rpms/dcraw
7
0
Fork 0
Code Issues Pull Requests Releases Activity

avoid writing past array boundaries when reading...

Browse Source 
certain raw formats (CVE-2015-3885)
This commit is contained in:
Nils Philippsen 2015-05-20 17:17:49 +02:00
parent bee95637be
commit 8ea08bcb70
2 changed files with 48 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
dcraw-9.25.0-CVE-2015-3885.patch Normal file
View File

@ -0,0 +1,44 @@
From 2142684a57224b0093d5cb29de0eed48b32e4452 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Tue, 19 May 2015 11:36:57 +0200
Subject: [PATCH] CVE-2015-3885: avoid overflowing array
When reading raw image files containing lossless JPEG data, headers
could be manipulated to make the signed int variable 'len' negative
which specifies how much actual data follows. Interpreted as unsigned,
this could lead to reading file data past the 64k boundary of the array
used for storing it. To avoid that, make 'len' unsigned short, and bail
out early if its value would become invalid (i.e. <= 0).
---
dcraw.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/dcraw.c b/dcraw.c
index cc7f764..532840d 100644
--- a/dcraw.c
+++ b/dcraw.c
@@ -824,7 +824,8 @@ struct jhead {
int CLASS ljpeg_start (struct jhead *jh, int info_only)
{
- int c, tag, len;
+ int c, tag;
+ ushort len;
uchar data[0x10000];
const uchar *dp;
@@ -835,8 +836,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
do {
fread (data, 2, 2, ifp);
tag = data[0] << 8 | data[1];
- len = (data[2] << 8 | data[3]) - 2;
- if (tag <= 0xff00) return 0;
+ len = (data[2] << 8 | data[3]);
+ if (tag <= 0xff00 || len <= 2) return 0;
+ len -= 2;
fread (data, 1, len, ifp);
switch (tag) {
case 0xffc3:
--
2.4.1

4
dcraw.spec
View File

@ -8,6 +8,7 @@ URL: http://cybercom.net/~dcoffin/dcraw
Source0: http://cybercom.net/~dcoffin/dcraw/archive/dcraw-%{version}.tar.gz Source0: http://cybercom.net/~dcoffin/dcraw/archive/dcraw-%{version}.tar.gz
Patch0: dcraw-9.25.0-CVE-2013-1438.patch Patch0: dcraw-9.25.0-CVE-2013-1438.patch
Patch1: dcraw-9.21-lcms2-error-reporting.patch Patch1: dcraw-9.21-lcms2-error-reporting.patch
Patch2: dcraw-9.25.0-CVE-2015-3885.patch
BuildRequires: gettext BuildRequires: gettext
BuildRequires: libjpeg-devel BuildRequires: libjpeg-devel
BuildRequires: lcms2-devel BuildRequires: lcms2-devel
@ -22,6 +23,7 @@ downloaded from digital cameras.
%setup -q -n dcraw %setup -q -n dcraw
%patch0 -p1 -b .CVE-2013-1438 %patch0 -p1 -b .CVE-2013-1438
%patch1 -p1 -b .lcms2-error-reporting %patch1 -p1 -b .lcms2-error-reporting
%patch2 -p1 -b .CVE-2015-3885
%build %build
gcc %optflags \ gcc %optflags \
@ -75,6 +77,8 @@ rm -rf %buildroot
* Wed May 20 2015 Nils Philippsen <nils@redhat.com> - 9.25.0-1 * Wed May 20 2015 Nils Philippsen <nils@redhat.com> - 9.25.0-1
- version 9.25.0 - version 9.25.0
- remove unnecessary check from CVE-2013-1438 patch - remove unnecessary check from CVE-2013-1438 patch
- avoid writing past array boundaries when reading certain raw formats
(CVE-2015-3885)
* Wed Apr 08 2015 Nils Philippsen <nils@redhat.com> - 9.24.4-1 * Wed Apr 08 2015 Nils Philippsen <nils@redhat.com> - 9.24.4-1
- version 9.24.4 - version 9.24.4