File libraw-CVE-2018-10529.patch of Package libraw.8044

Overview Repositories Revisions Requests Users Attributes Meta

File libraw-CVE-2018-10529.patch of Package libraw.8044

Index: LibRaw-0.17.1/internal/libraw_x3f.cpp
===================================================================
--- LibRaw-0.17.1.orig/internal/libraw_x3f.cpp	2018-04-30 13:34:27.813960391 +0200
+++ LibRaw-0.17.1/internal/libraw_x3f.cpp	2018-04-30 13:49:51.695620441 +0200
@@ -425,7 +425,7 @@ unsigned x3f_get4(LibRaw_abstract_datast
 	while (_left != 0) {					\
 	int _cur = _file->_func(_buffer,1,_left);		\
 	if (_cur == 0) {					\
-		break; \
+		throw LIBRAW_EXCEPTION_IO_CORRUPT; \
 	}							\
 	_left -= _cur;						\
 	}								\
@@ -1461,10 +1461,13 @@ static void x3f_load_property_list(x3f_i
   GET_PROPERTY_TABLE(PL->property_table, PL->num_properties);
 
   PL->data_size = read_data_block(&PL->data, I, DE, 0);
+  uint32_t maxoffset = PL->data_size/sizeof(utf16_t)-2; // at least 2 chars, value + terminating 0x0000
 
   for (i=0; i<PL->num_properties; i++) {
     x3f_property_t *P = &PL->property_table.element[i];
  
+    if(P->name_offset > maxoffset || P->value_offset > maxoffset)
+    	throw LIBRAW_EXCEPTION_IO_CORRUPT;
     P->name = ((utf16_t *)PL->data + P->name_offset);
     P->value = ((utf16_t *)PL->data + P->value_offset);
   }
Index: LibRaw-0.17.1/src/libraw_cxx.cpp
===================================================================
--- LibRaw-0.17.1.orig/src/libraw_cxx.cpp	2018-04-30 13:34:27.801960214 +0200
+++ LibRaw-0.17.1/src/libraw_cxx.cpp	2018-04-30 13:34:27.813960391 +0200
@@ -4317,13 +4317,21 @@ void LibRaw::parse_x3f()
 	  // Parse property list
 	  DEH = &DE->header;
 	  x3f_property_list_t *PL = &DEH->data_subsection.property_list;
+          utf16_t *datap = (utf16_t*) PL->data;
+          uint32_t maxitems = PL->data_size/sizeof(utf16_t);
 	  if (PL->property_table.size != 0) {
 		  int i;
 		  x3f_property_t *P = PL->property_table.element;
 		  for (i=0; i<PL->num_properties; i++) {
 			  char name[100], value[100];
-			  utf2char(P[i].name,name,sizeof(name));
-			  utf2char(P[i].value,value,sizeof(value));
+                          int noffset = (P[i].name - datap);
+                          int voffset = (P[i].value - datap);
+                          if(noffset < 0 || noffset>maxitems || voffset<0 || voffset>maxitems)
+                             throw LIBRAW_EXCEPTION_IO_CORRUPT;
+                          int maxnsize = maxitems - (P[i].name - datap);
+                          int maxvsize = maxitems - (P[i].value - datap);
+                          utf2char(P[i].name, name,MIN(maxnsize,sizeof(name)));
+                          utf2char(P[i].value, value,MIN(maxvsize,sizeof(value)));
 			  if (!strcmp (name, "ISO"))
 				  imgdata.other.iso_speed = atoi(value);
 			  if (!strcmp (name, "CAMMANUF"))

Places

File libraw-CVE-2018-10529.patch of Package libraw.8044

Places