new file mode 100644
@@ -0,0 +1,129 @@
+From f62b9dffa58b19d0292c41ba826aad79062e2be6 Mon Sep 17 00:00:00 2001
+From: zdohnal <zdohnal@redhat.com>
+Date: Mon, 10 Nov 2025 18:58:31 +0100
+Subject: [PATCH] Merge commit from fork
+
+* Fix heap-buffer overflow write in cfImageLut
+
+1. fix for CVE-2025-57812
+
+* Reject color images with 1 bit per sample
+
+2. fix for CVE-2025-57812
+
+* Reject images where the number of samples does not correspond with the color space
+
+3. fix for CVE-2025-57812
+
+* Reject images with planar color configuration
+
+4. fix for CVE-2025-57812
+
+* Reject images with vertical scanlines
+
+5. fix for CVE-2025-57812
+
+---------
+
+Co-authored-by: Till Kamppeter <till.kamppeter@gmail.com>
+
+CVE: CVE-2025-57812
+Upstream-Status: Backport [https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa]
+(cherry picked from commit b69dfacec7f176281782e2f7ac44f04bf9633cfa)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ cupsfilters/image-tiff.c | 46 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 45 insertions(+), 1 deletion(-)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index d92cce25..ff0a0fb3 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -41,6 +41,7 @@ _cfImageReadTIFF(
+ TIFF *tif; // TIFF file
+ uint32_t width, height; // Size of image
+ uint16_t photometric, // Colorspace
++ planar, // Color components in separate planes
+ compression, // Type of compression
+ orientation, // Orientation
+ resunit, // Units for resolution
+@@ -113,6 +114,15 @@ _cfImageReadTIFF(
+ return (-1);
+ }
+
++ if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) &&
++ planar == PLANARCONFIG_SEPARATE)
++ {
++ fputs("DEBUG: Images with planar color configuration are not supported!\n", stderr);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
+ if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression))
+ {
+ DEBUG_puts("DEBUG: No compression tag in the file!\n");
+@@ -127,6 +137,15 @@ _cfImageReadTIFF(
+ if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits))
+ bits = 1;
+
++ if (bits == 1 && samples > 1)
++ {
++ fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! "
++ "Samples per pixel: %d; Bits per sample: %d\n", samples, bits);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
+ //
+ // Get the image orientation...
+ //
+@@ -193,6 +212,23 @@ _cfImageReadTIFF(
+ else
+ alpha = 0;
+
++ //
++ // Check whether number of samples per pixel corresponds with color space
++ //
++
++ if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) ||
++ (photometric == PHOTOMETRIC_SEPARATED && samples != 4))
++ {
++ fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond to color space! "
++ "Color space: %s; Samples per pixel: %d\n",
++ (photometric == PHOTOMETRIC_RGB ? "RGB" :
++ (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : "Unknown")),
++ samples);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
+ //
+ // Check the size of the image...
+ //
+@@ -265,6 +301,14 @@ _cfImageReadTIFF(
+ break;
+ }
+
++ if (orientation >= ORIENTATION_LEFTTOP)
++ {
++ fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", stderr);
++ TIFFClose(tif);
++ fclose(fp);
++ return (-1);
++ }
++
+ switch (orientation)
+ {
+ case ORIENTATION_TOPRIGHT :
+@@ -1467,7 +1511,7 @@ _cfImageReadTIFF(
+ }
+
+ if (lut)
+- cfImageLut(out, img->xsize * 3, lut);
++ cfImageLut(out, img->xsize * bpp, lut);
+
+ _cfImagePutRow(img, 0, y, img->xsize, out);
+ }
@@ -9,6 +9,7 @@ SRC_URI = " \
https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
file://0001-use-noexcept-false-instead-of-throw-from-c-17-onward.patch \
file://0001-CVE-2024-47076.patch \
+ file://CVE-2025-57812.patch \
"
SRC_URI[sha256sum] = "542f2bfbc58136a4743c11dc8c86cee03c9aca705612654e36ac34aa0d9aa601"