From 44446103e6a2f55ce53ea6cd3a8f3aa0e20e1d8e Mon Sep 17 00:00:00 2001
From: Nils Philippsen
Date: Thu, 9 Jun 2016 12:04:54 +0200
Subject: [PATCH] version 9.27.0
---
 .gitignore | 1 +
 dcraw-9.25.0-CVE-2013-1438.patch | 101 -------------------------------
 dcraw-9.25.0-CVE-2015-3885.patch | 44 --------------
 dcraw.spec | 15 +++--
 sources | 2 +-
 5 files changed, 9 insertions(+), 154 deletions(-)
 delete mode 100644 dcraw-9.25.0-CVE-2013-1438.patch
 delete mode 100644 dcraw-9.25.0-CVE-2015-3885.patch
diff --git a/.gitignore b/.gitignore
index 55e0428..4803065 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,4 @@ dcraw-9.04.tar.gz
 /dcraw-9.23.0.tar.gz
 /dcraw-9.24.4.tar.gz
 /dcraw-9.25.0.tar.gz
+/dcraw-9.27.0.tar.gz
diff --git a/dcraw-9.25.0-CVE-2013-1438.patch b/dcraw-9.25.0-CVE-2013-1438.patch
deleted file mode 100644
index 53188b6..0000000
--- a/dcraw-9.25.0-CVE-2013-1438.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 16a638f66b5a6d5c6e83e817db58a92cfe9f62b6 Mon Sep 17 00:00:00 2001
-From: Nils Philippsen
-Date: Tue, 19 May 2015 14:58:47 +0200
-Subject: [PATCH] CVE-2013-1438: fix various security issues
-
-This fixes division by zero, infinite loop, and null pointer dereference
-bugs. Ported from Alex Tutubalin's fix in LibRaw (commit
-9ae25d8c3a6bfb40c582538193264f74c9b93bc0).
-
-Don't check 'huff' at the beginning of ljpeg_diff() because it can never
-be NULL the way it is called elsewhere in the program.
----
- dcraw.c | 30 +++++++++++++++++++++---------
- 1 file changed, 21 insertions(+), 9 deletions(-)
-
-diff --git a/dcraw.c b/dcraw.c
-index cc7f764..22e0bb5 100644
---- a/dcraw.c
-+++ b/dcraw.c
-@@ -939,6 +939,8 @@ void CLASS lossless_jpeg_load_raw()
- ushort *rp;
-
- if (!ljpeg_start (&jh, 0)) return;
-+ if (jh.wide < 1 || jh.high < 1 || jh.clrs < 1 || jh.bits < 1)
-+ longjmp (failure, 2);
- jwide = jh.wide * jh.clrs;
-
- for (jrow=0; jrow < jh.high; jrow++) {
-@@ -958,6 +960,8 @@ void CLASS lossless_jpeg_load_raw()
- }
- if (raw_width == 3984 && (col -= 2) < 0)
- col += (row--,raw_width);
-+ if (row > raw_height)
-+ longjmp (failure, 3);
- if ((unsigned) row < raw_height) RAW(row,col) = val;
- if (++col >= raw_width)
- col = (row++,0);
-@@ -5783,6 +5787,7 @@ int CLASS parse_tiff_ifd (int base)
- data_offset = get4()+base;
- ifd++; break;
- }
-+ if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
- while (len--) {
- i = ftell(ifp);
- fseek (ifp, get4()+base, SEEK_SET);
-@@ -6010,7 +6015,7 @@ guess_cfa_pc:
- break;
- case 50715: /* BlackLevelDeltaH */
- case 50716: /* BlackLevelDeltaV */
-- for (num=i=0; i < len; i++)
-+ for (num=i=0; i < len && i < 65536; i++)
- num += getreal(type);
- black += num/len + 0.5;
- break;
-@@ -6135,9 +6140,13 @@ void CLASS apply_tiff()
- if (thumb_offset) {
- fseek (ifp, thumb_offset, SEEK_SET);
- if (ljpeg_start (&jh, 1)) {
-- thumb_misc = jh.bits;
-- thumb_width = jh.wide;
-- thumb_height = jh.high;
-+ if ((unsigned)jh.bits < 17 && (unsigned)jh.wide < 0x10000 &&
-+ (unsigned)jh.high < 0x10000)
-+ {
-+ thumb_misc = jh.bits;
-+ thumb_width = jh.wide;
-+ thumb_height = jh.high;
-+ }
- }
- }
- for (i=0; i < tiff_nifds; i++) {
-@@ -6145,8 +6154,9 @@ void CLASS apply_tiff()
- max_samp = tiff_ifd[i].samples;
- if (max_samp > 3) max_samp = 3;
- if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
-- (tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 &&
-- tiff_ifd[i].width*tiff_ifd[i].height > raw_width*raw_height) {
-+ (tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 &&
-+ (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
-+ tiff_ifd[i].width*tiff_ifd[i].height > raw_width*raw_height) {
- raw_width = tiff_ifd[i].width;
- raw_height = tiff_ifd[i].height;
- tiff_bps = tiff_ifd[i].bps;
-@@ -6240,9 +6250,11 @@ void CLASS apply_tiff()
- is_raw = 0;
- for (i=0; i < tiff_nifds; i++)
- if (i != raw && tiff_ifd[i].samples == max_samp &&
-- tiff_ifd[i].width * tiff_ifd[i].height / (SQR(tiff_ifd[i].bps)+1) >
-- thumb_width * thumb_height / (SQR(thumb_misc)+1)
-- && tiff_ifd[i].comp != 34892) {
-+ tiff_ifd[i].bps > 0 && tiff_ifd[i].bps < 33 &&
-+ ((unsigned)(tiff_ifd[i].width | tiff_ifd[i].height)) < 0x10000 &&
-+ tiff_ifd[i].width * tiff_ifd[i].height / (SQR(tiff_ifd[i].bps)+1) >
-+ thumb_width * thumb_height / (SQR(thumb_misc)+1)
-+ && tiff_ifd[i].comp != 34892) {
- thumb_width = tiff_ifd[i].width;
- thumb_height = tiff_ifd[i].height;
- thumb_offset = tiff_ifd[i].offset;
---
-2.4.1
-
diff --git a/dcraw-9.25.0-CVE-2015-3885.patch b/dcraw-9.25.0-CVE-2015-3885.patch
deleted file mode 100644
index 502e69a..0000000
--- a/dcraw-9.25.0-CVE-2015-3885.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 2142684a57224b0093d5cb29de0eed48b32e4452 Mon Sep 17 00:00:00 2001
-From: Nils Philippsen
-Date: Tue, 19 May 2015 11:36:57 +0200
-Subject: [PATCH] CVE-2015-3885: avoid overflowing array
-
-When reading raw image files containing lossless JPEG data, headers
-could be manipulated to make the signed int variable 'len' negative
-which specifies how much actual data follows. Interpreted as unsigned,
-this could lead to reading file data past the 64k boundary of the array
-used for storing it. To avoid that, make 'len' unsigned short, and bail
-out early if its value would become invalid (i.e. <= 0).
----
- dcraw.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/dcraw.c b/dcraw.c
-index cc7f764..532840d 100644
---- a/dcraw.c
-+++ b/dcraw.c
-@@ -824,7 +824,8 @@ struct jhead {
-
- int CLASS ljpeg_start (struct jhead *jh, int info_only)
- {
-- int c, tag, len;
-+ int c, tag;
-+ ushort len;
- uchar data[0x10000];
- const uchar *dp;
-
-@@ -835,8 +836,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
- do {
- fread (data, 2, 2, ifp);
- tag = data[0] << 8 | data[1];
-- len = (data[2] << 8 | data[3]) - 2;
-- if (tag <= 0xff00) return 0;
-+ len = (data[2] << 8 | data[3]);
-+ if (tag <= 0xff00 || len <= 2) return 0;
-+ len -= 2;
- fread (data, 1, len, ifp);
- switch (tag) {
- case 0xffc3:
---
-2.4.1
-
diff --git a/dcraw.spec b/dcraw.spec
index 398e8c7..d4d6e46 100644
--- a/dcraw.spec
+++ b/dcraw.spec
@@ -1,14 +1,12 @@
 Summary: Tool for decoding raw image data from digital cameras
 Name: dcraw
-Version: 9.25.0
-Release: 4%{?dist}
+Version: 9.27.0
+Release: 1%{?dist}
 Group: Applications/Multimedia
 License: GPLv2+
 URL: http://cybercom.net/~dcoffin/dcraw
 Source0: http://cybercom.net/~dcoffin/dcraw/archive/dcraw-%{version}.tar.gz
-Patch0: dcraw-9.25.0-CVE-2013-1438.patch
-Patch1: dcraw-9.21-lcms2-error-reporting.patch
-Patch2: dcraw-9.25.0-CVE-2015-3885.patch
+Patch0: dcraw-9.21-lcms2-error-reporting.patch
 BuildRequires: gettext
 BuildRequires: libjpeg-devel
 BuildRequires: lcms2-devel
@@ -21,9 +19,7 @@ downloaded from digital cameras.
 %prep
 %setup -q -n dcraw
-%patch0 -p1 -b .CVE-2013-1438
-%patch1 -p1 -b .lcms2-error-reporting
-%patch2 -p1 -b .CVE-2015-3885
+%patch0 -p1 -b .lcms2-error-reporting
 %build
 gcc %optflags \
@@ -70,6 +66,9 @@ done
 %{_mandir}/man1/*
 %changelog
+* Thu Jun 09 2016 Nils Philippsen - 9.27.0
+- version 9.27.0
+
 * Wed Feb 03 2016 Fedora Release Engineering - 9.25.0-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
diff --git a/sources b/sources
index a108596..5c770b0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-92fdbd7fdc73fefd8baa9394be59898d dcraw-9.25.0.tar.gz
+87ca3ec9d4e882f0d2250fed61b3326f dcraw-9.27.0.tar.gz
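Review bot: The `%prep` hunk of dcraw.spec stops applying `dcraw-9.25.0-CVE-2013-1438.patch` and `dcraw-9.25.0-CVE-2015-3885.patch`, yet neither the commit message nor the new `%changelog` entry says why the two security patches are dropped. Presumably the 9.27.0 tarball already contains equivalent fixes, but that is not visible in this commit and should be confirmed against the new dcraw.c: the header sanity checks in lossless_jpeg_load_raw(), the bounds added in parse_tiff_ifd() and apply_tiff(), and the length check in ljpeg_start(). Once confirmed, record it in the changelog, for example `- drop CVE-2013-1438 and CVE-2015-3885 patches (fixed upstream)`, so the removal stays traceable. The new tarball is also pinned in `sources` by what looks like an MD5 digest while `Source0` is a plain-http URL, so its integrity rests on a weak hash; compare the archive against a stronger digest from upstream if one is available.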