From aa03c0f5d0a2a8ba42c719de672650a0dda939e2 Mon Sep 17 00:00:00 2001
From: Jorge Barredo Ferreira <[EMAIL REDACTED]>
Date: Tue, 7 Apr 2026 17:16:58 +0200
Subject: [PATCH] xcf: fix null pointer dereference when read_xcf_hierarchy()
fails
read_xcf_hierarchy() can return NULL when SDL_calloc() fails or when
SDL_ReadU32BE() fails to read the width/height/bpp fields. The return
value was not checked before dereferencing hierarchy->bpp at line 755
in do_layer_surface(), leading to a null pointer dereference.
Add a NULL check immediately after the call to return early with an
error in that case.
CWE-476 (NULL Pointer Dereference)
Found by: NORAI fuzzer (libFuzzer + ASan/UBSan)
PoC: poc_sdl006_xcf_hierarchy_null.xcf
(cherry picked from commit 336fb104494815984250c40f8ee6bd1325b7ba1e)
(cherry picked from commit be7fee9064ed15d88e0bc573c018045daacfd01a)
---
src/IMG_xcf.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/IMG_xcf.c b/src/IMG_xcf.c
index f7680491..b5134485 100644
--- a/src/IMG_xcf.c
+++ b/src/IMG_xcf.c
@@ -666,6 +666,10 @@ do_layer_surface(SDL_Surface * surface, SDL_RWops * src, xcf_header * head, xcf_
SDL_RWseek(src, layer->hierarchy_file_offset, RW_SEEK_SET);
hierarchy = read_xcf_hierarchy(src, head);
+ if (!hierarchy) {
+ SDL_SetError("Failed to read XCF image hierarchy");
+ return 1;
+ }
if (hierarchy->bpp > 4) { /* unsupported. */
SDL_Log("Unknown Gimp image bpp (%u)\n", (unsigned int) hierarchy->bpp);
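Review bot: the new `if (!hierarchy)` branch calls SDL_SetError() unconditionally, so if read_xcf_hierarchy() has already recorded a more specific error for the SDL_calloc() or SDL_ReadU32BE() failure the commit message describes, this generic "Failed to read XCF image hierarchy" message replaces it; consider returning 1 without resetting the error, or setting it only when none has been recorded. The branch is also inconsistent with the adjacent `hierarchy->bpp > 4` path, which reports through SDL_Log() and returns 1 without SDL_SetError(); both error paths in this function should use the same reporting convention so callers can rely on one of them. Separately, the commit message says the dereference is at line 755, but this hunk lands at line 666 of the cherry-picked file; dropping the hard-coded line number from the message would avoid confusing readers of this branch.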