From 55256210f85b79b2ef72ea2bc6c84b52cb5ff335 Mon Sep 17 00:00:00 2001 From: Alx Sa Date: Thu, 2 Apr 2026 14:02:28 +0000 Subject: [PATCH] plug-ins: Fix algorithm check for PAA import Resolves #16151 The original implementation mixed up the variable that needed to be used for boundary checks - it should be "estimated_size" and not "flags". This patch fixes the issue to prevent a buffer overflow. --- plug-ins/common/file-paa.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/plug-ins/common/file-paa.c b/plug-ins/common/file-paa.c index 3028b2ecc4..a0ec9dfa2e 100644 --- a/plug-ins/common/file-paa.c +++ b/plug-ins/common/file-paa.c @@ -487,7 +487,6 @@ decode_lzss (guchar *raw_data, gint flag = 0; gint raw_index = 0; gint data_index = 0; - /*guchar pixel = 0;*/ if (estimated_size <= 0) return FALSE; @@ -504,8 +503,6 @@ decode_lzss (guchar *raw_data, { guchar value = raw_data[raw_index++]; - /*pixel += (gchar) value;*/ - uncompressed_data[data_index++] = value; estimated_size--; @@ -523,15 +520,13 @@ decode_lzss (guchar *raw_data, gint offset = index - b3; gint end_offset = b4 + offset; - if ((b4 + 1) > (guint32) flag) + if ((b4 + 1) > (guint32) estimated_size) return FALSE; - for (; offset <=end_offset; offset++) + for (; offset <= end_offset; offset++) { gint value = (gint) char_array[offset & 4095]; - /*pixel += (gchar) value;*/ - uncompressed_data[data_index++] = (guchar) value; estimated_size--;
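Review bot: The corrected guard `if ((b4 + 1) > (guint32) estimated_size)` in the back-reference branch only bounds the copy loop while `estimated_size` is positive, because a negative `gint` converted to `guint32` becomes a very large value and the comparison would then pass. The enclosing loop condition and the declaration of `b4` are outside this hunk, so that invariant may already hold; if it is not guaranteed, state it in the check itself, e.g. `if (estimated_size <= 0 || (b4 + 1) > (guint32) estimated_size) return FALSE;`. A one-line comment above the check saying that `b4 + 1` is the number of bytes the loop writes to `uncompressed_data` would make the `offset <= end_offset` bound easier to audit. Separately, the literal branch in the previous hunk reads `raw_data[raw_index++]` with no visible limit on `raw_index`; the parameter list of `decode_lzss` is cut off here, so it is worth confirming that the input length is checked for truncated files as well.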