plug-ins: fix #15970 buffer overflow in file-psp

Reported as ZDI-CAN-28874. For psp images with bit depth 1 or 4 bits and small widths, it was possible to overflow the buffer because these bit depths are stored in multiples of 4 bytes per line. Because these formats are converted to regular RGB, this means that for small widths, more bytes are needed than expected when we are upscaling to 8-bit. To fix this, we compute the line size when depth < 8, and adjust line width if that value is larger.
2026-03-07 15:55:04 -05:00 · 2026-03-07 15:55:04 -05:00 · 98cb1371fd
commit 98cb1371fd
parent 3a16f12080
1 changed files with 18 additions and 2 deletions
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@ -2127,7 +2127,23 @@ read_layer_block (FILE      *f,

      if (can_handle_layer)
        {
-          pixel = g_malloc0 (height * width * bytespp);
+          gint line_width = width * bytespp;
+
+          if (ia->depth < 8)
+            {
+              gint min_line_width = (((width * ia->depth + 7) / 8) + (ia->depth - 1)) / 4 * 4;
+
+              /* For small widths, when depth is 1, or 4, the number of bytes
+               * used can be larger than the width * bytespp. Adjust for that. */
+              if (min_line_width > line_width)
+                {
+                  IFDBG(3) g_message ("Adjusting line width from %d to %d\n",
+                                      line_width, min_line_width);
+                  line_width = min_line_width;
+                }
+            }
+
+          pixel = g_malloc0 (height * line_width);
          if (null_layer)
            {
              pixels = NULL;
@ -2136,7 +2152,7 @@ read_layer_block (FILE      *f,
            {
              pixels = g_new (guchar *, height);
              for (i = 0; i < height; i++)
-                pixels[i] = pixel + width * bytespp * i;
+                pixels[i] = pixel + line_width * i;
            }

          buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));