1
Description: fix denial of service via crafted photo files
2
Origin: backport, https://github.com/LibRaw/LibRaw/commit/11909cc59e712e09b508dda729b99aeaac2b29ad
3
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721338
4
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721231
6
Index: libraw-0.15.3/internal/dcraw_common.cpp
7
===================================================================
8
--- libraw-0.15.3.orig/internal/dcraw_common.cpp 2013-07-03 23:27:57.000000000 -0400
9
+++ libraw-0.15.3/internal/dcraw_common.cpp 2013-09-20 11:53:03.231919077 -0400
14
+#ifdef LIBRAW_LIBRARY_BUILD
16
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
20
if (len == 16 && (!dng_version || dng_version >= 0x1010000))
27
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
29
len = bits._gethuff_lj(buf,*huff,huff+1);
30
if (len == 16 && (!dng_version || dng_version >= 0x1010000))
37
if (!ljpeg_start (&jh, 0)) return;
38
+#ifdef LIBRAW_LIBRARY_BUILD
39
+ if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
40
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
42
jwide = jh.wide * jh.clrs;
44
#ifdef LIBRAW_LIBRARY_BUILD
48
slices = slicesWcnt * jh.high;
50
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
52
offset = (unsigned*)calloc(slices+1,sizeof(offset[0]));
54
for(slice=0;slice<slices;slice++)
56
offset[slice] = (t_x + t_y * raw_width)| (t_s<<28);
57
if((offset[slice] & 0x0fffffff) >= raw_width * raw_height)
60
throw LIBRAW_EXCEPTION_IO_BADFILE;
67
if (0 == --pixelsInSlice)
72
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
74
unsigned o = offset[slice++];
75
pixno = o & 0x0fffffff;
76
pixelsInSlice = slicesW[o>>28];
82
+#ifdef LIBRAW_LIBRARY_BUILD
85
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
88
+ longjmp (failure, 3);
90
if (raw_width == 3984 && (col -= 2) < 0)
91
col += (row--,raw_width);
92
if (row >= 0) RAW(row,col) = val;
94
data_offset = get4()+base;
97
+ if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
100
fseek (ifp, get4()+base, SEEK_SET);
101
@@ -5353,7 +5386,7 @@
103
case 50715: /* BlackLevelDeltaH */
104
case 50716: /* BlackLevelDeltaV */
105
- for (num=i=0; i < len; i++)
106
+ for (num=i=0; i < len && i < 65536; i++)
107
num += getreal(type);
108
black += num/len + 0.5;
110
@@ -5486,9 +5519,12 @@
112
fseek (ifp, thumb_offset, SEEK_SET);
113
if (ljpeg_start (&jh, 1)) {
114
- thumb_misc = jh.bits;
115
- thumb_width = jh.wide;
116
- thumb_height = jh.high;
117
+ if((unsigned)jh.bits<17 && (unsigned)jh.wide < 0x10000 && (unsigned)jh.high < 0x10000)
119
+ thumb_misc = jh.bits;
120
+ thumb_width = jh.wide;
121
+ thumb_height = jh.high;
125
for (i=0; i < tiff_nifds; i++) {
126
@@ -5496,7 +5532,8 @@
127
max_samp = tiff_ifd[i].samples;
128
if (max_samp > 3) max_samp = 3;
129
if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
130
- (tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
131
+ unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
132
+ (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
133
tiff_ifd[i].t_width*tiff_ifd[i].t_height > raw_width*raw_height) {
134
raw_width = tiff_ifd[i].t_width;
135
raw_height = tiff_ifd[i].t_height;
136
@@ -5583,6 +5620,8 @@
138
for (i=0; i < tiff_nifds; i++)
139
if (i != raw && tiff_ifd[i].samples == max_samp &&
140
+ tiff_ifd[i].bps>0 && tiff_ifd[i].bps < 33 &&
141
+ unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
142
tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) >
143
thumb_width * thumb_height / SQR(thumb_misc+1)
144
&& tiff_ifd[i].comp != 34892) {
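Review bot: In the BlackLevelDeltaH/BlackLevelDeltaV case the loop is now capped with `i < len && i < 65536`, but the following line still divides by `len`. For a tag count above 65536 the average is therefore taken over more entries than were read, and a count of 0 still reaches the division. After the loop `i` holds the number of values actually summed, so `if (i) black += num/i + 0.5;` keeps the sum and the divisor consistent and skips the empty case. The declarations of `num` and `black` and the rest of the case body lie outside the hunk, so the exact effect of the zero case (NaN conversion or integer fault) should be confirmed against the full function.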
145
Index: libraw-0.15.3/src/libraw_datastream.cpp
146
===================================================================
147
--- libraw-0.15.3.orig/src/libraw_datastream.cpp 2013-07-03 23:26:01.000000000 -0400
148
+++ libraw-0.15.3/src/libraw_datastream.cpp 2013-09-20 11:53:03.231919077 -0400
151
LibRaw_byte_buffer *LibRaw_abstract_datastream::make_byte_buffer(unsigned int sz)
153
+ if(INT64(sz)>size())
154
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
156
LibRaw_byte_buffer *ret = new LibRaw_byte_buffer(sz);
157
+ if(!ret) // failed new should throw std::exception
158
+ throw LIBRAW_EXCEPTION_ALLOC;
159
read(ret->get_buffer(),sz,1);
164
LibRaw_byte_buffer *LibRaw_buffer_datastream::make_byte_buffer(unsigned int sz)
166
+ if(INT64(sz)>size())
167
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
169
LibRaw_byte_buffer *ret = new LibRaw_byte_buffer(0);
170
+ if(!ret) // failed new should throw std::exception
171
+ throw LIBRAW_EXCEPTION_ALLOC;
172
if(streampos + sz > streamsize)
173
sz = streamsize - streampos;
174
ret->set_buffer(buf+streampos,sz);
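Review bot: The added `if(!ret)` checks in both make_byte_buffer bodies cannot fire, because a plain `new` reports failure by throwing `std::bad_alloc` rather than returning null, as the inline comment itself notes. An allocation failure on an oversized request therefore surfaces as a different exception type than `LIBRAW_EXCEPTION_ALLOC`. Either allocate with `new (std::nothrow) LibRaw_byte_buffer(sz)` (which needs `<new>`) so the check is live, or drop the check and translate `std::bad_alloc` at the point where LibRaw catches its own exceptions. Separately, `INT64(sz)>size()` compares the request with the whole stream rather than with what remains after the current position, and the result of `read(ret->get_buffer(),sz,1)` is not checked, so a request near the end of the data can presumably still leave part of the buffer unfilled. Both function bodies are only partly visible in this section.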