load_xwd_f1_d24_b1 (const gchar      *filename,
+ 
+   for (tile_start = 0; tile_start < height; tile_start += tile_height)
+     {
++      guint current_dest = 0;
++
+       memset (data, 0, width*tile_height*bytes_per_pixel);
+ 
+       tile_end = tile_start + tile_height - 1;
+@@ -2241,7 +2245,16 @@ load_xwd_f1_d24_b1 (const gchar      *filename,
+           else           /* 3 bytes per pixel */
+             {
+               fromright = xwdhdr->l_pixmap_depth-1-plane;
+-              dest += 2 - fromright/8;
++              current_dest += 2 - fromright / 8;
++              if (current_dest < maxval)
++                {
++                  dest += 2 - fromright / 8;
++                }
++              else
++                {
++                  err = 1;
++                  break;
++                }
+               outmask = (1 << (fromright % 8));
+             }
+ 
+@@ -2296,7 +2309,17 @@ load_xwd_f1_d24_b1 (const gchar      *filename,
+ 
+                   if (g & inmask)
+                     *dest |= outmask;
+-                  dest += bytes_per_pixel;
++
++                  current_dest += bytes_per_pixel;
++                  if (current_dest < maxval)
++                    {
++                      dest += bytes_per_pixel;
++                    }
++                  else
++                    {
++                      err = 1;
++                      break;
++                    }
+ 
+                   inmask >>= 1;
+                 }

meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb

@@ -57,6 +57,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
            file://CVE-2026-0797.patch \
            file://CVE-2026-2044.patch \
            file://CVE-2026-2045.patch \
+           file://CVE-2026-2048.patch \
            "
 SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"