rpms/LibRaw
7
0
Fork 0
Code Issues Pull Requests Releases Activity
3fbdcce34b
LibRaw/d13e8f6d1e987b7491182040a188c16a395f1d21.patch
Gwyn Ciesla 3fbdcce34b CVE-2017-14348
2017-09-15 09:28:31 -05:00

71 lines
2.1 KiB
Diff
Raw Blame History

From d13e8f6d1e987b7491182040a188c16a395f1d21 Mon Sep 17 00:00:00 2001
From: Alex Tutubalin <lexa@lexa.ru>
Date: Wed, 13 Sep 2017 09:31:01 +0300
Subject: [PATCH] CVE-2017-1438 credits; fix for Kodak 65000 out of bounds
access
---
Changelog.txt | 6 +++++-
dcraw/dcraw.c | 11 +++++++++--
internal/dcraw_common.cpp | 11 +++++++++--
3 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/Changelog.txt b/Changelog.txt
index 95bdc952..9b247882 100755
--- a/Changelog.txt
+++ b/Changelog.txt
@@ -1,5 +1,9 @@
+2017-09-13 Alex Tutubalin <lexa@lexa.ru>
+ * Fixed possible out of bound access in Kodak 6500 loader
+
2017-09-12 Alex Tutubalin <lexa@lexa.ru>
- * Fix for possible heap overrun in Canon makernotes parser
+ * CVE-2017-14348: Fix for possible heap overrun in Canon makernotes parser
+ Credit: Henri Salo from Nixu Corporation
* LibRaw 0.18.4
2017-09-09 Alex Tutubalin <lexa@lexa.ru>
diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
index 18bcdbcb..8fb2b073 100644
--- a/internal/dcraw_common.cpp
+++ b/internal/dcraw_common.cpp
@@ -3240,8 +3240,15 @@ void CLASS kodak_65000_load_raw()
len = MIN (256, width-col);
ret = kodak_65000_decode (buf, len);
for (i=0; i < len; i++)
- if ((RAW(row,col+i) = curve[ret ? buf[i] :
- (pred[i & 1] += buf[i])]) >> 12) derror();
+ {
+ int idx = ret ? buf[i] : (pred[i & 1] += buf[i]);
+ if(idx >=0 && idx <= 0xffff)
+ {
+ if ((RAW(row,col+i) = curve[idx]) >> 12) derror();
+ }
+ else
+ derror();
+ }
}
}
}
--- LibRaw-0.18.4/dcraw/dcraw.c~ 2017-09-15 09:17:55.000000000 -0500
+++ LibRaw-0.18.4/dcraw/dcraw.c 2017-09-15 09:20:29.532287605 -0500
@@ -2589,8 +2589,16 @@
len = MIN (256, width-col);
ret = kodak_65000_decode (buf, len);
for (i=0; i < len; i++)
- if ((RAW(row,col+i) = curve[ret ? buf[i] :
- (pred[i & 1] += buf[i])]) >> 12) derror();
+ {
+ int idx = ret ? buf[i] : (pred[i & 1] += buf[i]);
+ if(idx >=0 && idx <= 0xffff)
+ {
+ if ((RAW(row,col+i) = curve[idx]) >> 12) derror();
+ }
+ else
+ derror();
+ }
+
}
}
Reference in New Issue View Git Blame Copy Permalink