From f2fb98cb690414f0741aa6a46759616e18d6e186 Mon Sep 17 00:00:00 2001
From: Jehan <jehan@girinstud.io>
Date: Wed, 4 Aug 2021 00:29:56 +0200
Subject: [PATCH] Issue #6610: crashes on free select for images of certain
 dimensions.

g_alloca() is unadvised. Even though it might be more efficient in some
specific cases, it is pretty subject to stack overflow when a lot of
memory is requested.

Let's allocate dynamic memory instead. To avoid doing it too much, let's
just reuse the same pointer especially since region of interest will
usually be the same size when iterating a buffer, except for border
ones (which would usually be smaller, so we can use the same allocated
buffer again). I still make size checks, just in case.
---
 app/core/gimpscanconvert.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/core/gimpscanconvert.c b/app/core/gimpscanconvert.c
index 3aaedf4700..2235080b9a 100644
--- a/app/core/gimpscanconvert.c
+++ b/app/core/gimpscanconvert.c
@@ -497,6 +497,8 @@ gimp_scan_convert_render_full (GimpScanConvert *sc,
                                gdouble          value)
 {
   const Babl         *format;
+  guchar             *shared_buf      = NULL;
+  gsize               shared_buf_size = 0;
   GeglBufferIterator *iter;
   GeglRectangle      *roi;
   cairo_t            *cr;
@@ -545,7 +547,13 @@ gimp_scan_convert_render_full (GimpScanConvert *sc,
        */
       if (roi->width * bpp != stride)
         {
-          tmp_buf = g_alloca (stride * roi->height);
+          if (shared_buf_size < stride * roi->height)
+            {
+              shared_buf_size = stride * roi->height;
+              g_free (shared_buf);
+              shared_buf = g_malloc (shared_buf_size);
+            }
+          tmp_buf = shared_buf;
 
           if (! replace)
             {
@@ -634,4 +642,6 @@ gimp_scan_convert_render_full (GimpScanConvert *sc,
             }
         }
     }
+
+  g_free (shared_buf);
 }