File gimp-CVE-2026-2239.patch of Package gimp

From 8cf2772f5631719ae0e4e701bd7ef793b1f59cfa Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Fri, 6 Feb 2026 15:56:07 -0500
Subject: [PATCH] plug-ins: fix #15812 PSD loader: heap-buffer-overflow ...

in fread_pascal_string

In plug-ins/file-psd/psd-util.c, the function fread_pascal_string()
allocates a buffer with g_malloc(len) and reads len bytes from the file
into it. The buffer is not null-terminated, but is assumed to be in
later code.
This causes it to read past the end of its allocated region with a
specially crafted PSD, causing a heap-buffer-overflow.

Fix this by alloocating one more byte than its length and set that
to '\0'.
---
 plug-ins/file-psd/psd-util.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/plug-ins/file-psd/psd-util.c b/plug-ins/file-psd/psd-util.c
index e0cca2b4db..734155c57a 100644
--- a/plug-ins/file-psd/psd-util.c
+++ b/plug-ins/file-psd/psd-util.c
@@ -274,7 +274,8 @@ fread_pascal_string (gint32        *bytes_read,
       return NULL;
     }
 
-  str = g_malloc (len);
+  str = g_malloc (len + 1);
+  str[len] = '\0';
   if (psd_read (input, str, len, error) < len)
     {
       psd_set_error (error);
-- 
2.53.0