File gimp-CVE-2026-2239.patch of Package gimp.42671
From 8cf2772f5631719ae0e4e701bd7ef793b1f59cfa Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Fri, 6 Feb 2026 15:56:07 -0500
Subject: [PATCH] plug-ins: fix #15812 PSD loader: heap-buffer-overflow ...
in fread_pascal_string
In plug-ins/file-psd/psd-util.c, the function fread_pascal_string()
allocates a buffer with g_malloc(len) and reads len bytes from the file
into it. The buffer is not null-terminated, but is assumed to be in
later code.
This causes it to read past the end of its allocated region with a
specially crafted PSD, causing a heap-buffer-overflow.
Fix this by allocating one more byte than its length and setting that
to '\0'.
---
plug-ins/file-psd/psd-util.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff -urp gimp-2.10.30.orig/plug-ins/file-psd/psd-util.c gimp-2.10.30/plug-ins/file-psd/psd-util.c
--- gimp-2.10.30.orig/plug-ins/file-psd/psd-util.c 2021-12-19 14:48:34.000000000 -0600
+++ gimp-2.10.30/plug-ins/file-psd/psd-util.c 2026-02-11 10:19:16.971603808 -0600
@@ -227,7 +227,8 @@ fread_pascal_string (gint32 *bytes_rea
return NULL;
}
- str = g_malloc (len);
+ str = g_malloc (len + 1);
+ str[len] = '\0';
if (fread (str, len, 1, f) < 1)
{
psd_set_error (feof (f), errno, error);
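Review bot: the added `str[len] = '\0';` line has no comment explaining why the allocation is one byte larger than the `fread` that follows, so a later cleanup could drop it; add a one-line comment saying that callers treat the result as a NUL-terminated C string. The declaration of `len` is not visible in this hunk, so confirm that its type cannot make `len + 1` wrap before the value reaches `g_malloc`. The terminator only bounds string reads past the buffer: the `len` bytes come from the file and may contain an embedded NUL, so callers should not assume that the string length of the result equals `len`.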