gimp: patch CVE-2025-14425

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14425 Backport the patch referenced by the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-31 13:38:06 +00:00 · 2025-12-29 15:52:56 +01:00 · 2025-12-29 15:52:56 +01:00 · ae5da4edb3
commit ae5da4edb3
parent e938242bbc
2 changed files with 80 additions and 0 deletions
--- a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
@ -0,0 +1,79 @@
+From 042e27792026460badbe49664c02fe181e95cb2b Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Wed, 12 Nov 2025 13:25:44 +0000
+Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images
+
+From: Alx Sa <cmyk.student@gmail.com>
+
+Resolves #15285
+Per the report, it's possible to exceed the size of the pixel buffer
+with a high precision_scaled value, as we size it to the width * bpp.
+This patch includes precision_scaled in the allocation calculation.
+It also adds a g_size_checked_mul () check to ensure there's no
+overflow, and moves the pixel and buffer memory freeing to occur
+in the out section so that it always runs even on failure.
+
+CVE: CVE-2025-14425
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/cd1c88a0364ad1444c06536731972a99bd8643fd]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/common/file-jp2-load.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c
+index 064b616..604313a 100644
+--- a/plug-ins/common/file-jp2-load.c
+++ b/plug-ins/common/file-jp2-load.c
+@@ -1045,14 +1045,15 @@ load_image (GimpProcedure     *procedure,
+   GimpColorProfile    *profile    = NULL;
+   GimpImage           *gimp_image = NULL;
+   GimpLayer           *layer;
+  GeglBuffer          *buffer     = NULL;
+  guchar              *pixels     = NULL;
+  gsize                pixels_size;
+   GimpImageType        image_type;
+   GimpImageBaseType    base_type;
+   gint                 width;
+   gint                 height;
+   gint                 num_components;
+-  GeglBuffer          *buffer;
+   gint                 i, j, k, it;
+-  guchar              *pixels;
+   const Babl          *file_format;
+   gint                 bpp;
+   GimpPrecision        image_precision;
+@@ -1318,7 +1319,15 @@ load_image (GimpProcedure     *procedure,
+   bpp = babl_format_get_bytes_per_pixel (file_format);
+ 
+   buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
+-  pixels = g_new0 (guchar, width * bpp);
+
+  if (! g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8))))
+    {
+      g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
+                   _("Defined row size is too large in JP2 image '%s'."),
+                   gimp_file_get_utf8_name (file));
+      goto out;
+    }
+  pixels = g_new0 (guchar, pixels_size);
+ 
+   for (i = 0; i < height; i++)
+     {
+@@ -1344,13 +1353,13 @@ load_image (GimpProcedure     *procedure,
+         gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0,
+                          file_format, pixels, GEGL_AUTO_ROWSTRIDE);
+     }
+-
+-  g_free (pixels);
+-
+-  g_object_unref (buffer);
+   gimp_progress_update (1.0);
+ 
+  out:
+  if (pixels)
+    g_free (pixels);
+  if (buffer)
+    g_object_unref (buffer);
+   if (profile)
+     g_object_unref (profile);
+   if (image)
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb
@ -64,6 +64,7 @@ SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \
           file://CVE-2025-14422.patch \
           file://CVE-2025-14423.patch \
           file://CVE-2025-14424.patch \
+           file://CVE-2025-14425.patch \
           "
 SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"