gimp: patch CVE-2025-14425

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14425 Backport the patch referenced by the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-11 15:11:26 +00:00 · 2025-12-29 15:52:56 +01:00
parent b16c1a543a
commit 49732c90c0
2 changed files with 80 additions and 0 deletions
--- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
@@ -0,0 +1,79 @@
 From 042e27792026460badbe49664c02fe181e95cb2b Mon Sep 17 00:00:00 2001
 From: Gyorgy Sarvari <skandigraun@gmail.com>
 Date: Wed, 12 Nov 2025 13:25:44 +0000
 Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
 From: Alx Sa <cmyk.student@gmail.com>
 Resolves #15285
 Per the report, it's possible to exceed the size of the pixel buffer
 with a high precision_scaled value, as we size it to the width * bpp.
 This patch includes precision_scaled in the allocation calculation.
 It also adds a g_size_checked_mul () check to ensure there's no
 overflow, and moves the pixel and buffer memory freeing to occur
 in the out section so that it always runs even on failure.
 CVE: CVE-2025-14425
 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/cd1c88a0364ad1444c06536731972a99bd8643fd]
 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
 ---
 plug-ins/common/file-jp2-load.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
 diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c
 index 064b616..604313a 100644
 --- a/plug-ins/common/file-jp2-load.c
 +++ b/plug-ins/common/file-jp2-load.c
@@ -1045,14 +1045,15 @@ load_image (GimpProcedure     *procedure,
   GimpColorProfile    *profile    = NULL;
   GimpImage           *gimp_image = NULL;
   GimpLayer           *layer;
 +  GeglBuffer          *buffer     = NULL;
 +  guchar              *pixels     = NULL;
 +  gsize                pixels_size;
   GimpImageType        image_type;
   GimpImageBaseType    base_type;
   gint                 width;
   gint                 height;
   gint                 num_components;
 -  GeglBuffer          *buffer;
   gint                 i, j, k, it;
 -  guchar              *pixels;
   const Babl          *file_format;
   gint                 bpp;
   GimpPrecision        image_precision;
@@ -1318,7 +1319,15 @@ load_image (GimpProcedure     *procedure,
   bpp = babl_format_get_bytes_per_pixel (file_format);
   buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
 -  pixels = g_new0 (guchar, width * bpp);
 +
 +  if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
 +    {
 +      g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
 +                   _("Defined row size is too large in JP2 image '%s'."),
 +                   gimp_file_get_utf8_name (file));
 +      goto out;
 +    }
 +  pixels = g_new0 (guchar, pixels_size);
   for (i = 0; i < height; i++)
     {
@@ -1344,13 +1353,13 @@ load_image (GimpProcedure     *procedure,
         gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0,
                          file_format, pixels, GEGL_AUTO_ROWSTRIDE);
     }
 -
 -  g_free (pixels);
 -
 -  g_object_unref (buffer);
   gimp_progress_update (1.0);
  out:
 +  if (pixels)
 +    g_free (pixels);
 +  if (buffer)
 +    g_object_unref (buffer);
   if (profile)
     g_object_unref (profile);
   if (image)
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
@@ -64,6 +64,7 @@ SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
           file://CVE-2025-14422.patch \
           file://CVE-2025-14423.patch \
           file://CVE-2025-14424.patch \
           file://CVE-2025-14425.patch \
           "
 SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"