From 4d463048b9f27a3dc86b7010c198b32d995cd941 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Tue, 27 Apr 2021 17:44:09 +0200
Subject: [PATCH] Limit loops to MIN(colors,4)

This is a backport of commit 4feaed4dea636cee for CVE-2020-24870.

https://github.com/LibRaw/LibRaw/issues/330
---
 internal/dcraw_common.cpp | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
index a36553208194..3e8c009eb08e 100644
--- a/internal/dcraw_common.cpp
+++ b/internal/dcraw_common.cpp
@@ -19598,17 +19598,18 @@ dng_skip:
 
 				  if(calidx[colidx] == sidx)
 				  {
-					  for (int i = 0; i < colors; i++)
+					  for (int i = 0; i < colors && i < 4; i++)
 						  FORCC
 						  cc[i][c] = tiff_ifd[sidx].dng_color[colidx].calibration[i][c];
 				  }
 
 				  if(abidx == sidx)
-					for (int i = 0; i < colors; i++)
+					for (int i = 0; i < colors && i < 4; i++)
 						  FORCC cc[i][c] *= tiff_ifd[sidx].dng_levels.analogbalance[i];
 				  int j;
-				  FORCC for (int i = 0; i < 3; i++) for (cam_xyz[c][i] = j = 0; j < colors; j++) cam_xyz[c][i] +=
-					  cc[c][j] * cm[j][i];// add AsShotXY later * xyz[i];
+				  FORCC for (int i = 0; i < 3; i++)
+					for (cam_xyz[c][i] = j = 0; j < colors && j < 4; j++)
+						cam_xyz[c][i] += cc[c][j] * cm[j][i];// add AsShotXY later * xyz[i];
 				  cam_xyz_coeff(cmatrix, cam_xyz);
 			  }
 		  }
-- 
2.30.2