SDL_image: xcf: fix null pointer dereference when read_xcf_hierarchy() fails (610e6)

From 610e6cb3536a6115668fe65583112b7d5cace079 Mon Sep 17 00:00:00 2001
From: Ozkan Sezer <[EMAIL REDACTED]>
Date: Tue, 7 Apr 2026 17:16:58 +0200
Subject: [PATCH] xcf: fix null pointer dereference when read_xcf_hierarchy()
 fails

read_xcf_hierarchy() can return NULL when SDL_calloc() fails or when
SDL_ReadU32BE() fails to read the width/height/bpp fields. The return
value was not checked before dereferencing hierarchy->bpp at line 755
in do_layer_surface(), leading to a null pointer dereference.

Add a NULL check immediately after the call to return early with an
error in that case.

CWE-476 (NULL Pointer Dereference)
Found by: NORAI fuzzer (libFuzzer + ASan/UBSan)
PoC: poc_sdl006_xcf_hierarchy_null.xcf

(manual backport of commit be7fee9064ed15d88e0bc573c018045daacfd01a)
---
 IMG_xcf.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/IMG_xcf.c b/IMG_xcf.c
index 0216ab94..d688b594 100644
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -672,6 +672,10 @@ do_layer_surface(SDL_Surface * surface, SDL_RWops * src, xcf_header * head, xcf_
 
   SDL_RWseek (src, layer->hierarchy_file_offset, RW_SEEK_SET);
   hierarchy = read_xcf_hierarchy (src, head);
+  if (!hierarchy) {
+    fprintf (stderr, "Failed to read XCF image hierarchy");
+    return 1;
+  }
 
   if (hierarchy->bpp > 4) {  /* unsupported. */
     fprintf (stderr, "Unknown Gimp image bpp (%u)\n", (unsigned int) hierarchy->bpp);