version 9.27.0
This commit is contained in:
Nils Philippsen
parent
f444fd52a8
commit
44446103e6
1
.gitignore
vendored
1
.gitignore
vendored
@ -16,3 +16,4 @@ dcraw-9.04.tar.gz
|
||||
/dcraw-9.23.0.tar.gz
|
||||
/dcraw-9.24.4.tar.gz
|
||||
/dcraw-9.25.0.tar.gz
|
||||
/dcraw-9.27.0.tar.gz
|
||||
|
||||
@ -1,101 +0,0 @@
|
||||
From 16a638f66b5a6d5c6e83e817db58a92cfe9f62b6 Mon Sep 17 00:00:00 2001
|
||||
From: Nils Philippsen <nils@redhat.com>
|
||||
Date: Tue, 19 May 2015 14:58:47 +0200
|
||||
Subject: [PATCH] CVE-2013-1438: fix various security issues
|
||||
|
||||
This fixes division by zero, infinite loop, and null pointer dereference
|
||||
bugs. Ported from Alex Tutubalin's fix in LibRaw (commit
|
||||
9ae25d8c3a6bfb40c582538193264f74c9b93bc0).
|
||||
|
||||
Don't check 'huff' at the beginning of ljpeg_diff() because it can never
|
||||
be NULL the way it is called elsewhere in the program.
|
||||
---
|
||||
dcraw.c | 30 +++++++++++++++++++++---------
|
||||
1 file changed, 21 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/dcraw.c b/dcraw.c
|
||||
index cc7f764..22e0bb5 100644
|
||||
--- a/dcraw.c
|
||||
+++ b/dcraw.c
|
||||
@@ -939,6 +939,8 @@ void CLASS lossless_jpeg_load_raw()
|
||||
ushort *rp;
|
||||
|
||||
if (!ljpeg_start (&jh, 0)) return;
|
||||
+ if (jh.wide < 1 || jh.high < 1 || jh.clrs < 1 || jh.bits < 1)
|
||||
+ longjmp (failure, 2);
|
||||
jwide = jh.wide * jh.clrs;
|
||||
|
||||
for (jrow=0; jrow < jh.high; jrow++) {
|
||||
@@ -958,6 +960,8 @@ void CLASS lossless_jpeg_load_raw()
|
||||
}
|
||||
if (raw_width == 3984 && (col -= 2) < 0)
|
||||
col += (row--,raw_width);
|
||||
+ if (row > raw_height)
|
||||
+ longjmp (failure, 3);
|
||||
if ((unsigned) row < raw_height) RAW(row,col) = val;
|
||||
if (++col >= raw_width)
|
||||
col = (row++,0);
|
||||
@@ -5783,6 +5787,7 @@ int CLASS parse_tiff_ifd (int base)
|
||||
data_offset = get4()+base;
|
||||
ifd++; break;
|
||||
}
|
||||
+ if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
|
||||
while (len--) {
|
||||
i = ftell(ifp);
|
||||
fseek (ifp, get4()+base, SEEK_SET);
|
||||
@@ -6010,7 +6015,7 @@ guess_cfa_pc:
|
||||
break;
|
||||
case 50715: /* BlackLevelDeltaH */
|
||||
case 50716: /* BlackLevelDeltaV */
|
||||
- for (num=i=0; i < len; i++)
|
||||
+ for (num=i=0; i < len && i < 65536; i++)
|
||||
num += getreal(type);
|
||||
black += num/len + 0.5;
|
||||
break;
|
||||
@@ -6135,9 +6140,13 @@ void CLASS apply_tiff()
|
||||
if (thumb_offset) {
|
||||
fseek (ifp, thumb_offset, SEEK_SET);
|
||||
if (ljpeg_start (&jh, 1)) {
|
||||
- thumb_misc = jh.bits;
|
||||
- thumb_width = jh.wide;
|
||||
- thumb_height = jh.high;
|
||||
+ if ((unsigned)jh.bits < 17 && (unsigned)jh.wide < 0x10000 &&
|
||||
+ (unsigned)jh.high < 0x10000)
|
||||
+ {
|
||||
+ thumb_misc = jh.bits;
|
||||
+ thumb_width = jh.wide;
|
||||
+ thumb_height = jh.high;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
for (i=0; i < tiff_nifds; i++) {
|
||||
@@ -6145,8 +6154,9 @@ void CLASS apply_tiff()
|
||||
max_samp = tiff_ifd[i].samples;
|
||||
if (max_samp > 3) max_samp = 3;
|
||||
if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
|
||||
- (tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 &&
|
||||
- tiff_ifd[i].width*tiff_ifd[i].height > raw_width*raw_height) {
|
||||
+ (tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 &&
|
||||
+ (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
|
||||
+ tiff_ifd[i].width*tiff_ifd[i].height > raw_width*raw_height) {
|
||||
raw_width = tiff_ifd[i].width;
|
||||
raw_height = tiff_ifd[i].height;
|
||||
tiff_bps = tiff_ifd[i].bps;
|
||||
@@ -6240,9 +6250,11 @@ void CLASS apply_tiff()
|
||||
is_raw = 0;
|
||||
