From b992bc60103d8c3bbd2aa46293c9f0e4f350114c Mon Sep 17 00:00:00 2001
From: Masahiro Matsuya <mmatsuya@redhat.com>
Date: Thu, 25 Jan 2024 13:38:12 +0900
Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22097)

When reading RLE compressed data, a buffer was allocated to 127 bytes.
However, it can potentially be used to read 128 bytes, leading to a
off-by-one vulnerability. This patch allocates 128 bytes to the buffer
to prevent this from occurring.
Fixes CVE-2023-44444

upstream commit: e1bfd87195e4fe60a92df70cde65464d032dd3c1

---
 plug-ins/common/file-psp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index 7c3d04b..f5c5d94 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1196,7 +1196,7 @@ read_channel_data (FILE       *f,
 
         q = pixels[0] + offset;
         endq = q + npixels * bytespp;
-        buf = g_malloc (127);
+        buf = g_malloc (128);
         while (q < endq)
           {
             fread (&runcount, 1, 1, f);
-- 
2.43.0