
[meta-gnome,scarthgap,1/7] gimp: patch CVE-2025-2760

Message ID 20260305110713.2893128-1-skandigraun@gmail.com
State New

Commit Message

Gyorgy Sarvari March 5, 2026, 11:07 a.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2760

Use the fixes from Debian.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../gimp/gimp/CVE-2025-2760-1.patch           | 38 +++++++++
 .../gimp/gimp/CVE-2025-2760-2.patch           | 84 +++++++++++++++++++
 meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb  |  2 +
 3 files changed, 124 insertions(+)
 create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch
 create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch

Patch

diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch
new file mode 100644
index 0000000000..d5871958b4
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-1.patch
@@ -0,0 +1,38 @@ 
+From e4e21387f773598915a2399b348d019fd9c26ad6 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 5 Mar 2026 09:06:34 +0100
+Subject: [PATCH] CVE-2025-2760
+
+https://gitlab.gnome.org/GNOME/gimp/-/issues/12790#note_2328950
+
+Gimp stopped supporting 2.10.x series (in favor of 3.x), and they do not
+plan to fix this in the old version. This patch is taken from Debian,
+and is a backport of the fix from 3.x series.
+
+CVE: CVE-2025-2760
+Upstream-Status: Inappropriate [unsupported version. Debian ref: https://sources.debian.org/patches/gimp/2.10.34-1+deb12u8/CVE-2025-2760.patch/]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/file-dds/ddsread.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index dcb4449..da35a0b 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -934,6 +934,14 @@ load_layer (FILE            *fp,
+   if (width < 1) width = 1;
+   if (height < 1) height = 1;
+ 
++  if (width <= 0 ||height <= 0 || d->gimp_bpp <= 0 ||
++      (gsize) width > G_MAXSIZE / height           ||
++      (gsize) width * height > G_MAXSIZE / d->gimp_bpp)
++    { 
++      g_message ("Invalid dimensions in header.");
++      return 0;
++    }
++  
+   switch (d->bpp)
+     {
+     case 1:
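Review bot: The overflow guard added in load_layer compares the products against G_MAXSIZE, so on a 64-bit build it only proves the size fits in a gsize; any product further down the function that is still evaluated in the narrower type of `width`/`height` is not bounded by it. load_layer's declarations and the rest of its body are outside the hunk, so this needs confirming site by site (the follow-up patch in this series casts one allocation). The `width <= 0 || height <= 0` terms also look unreachable, since the two lines above clamp both values to at least 1. I would add a comment above the check such as `/* Bounds the gsize product only; cast to gsize before multiplying width, height and gimp_bpp below. */`.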
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch
new file mode 100644
index 0000000000..196ae11376
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-2760-2.patch
@@ -0,0 +1,84 @@ 
+From f7a458d072c266a4b2ae48de9ecec1706faad170 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 5 Mar 2026 09:07:19 +0100
+Subject: [PATCH] plug-ins/dds: fix #12790 for 32-bit
+
+with 2.10 backport bits by Sylvain Beucler <beuc@debian.org>
+
+Gimp stopped supporting 2.10.x series (in favor of 3.x), and they do not
+plan to fix this in the old version. This patch is taken from Debian,
+and is a backport of the fix from 3.x series.
+
+CVE: CVE-2025-2760
+Upstream-Status: Inappropriate [unsupported version. Debian ref: https://sources.debian.org/patches/gimp/2.10.34-1+deb12u8/CVE-2025-2760-32bit-followup.patch/]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/file-dds/ddsread.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index da35a0b..e0b53f6 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -169,26 +169,33 @@ read_dds (gchar    *filename,
+   /* a lot of DDS images out there don't have this for some reason -_- */
+   if (hdr.pitch_or_linsize == 0)
+     {
++      gboolean valid = TRUE;
+       if (hdr.pixelfmt.flags & DDPF_FOURCC) /* assume linear size */
+         {
+-          hdr.pitch_or_linsize = ((hdr.width + 3) >> 2) * ((hdr.height + 3) >> 2);
++          valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, (hdr.width + 3) >> 2, (hdr.height + 3) >> 2);
+           switch (GETL32(hdr.pixelfmt.fourcc))
+             {
+             case FOURCC ('D','X','T','1'):
+             case FOURCC ('A','T','I','1'):
+             case FOURCC ('B','C','4','U'):
+             case FOURCC ('B','C','4','S'):
+-              hdr.pitch_or_linsize *= 8;
++              valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, 8);
+               break;
+             default:
+-              hdr.pitch_or_linsize *= 16;
++              valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, 16);
+               break;
+             }
+         }
+       else /* assume pitch */
+         {
+-          hdr.pitch_or_linsize = hdr.height * hdr.width * (hdr.pixelfmt.bpp >> 3);
++          valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.height, hdr.width);
++          valid &= g_uint_checked_mul(&hdr.pitch_or_linsize, hdr.pitch_or_linsize, hdr.pixelfmt.bpp >> 3);
+         }
++      if (!valid) {
++        fclose (fp);
++        g_message ("Image size is too big to handle.\n");
++        return GIMP_PDB_EXECUTION_ERROR;
++      }
+     }
+ 
+   if (hdr.pixelfmt.flags & DDPF_FOURCC)
+@@ -1217,14 +1224,19 @@ load_layer (FILE            *fp,
+     {
+       unsigned char *dst;
+ 
+-      dst = g_malloc (width * height * d->gimp_bpp);
+-      memset (dst, 0, width * height * d->gimp_bpp);
++      dst = g_malloc ((gsize) width * height * d->gimp_bpp);
++      memset (dst, 0, (gsize) width * height * d->gimp_bpp);
+ 
+       if (d->gimp_bpp == 4)
+         {
+-          for (y = 0; y < height; ++y)
++          guchar *dst_line;
++
++          dst_line = dst;
++          for (y = 0; y < height; ++y) {
+             for (x = 0; x < width; ++x)
+-              dst[y * (width * 4) + (x * 4) + 3] = 255;
++              dst_line[(x * 4) + 3] = 255;
++            dst_line += width * 4;
++          }
+         }
+ 
+       dxt_decompress (dst, buf, format, size, width, height, d->gimp_bpp,
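Review bot: In the rewritten alpha-fill loop of load_layer, `dst_line += width * 4;` and `dst_line[(x * 4) + 3]` are still computed in the type of `width` and `x`, so the `(gsize)` casts added to the g_malloc/memset above do not cover them. If those variables are 32-bit (their declarations are outside the hunk), a very wide image on a 64-bit build could wrap the stride while the allocation itself succeeds; `dst_line += (gsize) width * 4;` and `dst_line[((gsize) x * 4) + 3] = 255;` would keep the indexing in the same width as the allocation. In the read_dds hunk, `(hdr.width + 3) >> 2` is likewise evaluated before g_uint_checked_mul sees it, so a wrap in the addition would go unnoticed unless the header dimensions are range-checked earlier in the function.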
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
index 95a6dfd7c8..afb1cd69e5 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
@@ -51,6 +51,8 @@  SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
            file://CVE-2025-14425.patch \
            file://CVE-2025-5473.patch \
            file://CVE-2025-15059.patch \
+           file://CVE-2025-2760-1.patch \
+           file://CVE-2025-2760-2.patch \
            "
 SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"