for (i=0; i < tiff_nifds; i++)
|
||||
if (i != raw && tiff_ifd[i].samples == max_samp &&
|
||||
- tiff_ifd[i].width * tiff_ifd[i].height / (SQR(tiff_ifd[i].bps)+1) >
|
||||
- thumb_width * thumb_height / (SQR(thumb_misc)+1)
|
||||
- && tiff_ifd[i].comp != 34892) {
|
||||
+ tiff_ifd[i].bps > 0 && tiff_ifd[i].bps < 33 &&
|
||||
+ ((unsigned)(tiff_ifd[i].width | tiff_ifd[i].height)) < 0x10000 &&
|
||||
+ tiff_ifd[i].width * tiff_ifd[i].height / (SQR(tiff_ifd[i].bps)+1) >
|
||||
+ thumb_width * thumb_height / (SQR(thumb_misc)+1)
|
||||
+ && tiff_ifd[i].comp != 34892) {
|
||||
thumb_width = tiff_ifd[i].width;
|
||||
thumb_height = tiff_ifd[i].height;
|
||||
thumb_offset = tiff_ifd[i].offset;
|
||||
--
|
||||
2.4.1
|
||||
|
||||
@ -1,44 +0,0 @@
|
||||
From 2142684a57224b0093d5cb29de0eed48b32e4452 Mon Sep 17 00:00:00 2001
|
||||
From: Nils Philippsen <nils@redhat.com>
|
||||
Date: Tue, 19 May 2015 11:36:57 +0200
|
||||
Subject: [PATCH] CVE-2015-3885: avoid overflowing array
|
||||
|
||||
When reading raw image files containing lossless JPEG data, headers
|
||||
could be manipulated to make the signed int variable 'len' negative
|
||||
which specifies how much actual data follows. Interpreted as unsigned,
|
||||
this could lead to reading file data past the 64k boundary of the array
|
||||
used for storing it. To avoid that, make 'len' unsigned short, and bail
|
||||
out early if its value would become invalid (i.e. <= 0).
|
||||
---
|
||||
dcraw.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/dcraw.c b/dcraw.c
|
||||
index cc7f764..532840d 100644
|
||||
--- a/dcraw.c
|
||||
+++ b/dcraw.c
|
||||
@@ -824,7 +824,8 @@ struct jhead {
|
||||
|
||||
int CLASS ljpeg_start (struct jhead *jh, int info_only)
|
||||
{
|
||||
- int c, tag, len;
|
||||
+ int c, tag;
|
||||
+ ushort len;
|
||||
uchar data[0x10000];
|
||||
const uchar *dp;
|
||||
|
||||
@@ -835,8 +836,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
|
||||
do {
|
||||
fread (data, 2, 2, ifp);
|
||||
tag = data[0] << 8 | data[1];
|
||||
- len = (data[2] << 8 | data[3]) - 2;
|
||||
- if (tag <= 0xff00) return 0;
|
||||
+ len = (data[2] << 8 | data[3]);
|
||||
+ if (tag <= 0xff00 || len <= 2) return 0;
|
||||
+ len -= 2;
|
||||
fread (data, 1, len, ifp);
|
||||
switch (tag) {
|
||||
case 0xffc3:
|
||||
--
|
||||
2.4.1
|
||||
|
||||
15
dcraw.spec
15
dcraw.spec
@ -1,14 +1,12 @@
|
||||
Summary: Tool for decoding raw image data from digital cameras
|
||||
Name: dcraw
|
||||
Version: 9.25.0
|
||||
Release: 4%{?dist}
|
||||
Version: 9.27.0
|
||||
Release: 1%{?dist}
|
||||
Group: Applications/Multimedia
|
||||
License: GPLv2+
|
||||
URL: http://cybercom.net/~dcoffin/dcraw
|
||||
Source0: http://cybercom.net/~dcoffin/dcraw/archive/dcraw-%{version}.tar.gz
|
||||
Patch0: dcraw-9.25.0-CVE-2013-1438.patch
|
||||
Patch1: dcraw-9.21-lcms2-error-reporting.patch
|
||||
Patch2: dcraw-9.25.0-CVE-2015-3885.patch
|
||||
Patch0: dcraw-9.21-lcms2-error-reporting.patch
|
||||
BuildRequires: gettext
|
||||
BuildRequires: libjpeg-devel
|
||||
BuildRequires: lcms2-devel
|
||||
@ -21,9 +19,7 @@ downloaded from digital cameras.
|
||||
|
||||
%prep
|
||||
%setup -q -n dcraw
|
||||
%patch0 -p1 -b .CVE-2013-1438
|
||||
%patch1 -p1 -b .lcms2-error-reporting
|
||||
%patch2 -p1 -b .CVE-2015-3885
|
||||
%patch0 -p1 -b .lcms2-error-reporting
|
||||
|
||||
%build
|
||||
gcc %optflags \
|
||||
@ -70,6 +66,9 @@ done
|
||||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Thu Jun 09 2016 Nils Philippsen <nils@redhat.com> - 9.27.0
|
||||
- version 9.27.0
|
||||
|
||||
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 9.25.0-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user