Backport fix for CVE-2026-24660 from upstream

This is backported from the upstream commit [1] to fit the 0.19-stable branch. [1] Commit ac151a829b8d3e4c https://github.com/LibRaw/LibRaw/commit/ac151a829b8d3e4c Resolves: RHEL-165412
2026-04-30 15:24:20 +02:00 · 2026-04-30 15:24:20 +02:00 · d4db20eb65
commit d4db20eb65
parent c191d916a5
2 changed files with 341 additions and 1 deletions
--- a/LibRaw-CVE-2026-24660-TALOS-2026-2359.patch
+++ b/LibRaw-CVE-2026-24660-TALOS-2026-2359.patch
@ -0,0 +1,334 @@
+From 92492c81b2fd2b600f357b32a1e03bff85db65b9 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Thu, 30 Apr 2026 14:27:27 +0200
+Subject: [PATCH] X3F decoder: implemented hard single allocation limit
+
+... via LIBRAW_X3F_ALLOC_LIMIT_MB define; allocation size calculation
+converted to 64 bit arithm; fix for TALOS-2026-2359.
+
+(backported from commit ac151a829b8d3e4c74fa3aefa8a029c3cc3f857f)
+---
+ internal/libraw_x3f.cpp | 101 ++++++++++++++++++++++++----------------
+ libraw/libraw_const.h   |   6 +++
+ 2 files changed, 67 insertions(+), 40 deletions(-)
+
+diff --git a/internal/libraw_x3f.cpp b/internal/libraw_x3f.cpp
+index 2976eaf70929..8b159dda18c9 100644
+--- a/internal/libraw_x3f.cpp
+++ b/internal/libraw_x3f.cpp
+@@ -474,6 +474,36 @@ x3f_return_t x3f_delete(x3f_t *x3f);
+ /* Reading and writing - assuming little endian in the file              */
+ /* --------------------------------------------------------------------- */
+ 
+static void *x3f_limited_malloc(UINT64 sz)
+{
+  if (sz > LIBRAW_X3F_ALLOC_LIMIT_MB * 1024ULL * 1024ULL)
+    throw LIBRAW_EXCEPTION_TOOBIG;
+  void *ret = malloc(sz);
+  if (!ret)
+    throw LIBRAW_EXCEPTION_ALLOC;
+  return ret;
+}
+
+static void *x3f_limited_calloc(UINT64 n, UINT64 sz)
+{
+  if (sz * n > LIBRAW_X3F_ALLOC_LIMIT_MB * 1024ULL * 1024ULL)
+    throw LIBRAW_EXCEPTION_TOOBIG;
+  void *ret = calloc(n, sz);
+  if (!ret)
+    throw LIBRAW_EXCEPTION_ALLOC;
+  return ret;
+}
+
+static void *x3f_limited_realloc(void *ptr, UINT64 sz)
+{
+  if (sz > LIBRAW_X3F_ALLOC_LIMIT_MB * 1024ULL * 1024ULL)
+    throw LIBRAW_EXCEPTION_TOOBIG;
+  void *ret = realloc(ptr, sz);
+  if (!ret)
+    throw LIBRAW_EXCEPTION_ALLOC;
+  return ret;
+}
+
+ static int x3f_get1(LibRaw_abstract_datastream *f)
+ {
+ 	/* Little endian file */
+@@ -536,7 +566,7 @@ union {int32_t i; float f;} _tmp;		\
+ 	do {											\
+ 	int _i;											\
+ 	(_T).size = (_NUM);								\
+-	(_T).element = (_TYPE *)realloc((_T).element,	\
+	(_T).element = (_TYPE *)x3f_limited_realloc((_T).element,	\
+ 	(_NUM)*sizeof((_T).element[0]));				\
+ 	for (_i = 0; _i < (_T).size; _i++)				\
+ 	_GETX((_T).element[_i]);						\
+@@ -546,7 +576,7 @@ union {int32_t i; float f;} _tmp;		\
+ 	do {											\
+ 	int _i;											\
+ 	(_T).size = (_NUM);								\
+-	(_T).element = (x3f_property_t *)realloc((_T).element,	\
+	(_T).element = (x3f_property_t *)x3f_limited_realloc((_T).element,	\
