32 lines
1001 B
Diff
32 lines
1001 B
Diff
|
From e1bfd87195e4fe60a92df70cde65464d032dd3c1 Mon Sep 17 00:00:00 2001
|
||
|
From: Alx Sa <cmyk.student@gmail.com>
|
||
|
Date: Sat, 23 Sep 2023 02:16:24 +0000
|
||
|
Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22097)
|
||
|
|
||
|
Resolves #10071.
|
||
|
|
||
|
When reading RLE compressed data, a buffer was allocated to 127 bytes.
|
||
|
However, it can potentially be used to read 128 bytes, leading to a
|
||
|
off-by-one vulnerability. This patch allocates 128 bytes to the buffer
|
||
|
to prevent this from occurring.
|
||
|
---
|
||
|
plug-ins/common/file-psp.c | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
|
||
|
index c8b166471e..582a10c300 100644
|
||
|
--- a/plug-ins/common/file-psp.c
|
||
|
+++ b/plug-ins/common/file-psp.c
|
||
|
@@ -1649,7 +1649,7 @@ read_channel_data (FILE *f,
|
||
|
else
|
||
|
endq = q + line_width * height;
|
||
|
|
||
|
- buf = g_malloc (127);
|
||
|
+ buf = g_malloc (128);
|
||
|
while (q < endq)
|
||
|
{
|
||
|
fread (&runcount, 1, 1, f);
|
||
|
--
|
||
|
2.31.1
|
||
|
|