From 4c5c28c14221f6540932a0835e97aa24472c73e0 Mon Sep 17 00:00:00 2001
From: Daniel Markstedt <daniel@mindani.net>
Date: Wed, 6 May 2026 21:51:23 +0200
Subject: [PATCH] CVE-2026-44065: papd: fix off-by-two in lp_write foomatic
 translation

Reported-by: @00redbeer
Signed-off-by: Daniel Markstedt <daniel@mindani.net>
---
 etc/papd/lp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/papd/lp.c b/etc/papd/lp.c
index 59978f63f..4d1969c47 100644
--- a/etc/papd/lp.c
+++ b/etc/papd/lp.c
@@ -792,7 +792,7 @@ int lp_write(struct papfile *in, char *buf, size_t len)
      * REALLY ugly hack, remove ASAP again */
     if ((printer->p_flags & P_FOOMATIC_HACK) && (in->pf_state & PF_TRANSLATE) &&
             (buf[len - 1] != '\n')) {
-        if (len <= BUFSIZE) {
+        if (len <= BUFSIZE - 2) {
             if (!last_line_translated) {
                 tempbuf2[0] = '\n';
                 memcpy(tempbuf2 + 1, buf, len++);