40 lines
1006 B
Diff
40 lines
1006 B
Diff
Author: Filip Hroch <hroch@physics.muni.cz>
|
|
Description: stack-based buffer overflow bug
|
|
--- a/dcraw.c
|
|
+++ b/dcraw.c
|
|
@@ -8345,9 +8345,15 @@
|
|
{
|
|
UINT64 bitbuf=0;
|
|
int vbits, col, i, c;
|
|
- ushort img[2][2064];
|
|
+ ushort *img;
|
|
double sum[]={0,0};
|
|
|
|
+#define IMG2D(row,col) \
|
|
+ img[(row)*width+(col)]
|
|
+
|
|
+ img = (ushort *) malloc(2*width*sizeof(ushort));
|
|
+ merror (img, "find_green()");
|
|
+
|
|
FORC(2) {
|
|
fseek (ifp, c ? off1:off0, SEEK_SET);
|
|
for (vbits=col=0; col < width; col++) {
|
|
@@ -8356,13 +8362,14 @@
|
|
for (i=0; i < bite; i+=8)
|
|
bitbuf |= (unsigned) (fgetc(ifp) << i);
|
|
}
|
|
- img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps);
|
|
+ IMG2D(c,col) = bitbuf << (64-bps-vbits) >> (64-bps);
|
|
}
|
|
}
|
|
FORC(width-1) {
|
|
- sum[ c & 1] += ABS(img[0][c]-img[1][c+1]);
|
|
- sum[~c & 1] += ABS(img[1][c]-img[0][c+1]);
|
|
+ sum[ c & 1] += ABS(IMG2D(0,c)-IMG2D(1,c+1));
|
|
+ sum[~c & 1] += ABS(IMG2D(1,c)-IMG2D(0,c+1));
|
|
}
|
|
+ free(img);
|
|
return 100 * log(sum[0]/sum[1]);
|
|
}
|
|
|