+ 	(_NUM)*sizeof((_T).element[0]));				\
+ 	for (_i = 0; _i < (_T).size; _i++) {			\
+ 	GET4((_T).element[_i].name_offset);				\
+@@ -560,7 +590,7 @@ union {int32_t i; float f;} _tmp;		\
+ 	(_T).element = NULL;							\
+ 	for (_i = 0; ; _i++) {							\
+ 	(_T).size = _i + 1;								\
+-	(_T).element = (x3f_true_huffman_element_t *)realloc((_T).element,	\
+	(_T).element = (x3f_true_huffman_element_t *)x3f_limited_realloc((_T).element,	\
+ 	(_i + 1)*sizeof((_T).element[0]));				\
+ 	GET1((_T).element[_i].code_size);				\
+ 	GET1((_T).element[_i].code);					\
+@@ -583,7 +613,7 @@ static void new_huffman_tree(x3f_hufftree_t *HTP, int bits)
+ 
+   HTP->free_node_index = 0;
+   HTP->nodes = (x3f_huffnode_t *)
+-    calloc(1, HUF_TREE_MAX_NODES(leaves)*sizeof(x3f_huffnode_t));
+    x3f_limited_calloc(1, HUF_TREE_MAX_NODES(leaves)*sizeof(x3f_huffnode_t));
+ }
+ 
+ /* --------------------------------------------------------------------- */
+@@ -608,7 +638,7 @@ static void cleanup_true(x3f_true_t **TRUP)
+ 
+ static x3f_true_t *new_true(x3f_true_t **TRUP)
+ {
+-  x3f_true_t *TRU = (x3f_true_t *)calloc(1, sizeof(x3f_true_t));
+  x3f_true_t *TRU = (x3f_true_t *)x3f_limited_calloc(1, sizeof(x3f_true_t));
+ 
+   cleanup_true(TRUP);
+ 
+@@ -639,7 +669,7 @@ static void cleanup_quattro(x3f_quattro_t **QP)
+ 
+ static x3f_quattro_t *new_quattro(x3f_quattro_t **QP)
+ {
+-  x3f_quattro_t *Q = (x3f_quattro_t *)calloc(1, sizeof(x3f_quattro_t));
+  x3f_quattro_t *Q = (x3f_quattro_t *)x3f_limited_calloc(1, sizeof(x3f_quattro_t));
+   int i;
+ 
+   cleanup_quattro(QP);
+@@ -682,7 +712,7 @@ static void cleanup_huffman(x3f_huffman_t **HUFP)
+ 
+ static x3f_huffman_t *new_huffman(x3f_huffman_t **HUFP)
+ {
+-  x3f_huffman_t *HUF = (x3f_huffman_t *)calloc(1, sizeof(x3f_huffman_t));
+  x3f_huffman_t *HUF = (x3f_huffman_t *)x3f_limited_calloc(1, sizeof(x3f_huffman_t));
+ 
+   cleanup_huffman(HUFP);
+ 
+@@ -712,9 +742,7 @@ static x3f_huffman_t *new_huffman(x3f_huffman_t **HUFP)
+ {
+ 	if (!infile) return NULL;
+   	INT64 fsize = infile->size();
+-	x3f_t *x3f = (x3f_t *)calloc(1, sizeof(x3f_t));
+-        if(!x3f)
+-           throw LIBRAW_EXCEPTION_ALLOC;
+	x3f_t *x3f = (x3f_t *)x3f_limited_calloc(1, sizeof(x3f_t));
+   try {
+ 	x3f_info_t *I = NULL;
+ 	x3f_header_t *H = NULL;
+@@ -773,7 +801,7 @@ static x3f_huffman_t *new_huffman(x3f_huffman_t **HUFP)
+ 
+   if (DS->num_directory_entries > 0) {
+     size_t size = DS->num_directory_entries * sizeof(x3f_directory_entry_t);
+-    DS->directory_entry = (x3f_directory_entry_t *)calloc(1, size);
+    DS->directory_entry = (x3f_directory_entry_t *)x3f_limited_calloc(1, size);
+   }
+ 
+   /* Traverse the directory */
+@@ -1579,14 +1607,7 @@ static uint32_t read_data_block(void **data,
+ 	if (fpos + size > I->input.file->size())
+ 		throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ 
+-	// All known files from real cameras are many times smaller than 1 GB, so the hard limit is OK here.
