gimp: add additional patch for CVE-2026-0797

There is an additional patch for CVE-2026-0797, which is not mentioned
in the CVE advisory, nor in the related issue nor in the related PR, however
both the change, and the commit message shows that this is a continuation
of the original fix, which was incomplete.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-0797-2.patch

@@ -0,0 +1,62 @@
+From 48cf2ffa1630af389fe12653f7e57529c2744664 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sat, 27 Dec 2025 05:24:03 +0000
+Subject: [PATCH] plug-ins: Additional fread () checks in ICO plug-in
+
+From: Alx Sa <cmyk.student@gmail.com>
+
+A continuation of c54bf22a that adds checks to the
+initial header loading as well, to prevent reading
+beyond the file size.
+
+CVE: CVE-2026-0797
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/905ce4b48782c5e71c79714b7ba7f6ebe4d0329d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/file-ico/ico-load.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
+index 7eb9cb7..5068b10 100644
+--- a/plug-ins/file-ico/ico-load.c
++++ b/plug-ins/file-ico/ico-load.c
+@@ -437,16 +437,20 @@ ico_read_icon (FILE    *fp,
+   palette = NULL;
+ 
+   data.header_size = header_size;
+-  ico_read_int32 (fp, &data.width, 1);
+-  ico_read_int32 (fp, &data.height, 1);
+-  ico_read_int16 (fp, &data.planes, 1);
+-  ico_read_int16 (fp, &data.bpp, 1);
+-  ico_read_int32 (fp, &data.compression, 1);
+-  ico_read_int32 (fp, &data.image_size, 1);
+-  ico_read_int32 (fp, &data.x_res, 1);
+-  ico_read_int32 (fp, &data.y_res, 1);
+-  ico_read_int32 (fp, &data.used_clrs, 1);
+-  ico_read_int32 (fp, &data.important_clrs, 1);
++  if (ico_read_int32 (fp, &data.width, 1)   != 4     ||
++      ico_read_int32 (fp, &data.height, 1)  != 4     ||
++      ico_read_int16 (fp, &data.planes, 1)  != 2     ||
++      ico_read_int16 (fp, &data.bpp, 1) != 2         ||
++      ico_read_int32 (fp, &data.compression, 1) != 4 ||
++      ico_read_int32 (fp, &data.image_size, 1) != 4  ||
++      ico_read_int32 (fp, &data.x_res, 1) != 4       ||
++      ico_read_int32 (fp, &data.y_res, 1) != 4       ||
++      ico_read_int32 (fp, &data.used_clrs, 1) != 4   ||
++      ico_read_int32 (fp, &data.important_clrs, 1) != 4)
++    {
++      D(("skipping image: invalid header\n"));
++      return FALSE;
++    }
+ 
+   D(("  header size %i, "
+      "w %i, h %i, planes %i, size %i, bpp %i, used %i, imp %i.\n",
+@@ -509,7 +513,7 @@ ico_read_icon (FILE    *fp,
+ 
+   /* Read in and_map. It's padded out to 32 bits per line: */
+   and_map = ico_alloc_map (w, h, 1, &length);
+-  if (! ico_read_int8 (fp, and_map, length) != length)
++  if (ico_read_int8 (fp, and_map, length) != length)
+     {
+       D(("skipping image: too large\n"));
+       return FALSE;

meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb

@@ -54,7 +54,8 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
            file://CVE-2025-2760-1.patch \
            file://CVE-2025-2760-2.patch \
            file://CVE-2025-2761.patch \
-           file://CVE-2026-0797.patch \
+           file://CVE-2026-0797-1.patch \
+           file://CVE-2026-0797-2.patch \
            file://CVE-2026-2044.patch \
            file://CVE-2026-2045.patch \
            file://CVE-2026-2048.patch \