avoid writing past array boundaries when reading certain raw formats (CVE-2015-3885)
parent
bee95637be
commit
8ea08bcb70
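--- /dev/null
+++ b/dcraw-9.25.0-CVE-2015-3885.patch
@@ -0,0 +1,44 @@
+From 2142684a57224b0093d5cb29de0eed48b32e4452 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Tue, 19 May 2015 11:36:57 +0200
+Subject: [PATCH] CVE-2015-3885: avoid overflowing array
+
+When reading raw image files containing lossless JPEG data, headers
+could be manipulated to make the signed int variable 'len' negative
+which specifies how much actual data follows. Interpreted as unsigned,
+this could lead to reading file data past the 64k boundary of the array
+used for storing it. To avoid that, make 'len' unsigned short, and bail
+out early if its value would become invalid (i.e. <= 0).
+---
+dcraw.c | 8 +++++---
+1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/dcraw.c b/dcraw.c
+index cc7f764..532840d 100644
+--- a/dcraw.c
++++ b/dcraw.c
+@@ -824,7 +824,8 @@ struct jhead {
+
+int CLASS ljpeg_start (struct jhead *jh, int info_only)
+{
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+uchar data[0x10000];
+const uchar *dp;
+
+@@ -835,8 +836,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+do {
+fread (data, 2, 2, ifp);
+tag = data[0] << 8 | data[1];
+- len = (data[2] << 8 | data[3]) - 2;
+- if (tag <= 0xff00) return 0;
++ len = (data[2] << 8 | data[3]);
++ if (tag <= 0xff00 || len <= 2) return 0;
++ len -= 2;
+fread (data, 1, len, ifp);
+switch (tag) {
+case 0xffc3:
+--
+2.4.1
+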
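Review bot: Both `fread` calls in the second hunk of the embedded dcraw.c patch still discard their return values, so on a truncated file `data` keeps whatever the previous segment left there (or, on the first pass through the loop, the contents of the uninitialized `uchar data[0x10000]` declared in the first hunk) and the following `switch (tag)` parses those bytes as though `len` of them had been read. The bounds fix itself holds: `len` is an unsigned 16-bit value, the `len <= 2` guard rejects the values that previously went negative, and after `len -= 2` it is at most 65533, inside the 0x10000-byte buffer. I would harden the same two lines while they are being touched: `if (fread (data, 2, 2, ifp) != 2) return 0;` and `if (fread (data, 1, len, ifp) != len) return 0;`. ljpeg_start continues past the end of the hunk, so whether later code copes with a partial segment cannot be judged from here.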
@ -8,6 +8,7 @@ URL: http://cybercom.net/~dcoffin/dcraw
|
||||
Source0: http://cybercom.net/~dcoffin/dcraw/archive/dcraw-%{version}.tar.gz
|
||||
Patch0: dcraw-9.25.0-CVE-2013-1438.patch
|
||||
Patch1: dcraw-9.21-lcms2-error-reporting.patch
|
||||
Patch2: dcraw-9.25.0-CVE-2015-3885.patch
|
||||
BuildRequires: gettext
|
||||
BuildRequires: libjpeg-devel
|
||||
BuildRequires: lcms2-devel
|
||||
@ -22,6 +23,7 @@ downloaded from digital cameras.
|
||||
%setup -q -n dcraw
|
||||
%patch0 -p1 -b .CVE-2013-1438
|
||||
%patch1 -p1 -b .lcms2-error-reporting
|
||||
%patch2 -p1 -b .CVE-2015-3885
|
||||
|
||||
%build
|
||||
gcc %optflags \
|
||||
@ -75,6 +77,8 @@ rm -rf %buildroot
|
||||
* Wed May 20 2015 Nils Philippsen <nils@redhat.com> - 9.25.0-1
|
||||
- version 9.25.0
|
||||
- remove unnecessary check from CVE-2013-1438 patch
|
||||
- avoid writing past array boundaries when reading certain raw formats
|
||||
(CVE-2015-3885)
|
||||
|
||||
* Wed Apr 08 2015 Nils Philippsen <nils@redhat.com> - 9.24.4-1
|
||||
- version 9.24.4
|
||||
|