File libraw-CVE-2015-8367.patch of Package libraw.27864

Overview Repositories Revisions Requests Users Attributes Meta

File libraw-CVE-2015-8367.patch of Package libraw.27864

From 89d065424f09b788f443734d44857289489ca9e2 Mon Sep 17 00:00:00 2001
From: Alex Tutubalin <lexa@lexa.ru>
Date: Tue, 24 Nov 2015 17:53:24 +0300
Subject: [PATCH] fixed two more problems found by fuzzer

Index: internal/dcraw_common.cpp
===================================================================
--- internal/dcraw_common.cpp.orig	2015-12-03 15:17:37.971475439 +0100
+++ internal/dcraw_common.cpp	2015-12-03 15:17:37.983475634 +0100
@@ -2751,6 +2751,10 @@
       diff = diff ? -diff : 0x80;
     if (ftell(ifp) + 12 >= seg[1][1])
       diff = 0;
+#ifdef LIBRAW_LIBRARY_BUILD
+    if(pix>=raw_width*raw_height)
+      throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
     raw_image[pix] = pred[pix & 1] += diff;
     if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
   }
Index: src/libraw_cxx.cpp
===================================================================
--- src/libraw_cxx.cpp.orig	2013-08-23 04:55:48.000000000 +0200
+++ src/libraw_cxx.cpp	2015-12-03 15:20:27.314231023 +0100
@@ -1122,6 +1122,7 @@
     if(!imgdata.rawdata.raw_image && !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image) // RawSpeed failed!
       {
         // Not allocated on RawSpeed call, try call LibRaw
+        int zero_rawimage = 0;
         if(decoder_info.decoder_flags &  LIBRAW_DECODER_FLATFIELD)
           {
             imgdata.rawdata.raw_alloc = malloc(rwidth*(rheight+7)*sizeof(imgdata.rawdata.raw_image[0]));
@@ -1138,6 +1139,8 @@
             // allocate image as temporary buffer, size 
             imgdata.rawdata.raw_alloc = 0;
             imgdata.image = (ushort (*)[4]) calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
+	    imgdata.rawdata.raw_image = (ushort*) imgdata.image ;
+	    zero_rawimage = 1;
           }
         ID.input->seek(libraw_internal_data.unpacker_data.data_offset, SEEK_SET);
 
@@ -1145,6 +1148,8 @@
         if(load_raw == &LibRaw::unpacked_load_raw && !strcasecmp(imgdata.idata.make,"Nikon"))
           C.maximum=65535;
         (this->*load_raw)();
+	if(zero_rawimage)
+	  imgdata.rawdata.raw_image = 0;
         if(load_raw == &LibRaw::unpacked_load_raw && !strcasecmp(imgdata.idata.make,"Nikon"))
           C.maximum = m_save;
         if (decoder_info.decoder_flags & LIBRAW_DECODER_LEGACY)

Places

File libraw-CVE-2015-8367.patch of Package libraw.27864

Places