File gimp-CVE-2026-4153.patch of Package gimp
From 98cb1371fd4e22cca75017ea3252dc32fc218712 Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Sat, 7 Mar 2026 15:55:04 -0500
Subject: [PATCH] plug-ins: fix #15970 buffer overflow in file-psp
Reported as ZDI-CAN-28874.
For psp images with bit depth 1 or 4 bits and small widths, it was
possible to overflow the buffer because these bit depths are stored
in multiples of 4 bytes per line.
Because these formats are converted to regular RGB, this means that for
small widths, more bytes are needed than expected when we are upscaling
to 8-bit.
To fix this, we compute the line size when depth < 8, and adjust
line width if that value is larger.
---
plug-ins/common/file-psp.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index 286cbed2bb7..763dd994fcd 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -2127,7 +2127,23 @@ read_layer_block (FILE *f,
if (can_handle_layer)
{
- pixel = g_malloc0 (height * width * bytespp);
+ gint line_width = width * bytespp;
+
+ if (ia->depth < 8)
+ {
+ gint min_line_width = (((width * ia->depth + 7) / 8) + (ia->depth - 1)) / 4 * 4;
+
+ /* For small widths, when depth is 1, or 4, the number of bytes
+ * used can be larger than the width * bytespp. Adjust for that. */
+ if (min_line_width > line_width)
+ {
+ IFDBG(3) g_message ("Adjusting line width from %d to %d\n",
+ line_width, min_line_width);
+ line_width = min_line_width;
+ }
+ }
+
+ pixel = g_malloc0 (height * line_width);
if (null_layer)
{
pixels = NULL;
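Review bot: The round-up in `min_line_width` adds `(ia->depth - 1)` where rounding up to a multiple of 4 needs `+ 3`, so it is only correct for depth 4; at depth 1 the term is 0 and the division truncates, e.g. width 1 yields 0 instead of 4. If 1-bit rows are read padded to 4 bytes as the commit message describes, a narrow 1-bit layer may still get a row smaller than what is written into it; whether `width * bytespp` happens to cover that depends on `bytespp`, which is set outside this hunk. I would write `gint min_line_width = (((width * ia->depth + 7) / 8) + 3) / 4 * 4;`. Separately, `height * line_width` here and `line_width * i` in the second hunk are computed in `gint` from what appear to be file-supplied dimensions. Unless those are range-checked earlier in read_layer_block (not visible here), `pixel = g_malloc0_n (height, line_width);` and a `gsize` row offset would avoid a wrapped size.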
@@ -2136,7 +2152,7 @@ read_layer_block (FILE *f,
{
pixels = g_new (guchar *, height);
for (i = 0; i < height; i++)
- pixels[i] = pixel + width * bytespp * i;
+ pixels[i] = pixel + line_width * i;
}
buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
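Review bot: Rows of `pixel` are no longer guaranteed to be tightly packed once `line_width` exceeds `width * bytespp`, and this hunk only updates the row-pointer table. Any later use of `pixel` as one contiguous image, for instance a buffer write that assumes a row stride of `width * bytespp`, would need `line_width` as its stride, otherwise narrow low-depth layers would come out skewed. The rest of read_layer_block is outside the hunk, so this needs checking against the code that follows `gimp_drawable_get_buffer`. A short comment at the loop, such as `/* row stride is line_width, which may exceed width * bytespp */`, would make the invariant visible to the next reader.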
--
GitLab