File libraw-CVE-2018-10529.patch of Package libraw

Overview Repositories Revisions Requests Users Attributes Meta

File libraw-CVE-2018-10529.patch of Package libraw (Revision 02d88ab2d49faa80a0195b2948e42aea)

Currently displaying revision 02d88ab2d49faa80a0195b2948e42aea , Show latest

Index: LibRaw-0.18.9/internal/libraw_x3f.cpp
===================================================================
--- LibRaw-0.18.9.orig/internal/libraw_x3f.cpp	2018-04-24 16:23:24.000000000 +0200
+++ LibRaw-0.18.9/internal/libraw_x3f.cpp	2018-04-30 11:35:17.477351409 +0200
@@ -121,8 +121,6 @@ typedef struct x3f_property_s {
   /* Computed */
   utf16_t *name;		/* 0x0000 terminated UTF 16 */
   utf16_t *value;               /* 0x0000 terminated UTF 16 */
-  char *name_utf8;		/* converted to UTF 8 */
-  char *value_utf8;          /* converted to UTF 8 */
 } x3f_property_t;
 
 typedef struct x3f_property_table_s {
@@ -516,7 +514,6 @@ unsigned x3f_get4(LibRaw_abstract_datast
 		int _cur = _file->_func(_buffer,1,_left);	\
 		if (_cur == 0) {							\
 			throw LIBRAW_EXCEPTION_IO_CORRUPT;		\
-			exit(1);								\
 		}											\
 		_left -= _cur;								\
 	}												\
@@ -912,11 +909,6 @@ static void free_camf_entry(camf_entry_t
 			if (PL)
 			{
 				int i;
-
-				for (i = 0; i < PL->property_table.size; i++) {
-					FREE(PL->property_table.element[i].name_utf8);
-					FREE(PL->property_table.element[i].value_utf8);
-				}
 			}
 			FREE(PL->property_table.element);
 			FREE(PL->data);
@@ -1624,14 +1616,14 @@ static void x3f_load_property_list(x3f_i
 
 	if (!PL->data_size)
 		PL->data_size = read_data_block(&PL->data, I, DE, 0);
+	uint32_t maxoffset = PL->data_size/sizeof(utf16_t)-2; // at least 2 chars, value + terminating 0x0000
 
 	for (i=0; i<PL->num_properties; i++) {
 		x3f_property_t *P = &PL->property_table.element[i];
-
+		if(P->name_offset > maxoffset || P->value_offset > maxoffset)
+			throw LIBRAW_EXCEPTION_IO_CORRUPT;
 		P->name = ((utf16_t *)PL->data + P->name_offset);
 		P->value = ((utf16_t *)PL->data + P->value_offset);
-		P->name_utf8 = 0;// utf16le_to_utf8(P->name);
-		P->value_utf8 = 0;//utf16le_to_utf8(P->value);
 	}
 }
 
Index: LibRaw-0.18.9/src/libraw_cxx.cpp
===================================================================
--- LibRaw-0.18.9.orig/src/libraw_cxx.cpp	2018-04-30 11:35:17.477351409 +0200
+++ LibRaw-0.18.9/src/libraw_cxx.cpp	2018-04-30 11:38:21.568048079 +0200
@@ -5551,13 +5551,21 @@ void LibRaw::parse_x3f()
 	  // Parse property list
 	  DEH = &DE->header;
 	  x3f_property_list_t *PL = &DEH->data_subsection.property_list;
+          utf16_t *datap = (utf16_t*) PL->data;
+          uint32_t maxitems = PL->data_size/sizeof(utf16_t);
 	  if (PL->property_table.size != 0) {
 		  int i;
 		  x3f_property_t *P = PL->property_table.element;
 		  for (i=0; i<PL->num_properties; i++) {
 			  char name[100], value[100];
-			  utf2char(P[i].name,name,sizeof(name));
-			  utf2char(P[i].value,value,sizeof(value));
+                          int noffset = (P[i].name - datap);
+                          int voffset = (P[i].value - datap);
+                          if(noffset < 0 || noffset>maxitems || voffset<0 || voffset>maxitems)
+                             throw LIBRAW_EXCEPTION_IO_CORRUPT;
+                          int maxnsize = maxitems - (P[i].name - datap);
+                          int maxvsize = maxitems - (P[i].value - datap);
+                          utf2char(P[i].name, name,MIN(maxnsize,sizeof(name)));
+                          utf2char(P[i].value, value,MIN(maxvsize,sizeof(value)));
 			  if (!strcmp (name, "ISO"))
 				  imgdata.other.iso_speed = atoi(value);
 			  if (!strcmp (name, "CAMMANUF"))

Places

File libraw-CVE-2018-10529.patch of Package libraw (Revision 02d88ab2d49faa80a0195b2948e42aea)

Places