From 2142684a57224b0093d5cb29de0eed48b32e4452 Mon Sep 17 00:00:00 2001
From: Nils Philippsen
Date: Tue, 19 May 2015 11:36:57 +0200
Subject: [PATCH] CVE-2015-3885: avoid overflowing array
When reading raw image files containing lossless JPEG data, headers could be manipulated to make the signed int variable 'len' negative which specifies how much actual data follows. Interpreted as unsigned, this could lead to reading file data past the 64k boundary of the array used for storing it. To avoid that, make 'len' unsigned short, and bail out early if its value would become invalid (i.e. <= 0).
---
dcraw.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/dcraw.c b/dcraw.c
index cc7f764..532840d 100644
--- a/dcraw.c
+++ b/dcraw.c
@@ -824,7 +824,8 @@ struct jhead {
 int CLASS ljpeg_start (struct jhead *jh, int info_only)
 {
- int c, tag, len;
+ int c, tag;
+ ushort len;
  uchar data[0x10000];
  const uchar *dp;
@@ -835,8 +836,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
  do {
  fread (data, 2, 2, ifp);
  tag = data[0] << 8 | data[1];
- len = (data[2] << 8 | data[3]) - 2;
- if (tag <= 0xff00) return 0;
+ len = (data[2] << 8 | data[3]);
+ if (tag <= 0xff00 || len <= 2) return 0;
+ len -= 2;
  fread (data, 1, len, ifp);
  switch (tag) {
  case 0xffc3:
-- 
2.4.1
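Review bot: Both fread() calls in the second hunk still discard their return value, so the new `len <= 2` guard only covers a well-formed header: on a short or truncated read, tag and len on the following lines are computed from whatever data[] already held (the array is declared without an initializer in the first hunk, and later iterations see the previous segment), and the segment parsing after the switch then runs over up to len stale bytes. Checking the counts closes that path: `if (fread (data, 2, 2, ifp) != 2) return 0;` and `if (fread (data, 1, len, ifp) != len) return 0;`. The switch body and the rest of ljpeg_start continue outside the hunk, so I cannot see whether a later check already rejects a truncated segment; if it does, a one-line comment at the second fread saying so would save the next reader the same question.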