34 lines
1.1 KiB
Diff
34 lines
1.1 KiB
Diff
|
From b992bc60103d8c3bbd2aa46293c9f0e4f350114c Mon Sep 17 00:00:00 2001
|
||
|
|
From: Masahiro Matsuya <mmatsuya@redhat.com>
|
||
|
|
Date: Thu, 25 Jan 2024 13:38:12 +0900
|
||
|
|
Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22097)
|
||
|
|
|
||
|
|
When reading RLE compressed data, a buffer was allocated to 127 bytes.
|
||
|
|
However, it can potentially be used to read 128 bytes, leading to a
|
||
|
|
off-by-one vulnerability. This patch allocates 128 bytes to the buffer
|
||
|
|
to prevent this from occurring.
|
||
|
|
Fixes CVE-2023-44444
|
||
|
|
|
||
|
|
upstream commit: e1bfd87195e4fe60a92df70cde65464d032dd3c1
|
||
|
|
|
||
|
|
---
|
||
|
|
plug-ins/common/file-psp.c | 2 +-
|
||
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
|
||
|
|
index 7c3d04b..f5c5d94 100644
|
||
|
|
--- a/plug-ins/common/file-psp.c
|
||
|
|
+++ b/plug-ins/common/file-psp.c
|
||
|
|
@@ -1196,7 +1196,7 @@ read_channel_data (FILE *f,
|
||
|
|
|
||
|
|
q = pixels[0] + offset;
|
||
|
|
endq = q + npixels * bytespp;
|
||
|
|
- buf = g_malloc (127);
|
||
|
|
+ buf = g_malloc (128);
|
||
|
|
while (q < endq)
|
||
|
|
{
|
||
|
|
fread (&runcount, 1, 1, f);
|
||
|
|
--
|
||
|
|
2.43.0
|
||
|
|
|