From e1bfd87195e4fe60a92df70cde65464d032dd3c1 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 23 Sep 2023 02:16:24 +0000
Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22097)

Resolves #10071.

When reading RLE compressed data, a buffer was allocated to 127 bytes.
However, it can potentially be used to read 128 bytes, leading to a
off-by-one vulnerability. This patch allocates 128 bytes to the buffer
to prevent this from occurring.
---
 plug-ins/common/file-psp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index c8b166471e..582a10c300 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1649,7 +1649,7 @@ read_channel_data (FILE        *f,
         else
           endq = q + line_width * height;
 
-        buf = g_malloc (127);
+        buf = g_malloc (128);
         while (q < endq)
           {
             fread (&runcount, 1, 1, f);
-- 
2.31.1