8ea08bcb70
certain raw formats (CVE-2015-3885)
From 2142684a57224b0093d5cb29de0eed48b32e4452 Mon Sep 17 00:00:00 2001
|
|
From: Nils Philippsen <nils@redhat.com>
|
|
Date: Tue, 19 May 2015 11:36:57 +0200
|
|
Subject: [PATCH] CVE-2015-3885: avoid overflowing array
|
|
|
|
When reading raw image files containing lossless JPEG data, headers
|
|
could be manipulated to make the signed int variable 'len' negative
|
|
which specifies how much actual data follows. Interpreted as unsigned,
|
|
this could lead to reading file data past the 64k boundary of the array
|
|
used for storing it. To avoid that, make 'len' unsigned short, and bail
|
|
out early if its value would become invalid (i.e. <= 0).
|
|
---
|
|
dcraw.c | 8 +++++---
|
|
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/dcraw.c b/dcraw.c
|
|
index cc7f764..532840d 100644
|
|
--- a/dcraw.c
|
|
+++ b/dcraw.c
|
|
@@ -824,7 +824,8 @@ struct jhead {
|
|
|
|
int CLASS ljpeg_start (struct jhead *jh, int info_only)
|
|
{
|
|
- int c, tag, len;
|
|
+ int c, tag;
|
|
+ ushort len;
|
|
uchar data[0x10000];
|
|
const uchar *dp;
|
|
|
|
@@ -835,8 +836,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
|
|
do {
|
|
fread (data, 2, 2, ifp);
|
|
tag = data[0] << 8 | data[1];
|
|
- len = (data[2] << 8 | data[3]) - 2;
|
|
- if (tag <= 0xff00) return 0;
|
|
+ len = (data[2] << 8 | data[3]);
|
|
+ if (tag <= 0xff00 || len <= 2) return 0;
|
|
+ len -= 2;
|
|
fread (data, 1, len, ifp);
|
|
switch (tag) {
|
|
case 0xffc3:
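Review bot: The `fread (data, 1, len, ifp)` that follows the new `len -= 2` still ignores its return value, so on a truncated file the tail of `data` keeps whatever stale or uninitialized stack bytes were there and the `switch` below parses them as marker payload. The new `ushort` bound keeps the read inside the 0x10000-byte array, but it does not check that the bytes actually arrived; I would change the line to `if (fread (data, 1, len, ifp) != len) return 0;`, consistent with how the `tag`/`len` sanity check above already bails out. The 4-byte `fread (data, 2, 2, ifp)` at the top of the loop has the same gap, and a short read there is what lets `tag` and `len` be computed from leftover bytes. The `switch` body and the loop's `while` condition of `ljpeg_start` continue outside the hunk.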
|
|
--
|
|
2.4.1
|
|
|