+-
+-	if(size > 1024*1024*1024)
+-		throw LIBRAW_EXCEPTION_ALLOC;
+-
+-	*data = (void *)malloc(size);
+-	if (!*data)
+-		throw LIBRAW_EXCEPTION_ALLOC;
+	*data = (void *)x3f_limited_malloc(size);
+ 
+ 	GETN(*data, size);
+ 
+@@ -1719,35 +1740,35 @@ static void x3f_load_true(x3f_info_t *I,
+ 			uint32_t columns = Q->plane[0].columns;
+ 			uint32_t rows = Q->plane[0].rows;
+ 			uint32_t channels = 3;
+-			uint32_t size = columns * rows * channels;
+			UINT64 size = UINT64(columns) * UINT64(rows) * UINT64(channels);
+ 
+ 			TRU->x3rgb16.columns = columns;
+ 			TRU->x3rgb16.rows = rows;
+ 			TRU->x3rgb16.channels = channels;
+ 			TRU->x3rgb16.row_stride = columns * channels;
+-			TRU->x3rgb16.buf = malloc(sizeof(uint16_t)*size);
+			TRU->x3rgb16.buf = x3f_limited_malloc(sizeof(uint16_t)*size);
+ 			TRU->x3rgb16.data = (uint16_t *) TRU->x3rgb16.buf;
+ 
+ 			columns = Q->plane[2].columns;
+ 			rows = Q->plane[2].rows;
+ 			channels = 1;
+-			size = columns * rows * channels;
+			size = UINT64(columns) * UINT64(rows) * UINT64(channels);
+ 
+ 			Q->top16.columns = columns;
+ 			Q->top16.rows = rows;
+ 			Q->top16.channels = channels;
+ 			Q->top16.row_stride = columns * channels;
+-			Q->top16.buf = malloc(sizeof(uint16_t)*size);
+			Q->top16.buf = x3f_limited_malloc(sizeof(uint16_t)*size);
+ 			Q->top16.data = (uint16_t *)Q->top16.buf;
+ 				
+ 	} else {
+-		uint32_t size = ID->columns * ID->rows * 3;
+		UINT64 size = UINT64(ID->columns) * UINT64(ID->rows) * 3ULL;
+ 
+ 		TRU->x3rgb16.columns = ID->columns;
+ 		TRU->x3rgb16.rows = ID->rows;
+ 		TRU->x3rgb16.channels = 3;
+ 		TRU->x3rgb16.row_stride = ID->columns * 3;
+-		TRU->x3rgb16.buf =malloc(sizeof(uint16_t)*size);
+		TRU->x3rgb16.buf = x3f_limited_malloc(sizeof(uint16_t)*size);
+ 		TRU->x3rgb16.data = (uint16_t *)TRU->x3rgb16.buf;		
+ 	}
+ 
+@@ -1802,7 +1823,7 @@ static void x3f_load_huffman(x3f_info_t *I,
+ 	x3f_directory_entry_header_t *DEH = &DE->header;
+ 	x3f_image_data_t *ID = &DEH->data_subsection.image_data;
+ 	x3f_huffman_t *HUF = new_huffman(&ID->huffman);
+-	uint32_t size;
+	UINT64 size;
+ 
+ 	if (use_map_table) {
+ 		int table_size = 1<<bits;
+@@ -1813,21 +1834,21 @@ static void x3f_load_huffman(x3f_info_t *I,
+ 	switch (ID->type_format) {
+ 	case X3F_IMAGE_RAW_HUFFMAN_X530:
+ 	case X3F_IMAGE_RAW_HUFFMAN_10BIT:
+-		size = ID->columns * ID->rows * 3;
+		size = UINT64(ID->columns) * UINT64(ID->rows) * 3ULL;
+ 		HUF->x3rgb16.columns = ID->columns;
+ 		HUF->x3rgb16.rows = ID->rows;
+ 		HUF->x3rgb16.channels = 3;
+ 		HUF->x3rgb16.row_stride = ID->columns * 3;
+-		HUF->x3rgb16.buf = malloc(sizeof(uint16_t)*size);
+		HUF->x3rgb16.buf = x3f_limited_malloc(sizeof(uint16_t)*size);
+ 		HUF->x3rgb16.data = (uint16_t *)HUF->x3rgb16.buf;
+ 		break;
+ 	case X3F_IMAGE_THUMB_HUFFMAN:
+-		size = ID->columns * ID->rows * 3;
+		size = UINT64(ID->columns) * UINT64(ID->rows) * 3ULL;
+ 		HUF->rgb8.columns = ID->columns;
+ 		HUF->rgb8.rows = ID->rows;
+ 		HUF->rgb8.channels = 3;
+ 		HUF->rgb8.row_stride = ID->columns * 3;
+-		HUF->rgb8.buf = malloc(sizeof(uint8_t)*size);
+		HUF->rgb8.buf = x3f_limited_malloc(sizeof(uint8_t)*size);
+ 		HUF->rgb8.data = (uint8_t *)HUF->rgb8.buf;
+ 		break;
+ 	default:
+@@ -1923,7 +1944,7 @@ static void x3f_load_camf_decode_type2(x3f_camf_t *CAMF)
+ 	int i;
+ 
+ 	CAMF->decoded_data_size = CAMF->data_size;
+-	CAMF->decoded_data = malloc(CAMF->decoded_data_size);
+	CAMF->decoded_data = x3f_limited_malloc(CAMF->decoded_data_size);
+ 
+ 	for (i=0; i<CAMF->data_size; i++) {
+ 		uint8_t old, _new;
+@@ -1963,7 +1984,7 @@ static void camf_decode_type4(x3f_camf_t *CAMF)
+ 
+   CAMF->decoded_data_size = dst_size;
+ 
+-  CAMF->decoded_data = malloc(CAMF->decoded_data_size);
+  CAMF->decoded_data = x3f_limited_malloc(CAMF->decoded_data_size);
+   memset(CAMF->decoded_data, 0, CAMF->decoded_data_size);
+ 
+   dst = (uint8_t *)CAMF->decoded_data;
+@@ -2038,7 +2059,7 @@ static void x3f_load_camf_decode_type4(x3f_camf_t *CAMF)
+   for (i=0, p = (uint8_t*)CAMF->data; *p != 0; i++) {
+     /* TODO: Is this too expensive ??*/
+     element =
+-      (x3f_true_huffman_element_t *)realloc(element, (i+1)*sizeof(*element));
+      (x3f_true_huffman_element_t *)x3f_limited_realloc(element, (i+1)*sizeof(*element));
+ 
+     element[i].code_size = *p++;
+     element[i].code = *p++;
+@@ -2077,7 +2098,7 @@ static void camf_decode_type5(x3f_camf_t *CAMF)
+   int32_t i;
+ 
+   CAMF->decoded_data_size = CAMF->t5.decoded_data_size;
+-  CAMF->decoded_data = malloc(CAMF->decoded_data_size);
+  CAMF->decoded_data = x3f_limited_malloc(CAMF->decoded_data_size);
+ 
+   dst = (uint8_t *)CAMF->decoded_data;
+ 
+@@ -2100,7 +2121,7 @@ static void x3f_load_camf_decode_type5(x3f_camf_t *CAMF)
+   for (i=0, p = (uint8_t*)CAMF->data; *p != 0; i++) {
+     /* TODO: Is this too expensive ??*/
+     element =
+-      (x3f_true_huffman_element_t *)realloc(element, (i+1)*sizeof(*element));
+      (x3f_true_huffman_element_t *)x3f_limited_realloc(element, (i+1)*sizeof(*element));
+ 
+     element[i].code_size = *p++;
+     element[i].code = *p++;
+@@ -2144,8 +2165,8 @@ static void x3f_setup_camf_property_entry(camf_entry_t *entry)
+     entry->property_num = *(uint32_t *)v;
+   uint32_t off = *(uint32_t *)(v + 4);
+ 
+-  entry->property_name = (char **)malloc(num*sizeof(uint8_t*));
+-  entry->property_value = (uint8_t **)malloc(num*sizeof(uint8_t*));
+  entry->property_name = (char **)x3f_limited_malloc(num*sizeof(uint8_t*));
+  entry->property_value = (uint8_t **)x3f_limited_malloc(num*sizeof(uint8_t*));
+ 
+   for (i=0; i<num; i++) {
+     uint32_t name_off = off + *(uint32_t *)(v + 8 + 8*i);
+@@ -2198,7 +2219,7 @@ static void get_matrix_copy(camf_entry_t *entry)
