From e615cc8e3b70da5f10289935cde3d2c26adf3b55 Mon Sep 17 00:00:00 2001
From: Ozkan Sezer <[EMAIL REDACTED]>
Date: Mon, 6 Apr 2026 19:30:53 +0200
Subject: [PATCH] Fix heap-buffer-overflow READ in XCF do_layer_surface
(CWE-122)
Add bounds check for tile buffer access in do_layer_surface.
(manual backport of commits 5b0d414cae and 1aedddcbd2.)
---
IMG_xcf.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/IMG_xcf.c b/IMG_xcf.c
index 5ed99741..d4a740fe 100644
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -706,6 +706,16 @@ do_layer_surface(SDL_Surface * surface, SDL_RWops * src, xcf_header * head, xcf_
p8 = tile;
p = (Uint32 *) p8;
+
+ /* Bounds check: reject layer if tile data exceeds buffer */
+ if ((Uint64)ox * oy * hierarchy->bpp > (Uint64)(hierarchy->width * hierarchy->height * hierarchy->bpp)) {
+ fprintf (stderr, "Gimp image invalid tile");
+ free_xcf_tile(tile);
+ free_xcf_level(level);
+ free_xcf_hierarchy(hierarchy);
+ return 1;
+ }
+
for (y=ty; y < ty+oy; y++) {
if ((y >= (Uint32)surface->h) || ((tx+ox) > (Uint32)surface->w)) {
break;
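Review bot: On the right-hand side of the new check, `(Uint64)(hierarchy->width * hierarchy->height * hierarchy->bpp)` applies the cast only after the product is computed, so if those fields are 32-bit (their declarations are outside the hunk) the product can wrap before it is widened, while the left-hand side is widened first. Widening the first operand keeps both sides in 64-bit arithmetic: `if ((Uint64)ox * oy * hierarchy->bpp > (Uint64)hierarchy->width * hierarchy->height * hierarchy->bpp) {`. The bound is also the size of the whole hierarchy rather than the size of the buffer `tile` points to; the tile allocation is not visible here, so it is worth confirming that a tile loaded with fewer than `ox * oy * bpp` bytes cannot pass this check and still be over-read by the loop below. The diagnostic would normally end in a newline, `fprintf (stderr, "Gimp image invalid tile\n");`. do_layer_surface starts and ends outside the hunk.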