diff --unified --recursive --text --new-file --color gimp-2.10.30.old/plug-ins/common/file-xpm.c gimp-2.10.30/plug-ins/common/file-xpm.c
--- gimp-2.10.30.old/plug-ins/common/file-xpm.c	2021-12-20 04:48:34.000000000 +0800
+++ gimp-2.10.30/plug-ins/common/file-xpm.c	2026-03-23 18:22:43.686807872 +0800
@@ -112,7 +112,8 @@
 static guchar   * parse_colors        (XpmImage         *xpm_image);
 static void       parse_image         (gint32            image_ID,
                                        XpmImage         *xpm_image,
-                                       guchar           *cmap);
+                                       guchar           *cmap,
+                                       GError          **error);
 static gboolean   save_image          (const gchar      *filename,
                                        gint32            image_ID,
                                        gint32            drawable_ID,
@@ -380,6 +381,22 @@
   /* parse out the colors into a cmap */
   cmap = parse_colors (&xpm_image);
 
+  if (xpm_image.width > GIMP_MAX_IMAGE_SIZE)
+    {
+      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+                   _("Unsupported or invalid image width: %d"),
+                   xpm_image.width);
+      return NULL;
+    }
+
+  if (xpm_image.height > GIMP_MAX_IMAGE_SIZE)
+    {
+      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+                   _("Unsupported or invalid image height: %d"),
+                   xpm_image.height);
+      return NULL;
+    }
+
   /* create the new image */
   image_ID = gimp_image_new (xpm_image.width,
                              xpm_image.height,
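Review bot: Both new early returns leak `cmap`, which `parse_colors` allocated just above, and they skip whatever cleanup of `xpm_image` the function performs later. Running the size checks before `parse_colors`, or adding `g_free (cmap);` ahead of each `return`, closes the leak. The surrounding code works with a `gint32` image_ID, so if the function returns that ID rather than a pointer, `return NULL` produces 0 instead of the failure value callers test for; the signature is outside the hunk and should be checked. A zero width or height is not rejected here, and since the `XpmImage` dimensions are unsigned in libXpm, `%u` is the matching format specifier rather than `%d`.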
@@ -389,7 +406,7 @@
   gimp_image_set_filename (image_ID, filename);
 
   /* fill it */
-  parse_image (image_ID, &xpm_image, cmap);
+  parse_image (image_ID, &xpm_image, cmap, error);
 
   /* clean up and exit */
   g_free (cmap);
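Review bot: A failure inside `parse_image` cannot change the outcome of the load, because the function still returns `void` and the call site ignores `error` afterwards. The caller falls through to the cleanup and presumably returns the ID of an unfilled image alongside a set GError, which breaks the GError convention that a set error means no valid result. Have `parse_image` return `gboolean` and test it here with `if (! parse_image (image_ID, &xpm_image, cmap, error))`, then free `cmap`, delete the half-built image with `gimp_image_delete (image_ID);` and return the function's failure value. The remainder of the caller, including its return statement, is outside the hunk.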
@@ -469,7 +486,8 @@
 static void
 parse_image (gint32    image_ID,
              XpmImage *xpm_image,
-             guchar   *cmap)
+             guchar   *cmap,
+             GError  **error)
 {
   GeglBuffer *buffer;
   gint        tile_height;
@@ -495,7 +513,13 @@
 
   tile_height = gimp_tile_height ();
 
-  buf  = g_new (guchar, tile_height * xpm_image->width * 4);
+  buf = g_try_new (guchar, tile_height * xpm_image->width * 4);
+  if (buf == NULL)
+    {
+      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+                   "%s", _("XPM file invalid"));
+      return;
+    }
 
   src  = xpm_image->data;
   for (i = 0; i < xpm_image->height; i += tile_height)
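Review bot: The element count `tile_height * xpm_image->width * 4` is still evaluated in 32-bit arithmetic before `g_try_new` receives it, so a wrapped product would yield an undersized buffer instead of a NULL return. The only bound on width is the check in the caller. Widening the first operand makes this function safe on its own where `gsize` is 64-bit: `buf = g_try_new (guchar, (gsize) tile_height * xpm_image->width * 4);`. The early `return` would also skip releasing `buffer` if it is obtained in the lines between the declarations and this point, which the hunk does not show. The message "XPM file invalid" misreports an allocation failure; wording that names the failed allocation would be more useful.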
