From e1bfd87195e4fe60a92df70cde65464d032dd3c1 Mon Sep 17 00:00:00 2001 From: Alx Sa Date: Sat, 23 Sep 2023 02:16:24 +0000 Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22097) Resolves #10071. When reading RLE compressed data, a buffer was allocated to 127 bytes. However, it can potentially be used to read 128 bytes, leading to a off-by-one vulnerability. This patch allocates 128 bytes to the buffer to prevent this from occurring. --- plug-ins/common/file-psp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c index c8b166471e..582a10c300 100644 --- a/plug-ins/common/file-psp.c +++ b/plug-ins/common/file-psp.c @@ -1649,7 +1649,7 @@ read_channel_data (FILE *f, else endq = q + line_width * height; - buf = g_malloc (127); + buf = g_malloc (128); while (q < endq) { fread (&runcount, 1, 1, f);