plug-ins: fix #15812 PSD loader: heap-buffer-overflow in fread_pascal_string

In plug-ins/file-psd/psd-util.c, the function fread_pascal_string()
allocates a buffer with g_malloc(len) and reads len bytes from the file
into it. The buffer is not null-terminated, but is assumed to be in
later code.
This causes it to read past the end of its allocated region with a
specially crafted PSD, causing a heap-buffer-overflow.

Fix this by allocating one more byte than its length and setting that
to '\0'.
Jacob Boerema 2026-02-06 15:56:07 -05:00
parent 84fb1b3ce5
commit 8cf2772f56

@ -274,7 +274,8 @@ fread_pascal_string (gint32 *bytes_read,
return NULL;
}
str = g_malloc (len);
str = g_malloc (len + 1);
str[len] = '\0';
if (psd_read (input, str, len, error) < len)
{
psd_set_error (error);
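
Review bot: `str[len] = '\0'` is stored before the `psd_read (input, str, len, error)` call, so when the read comes back short the buffer is terminated at `len` but the bytes between the end of the partial read and the terminator are still uninitialized heap memory. If any path after `psd_set_error (error)` returns or logs `str`, string functions would walk over that uninitialized data. Using `g_malloc0 (len + 1)` instead of `g_malloc (len + 1)` plus the explicit store would cover both the terminator and the short-read case in one step. It would also help to state in the function's comment that the returned buffer is `len + 1` bytes and NUL-terminated, since callers rely on that, and to note that a NUL byte inside the `len` bytes read from the file will make callers see a shorter string than `len`.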