+ 		 sizeof(double) :
+ 		 sizeof(uint32_t)) * elements;
+ 
+-  entry->matrix_decoded = malloc(size);
+  entry->matrix_decoded = x3f_limited_malloc(size);
+ 
+   switch (element_size) {
+   case 4:
+@@ -2271,7 +2292,7 @@ static void x3f_setup_camf_matrix_entry(camf_entry_t *entry)
+ 		entry->matrix_data_off = *(uint32_t *)(v + 8);
+ 	camf_dim_entry_t *dentry =
+ 		entry->matrix_dim_entry =
+-		(camf_dim_entry_t*)malloc(dim*sizeof(camf_dim_entry_t));
+		(camf_dim_entry_t*)x3f_limited_malloc(dim*sizeof(camf_dim_entry_t));
+ 
+ 	for (i=0; i<dim; i++) {
+ 		uint32_t size =
+@@ -2320,7 +2341,7 @@ static void x3f_setup_camf_entries(x3f_camf_t *CAMF)
+ 		}
+ 
+ 		/* TODO: lots of realloc - may be inefficient */
+-		entry = (camf_entry_t *)realloc(entry, (i+1)*sizeof(camf_entry_t));
+		entry = (camf_entry_t *)x3f_limited_realloc(entry, (i+1)*sizeof(camf_entry_t));
+ 
+ 		/* Pointer */
+ 		entry[i].entry = p;
+diff --git a/libraw/libraw_const.h b/libraw/libraw_const.h
+index 66fae4d4c17f..39b2a8cc9c2e 100644
+--- a/libraw/libraw_const.h
+++ b/libraw/libraw_const.h
+@@ -34,6 +34,12 @@ it under the terms of the one of two licenses as you choose:
+ #ifndef LIBRAW_NO_IOSPACE_CHECK
+ #define LIBRAW_IOSPACE_CHECK
+ #endif
+
+/* max data size for known foveon cameras: 30mpix * 3 channels * 2 bytes = 180Mb, so 512Mb is OK for everything until/if new cameras will arrive */
+#ifndef LIBRAW_X3F_ALLOC_LIMIT_MB
+#define LIBRAW_X3F_ALLOC_LIMIT_MB 512ULL
+#endif
+
+ /* LibRaw uses own memory pool management, with LIBRAW_MSIZE (512)
+ entries. It is enough for parsing/decoding non-damaged files, but
+ may overflow on specially crafted files (eg. with many string values
+-- 
+2.53.0
+
--- a/LibRaw.spec
+++ b/LibRaw.spec
@ -1,7 +1,7 @@
 Summary: Library for reading RAW files obtained from digital photo cameras
 Name: LibRaw
 Version: 0.19.5
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: BSD-3-Clause and (CDDL-1.0 or LGPL-2.1-only)
 URL: http://www.libraw.org

@ -18,6 +18,7 @@ Patch2:  LibRaw-CVE-2020-24870.patch
 Patch3:  LibRaw-CVE-2021-32142.patch
 Patch4:  LibRaw-CVE-2026-20889-TALOS-2026-2358.patch
 Patch5:  LibRaw-CVE-2026-21413-TALOS-2026-2331.patch
+Patch6:  LibRaw-CVE-2026-24660-TALOS-2026-2359.patch

 Provides: bundled(dcraw) = 9.25

@ -63,6 +64,7 @@ LibRaw sample programs
 %patch3 -p1 -b .cve-2021-32142
 %patch4 -p1 -b .cve-2026-20889
 %patch5 -p1 -b .cve-2026-21413
+%patch6 -p1 -b .cve-2026-24660

 %build
 autoreconf -if
@ -126,6 +128,10 @@ rm -fv %{buildroot}%{_libdir}/lib*.la


 %changelog
+* Thu Apr 30 2026 Debarshi Ray <rishi@fedoraproject.org> - 0.19.5-6
+- Backport fix for CVE-2026-24660 from upstream
+Resolves: RHEL-165412
+
 * Tue Apr 28 2026 Debarshi Ray <rishi@fedoraproject.org> - 0.19.5-5
 - Backport fixes for CVE-2026-20889 and CVE-2026-21413 from upstream
 - Migrate to SPDX license