From e0bd82f290d42af4018b0ab3f4367ae0435a207f Mon Sep 17 00:00:00 2001
From: Alx Sa
Date: Thu, 19 Mar 2026 12:05:47 +0000
Subject: [PATCH] plug-ins: Protect against too-large FITS images
Resolves #16051
As reported by mzfr, it is possible to crash the FITS plug-in if a large enough image is read in. This patch implements their suggestions of using g_try_malloc () over malloc () (and checking if it returns NULL), as well as verifying the width & height are within GIMP's image range.
---
 plug-ins/file-fits/fits.c | 40 +++++++++++++++++++++++++++++++++++----
 1 file changed, 36 insertions(+), 4 deletions(-)
diff --git a/plug-ins/file-fits/fits.c b/plug-ins/file-fits/fits.c
index 898df77d64..938d54e4eb 100644
--- a/plug-ins/file-fits/fits.c
+++ b/plug-ins/file-fits/fits.c
@@ -474,12 +474,35 @@ load_image (GFile *file,
 NULL);
 }
- /* If RGB FITS image, we need to read in the whole image so we can convert
- * the planes format to RGB */
+ if (width <= 0 ||
+ height <= 0 ||
+ width > GIMP_MAX_IMAGE_SIZE ||
+ height > GIMP_MAX_IMAGE_SIZE)
+ {
+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
+ _("'%s' has a larger image size (%d x %d) "
+ "than GIMP can handle."),
+ gimp_file_get_utf8_name (file), width, height);
+ fits_close_file (ifp, &status);
+ return NULL;
+ }
+
+ /* If RGB FITS image, we need to read in the whole image so we can
+ * convert the planes format to RGB */
 if (hdu.naxis == 2)
- pixels = (gdouble *) malloc (width * sizeof (gdouble) * channels);
+ pixels =
+ (gdouble *) g_try_malloc (width * sizeof (gdouble) * channels);
 else
- pixels = (gdouble *) malloc (width * height * sizeof (gdouble) * channels);
+ pixels =
+ (gdouble *) g_try_malloc (width * height * sizeof (gdouble) * channels);
+
+ if (pixels == NULL)
+ {
+ g_set_error (error, G_FILE_ERROR, 0,
+ "Memory could not be allocated.");
+ fits_close_file (ifp, &status);
+ return NULL;
+ }
 if (! image)
 {
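Review bot: The added range check bounds `width` and `height` one at a time, but the size handed to `g_try_malloc (width * height * sizeof (gdouble) * channels)` is a product that the check does not bound. Assuming both are plain `gint` (they are printed with `%d`), `width * height` is evaluated in signed int before `sizeof` widens the expression, so two in-range dimensions can still overflow and produce a buffer smaller than what the loader later fills; the `malloc` for `temp` in the second hunk uses the same expression. I would widen before multiplying and let GLib check the final step, for example `pixels = g_try_malloc_n ((gsize) width * height * channels, sizeof (gdouble));`, with an explicit guard on the `gsize` product for 32-bit builds. The release site for `pixels`, which like the rest of load_image() lies outside this hunk, should become `g_free ()`, and the new "Memory could not be allocated." string should go through `_()` like the message above it.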
@@ -552,6 +575,15 @@ load_image (GFile *file,
 temp = (gdouble *) malloc (width * height * sizeof (gdouble) * channels);
+ if (temp == NULL)
+ {
+ g_set_error (error, G_FILE_ERROR, 0,
+ "Memory could not be allocated.");
+ fits_close_file (ifp, &status);
+ g_object_unref (buffer);
+ return image;
+ }
+
 if (datamin < datamax)
 {
 for (gint ii = 0; ii < total_size; ii++)
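Review bot: The new `temp == NULL` branch sets `error` and then does `return image;`, so the caller receives a non-NULL image together with a set GError, which most GLib-style callers will not expect. Nothing on this path releases `pixels` from the earlier allocation either; the code between the two hunks is not visible, so please confirm it is still live at this point. Unless returning a partially loaded image is intended, the branch should fail the same way the first hunk does: free the buffer with `g_free (pixels);`, dispose of the half-built image, and `return NULL;`. For consistency with the first hunk the allocation itself would also read better as `g_try_malloc`, since the plain `malloc` is the only one left in the changed code. load_image() begins and ends outside this hunk.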