Fix CVE-2018-19655

dcraw-CVE-2018-19655.patch

@@ -0,0 +1,39 @@
+Author: Filip Hroch <hroch@physics.muni.cz>
+Description: stack-based buffer overflow bug
+--- a/dcraw.c
++++ b/dcraw.c
+@@ -8345,9 +8345,15 @@
+ {
+   UINT64 bitbuf=0;
+   int vbits, col, i, c;
+-  ushort img[2][2064];
++  ushort *img;
+   double sum[]={0,0};
+ 
++#define IMG2D(row,col) \
++  img[(row)*width+(col)]
++
++  img = (ushort *) malloc(2*width*sizeof(ushort));
++  merror (img, "find_green()");
++
+   FORC(2) {
+     fseek (ifp, c ? off1:off0, SEEK_SET);
+     for (vbits=col=0; col < width; col++) {
+@@ -8356,13 +8362,14 @@
+ 	for (i=0; i < bite; i+=8)
+ 	  bitbuf |= (unsigned) (fgetc(ifp) << i);
+       }
+-      img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps);
++      IMG2D(c,col) = bitbuf << (64-bps-vbits) >> (64-bps);
+     }
+   }
+   FORC(width-1) {
+-    sum[ c & 1] += ABS(img[0][c]-img[1][c+1]);
+-    sum[~c & 1] += ABS(img[1][c]-img[0][c+1]);
++    sum[ c & 1] += ABS(IMG2D(0,c)-IMG2D(1,c+1));
++    sum[~c & 1] += ABS(IMG2D(1,c)-IMG2D(0,c+1));
+   }
++  free(img);
+   return 100 * log(sum[0]/sum[1]);
+ }
+ 

dcraw.spec

@@ -1,7 +1,7 @@
 Summary: Tool for decoding raw image data from digital cameras
 Name: dcraw
 Version: 9.28.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 URL: http://www.dechifro.org/dcraw/
 Source0: http://www.dechifro.org/dcraw/archive/dcraw-%{version}.tar.gz
@@ -9,6 +9,7 @@ Patch0: dcraw-9.21-lcms2-error-reporting.patch
 Patch1: dcraw-CVE-2018-5801.patch
 Patch2: dcraw-CVE-2017-13735.patch
 Patch3: dcraw-CVE-2017-14608.patch
+Patch4: dcraw-CVE-2018-19655.patch
 BuildRequires: gcc
 BuildRequires: gettext
 BuildRequires: libjpeg-devel
@@ -68,6 +69,9 @@ done
 %{_mandir}/man1/*
 
 %changelog
+* Fri Mar 20 2020 Josef Ridky <jridky@redhat.com> - 9.28.0-9
+- Fix CVE-2018-19655
+
 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 9.28.0-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild