From bfaefe1bcdf8731c8e343b3bbcb15e2a445ea318 Mon Sep 17 00:00:00 2001
From: Jorge Barredo Ferreira <[EMAIL REDACTED]>
Date: Mon, 6 Apr 2026 19:30:06 +0200
Subject: [PATCH] Fix heap underflow WRITE in XCF read_string (CWE-787)
When the string length is 0, the null-terminator write lands at data[-1], one byte before the start of the heap allocation.
Guard tmp == 0 before the null-terminator write.
(cherry picked from commit becd2b6fb242ba9ac60c66a4f3f77d1849aa2a02)
---
src/IMG_xcf.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/IMG_xcf.c b/src/IMG_xcf.c
index a2db70dc..ae6a1150 100644
--- a/src/IMG_xcf.c
+++ b/src/IMG_xcf.c
@@ -237,6 +237,13 @@ static char *read_string(SDL_IOStream *src)
char *data = NULL;
if (SDL_ReadU32BE(src, &tmp)) {
+ if (tmp == 0) {
+ data = (char *) SDL_malloc(1);
+ if (data) {
+ data[0] = 0;
+ }
+ return data;
+ }
remaining = SDL_GetIOSize(src) - SDL_TellIO(src);
if (tmp <= remaining) {
data = (char *)SDL_malloc(tmp);