Fix CVE-2021-32142

Resolves: #2172140
This commit is contained in:
Debarshi Ray 2023-04-04 02:34:24 +02:00
parent 0b99ca1ba4
commit 10718171b1
2 changed files with 50 additions and 1 deletions

View File

@ -0,0 +1,40 @@
From fa329f37dca4a2c938f8abb50ee4a7ef93e64fbb Mon Sep 17 00:00:00 2001
From: Alex Tutubalin <lexa@lexa.ru>
Date: Mon, 12 Apr 2021 13:21:52 +0300
Subject: [PATCH] check for input buffer size on datastream::gets
---
src/libraw_datastream.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/libraw_datastream.cpp b/src/libraw_datastream.cpp
index 606e5de73618..7e95bc749688 100644
--- a/src/libraw_datastream.cpp
+++ b/src/libraw_datastream.cpp
@@ -286,6 +286,7 @@ INT64 LibRaw_file_datastream::tell()
char *LibRaw_file_datastream::gets(char *str, int sz)
{
+ if(sz<1) return NULL;
LR_STREAM_CHK();
std::istream is(f.get());
is.getline(str, sz);
@@ -417,6 +418,7 @@ INT64 LibRaw_buffer_datastream::tell()
char *LibRaw_buffer_datastream::gets(char *s, int sz)
{
+ if(sz<1) return NULL;
unsigned char *psrc, *pdest, *str;
str = (unsigned char *)s;
psrc = buf + streampos;
@@ -609,6 +611,7 @@ INT64 LibRaw_bigfile_datastream::tell()
char *LibRaw_bigfile_datastream::gets(char *str, int sz)
{
+ if(sz<1) return NULL;
LR_BF_CHK();
return fgets(str, sz, f);
}
--
2.39.2

View File

@ -7,7 +7,7 @@
Summary: Library for reading RAW files obtained from digital photo cameras Summary: Library for reading RAW files obtained from digital photo cameras
Name: LibRaw Name: LibRaw
Version: 0.20.2 Version: 0.20.2
Release: 5%{?dist} Release: 6%{?dist}
License: BSD and LGPLv2 License: BSD and LGPLv2
URL: http://www.libraw.org URL: http://www.libraw.org
@ -19,7 +19,12 @@ BuildRequires: autoconf automake libtool
BuildRequires: make BuildRequires: make
Source0: http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz Source0: http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz
Patch0: LibRaw-pkgconfig.patch Patch0: LibRaw-pkgconfig.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2172140
Patch1: LibRaw-check-for-input-buffer-size-on-datastream-gets.patch
Provides: bundled(dcraw) = 9.25 Provides: bundled(dcraw) = 9.25
%description %description
@ -114,6 +119,10 @@ rm -fv %{buildroot}%{_libdir}/lib*.la
%changelog %changelog
* Tue Apr 04 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.20.2-6
- Fix CVE-2021-32142
Resolves: #2172140
* Mon Dec 13 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.20.2-5 * Mon Dec 13 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.20.2-5
- CDDL is not an approved license - CDDL is not an approved license
Resolves: #2031918 Resolves: #2031918