35 lines
1.1 KiB
Diff
35 lines
1.1 KiB
Diff
From 5203f996b5eb018fd08e8e99e42b28f42ef27533 Mon Sep 17 00:00:00 2001
|
|
From: Alx Sa <cmyk.student@gmail.com>
|
|
Date: Sat, 23 Sep 2023 02:16:24 +0000
|
|
Subject: plug-ins: Fix PSP vulnerability (ZDI-CAN-22097)
|
|
|
|
Resolves #10071.
|
|
|
|
When reading RLE compressed data, a buffer was allocated to 127 bytes.
|
|
However, it can potentially be used to read 128 bytes, leading to a
|
|
off-by-one vulnerability. This patch allocates 128 bytes to the buffer
|
|
to prevent this from occurring.
|
|
|
|
Origin:
|
|
https://gitlab.gnome.org/GNOME/gimp/-/commit/e1bfd87195e4fe60a92df70cde65464d032dd3c1
|
|
---
|
|
plug-ins/common/file-psp.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
|
|
index 33c6a2b607..f3aa00fdc0 100644
|
|
--- a/plug-ins/common/file-psp.c
|
|
+++ b/plug-ins/common/file-psp.c
|
|
@@ -1235,7 +1235,7 @@ read_channel_data (FILE *f,
|
|
|
|
q = pixels[0] + offset;
|
|
endq = q + npixels * bytespp;
|
|
- buf = g_malloc (127);
|
|
+ buf = g_malloc (128);
|
|
while (q < endq)
|
|
{
|
|
fread (&runcount, 1, 1, f);
|
|
--
|
|
2.30.2
|
|
|