~ubuntu-branches/ubuntu/trusty/libraw/trusty


Viewing changes to debian/patches/CVE-2013-143x.patch

  • Committer: Package Import Robot
  • Author(s): Luca Falavigna
  • Date: 2013-10-05 17:53:47 UTC
  • mfrom: (1.4.8) (0.5.2 sid)
  • Revision ID: package-import@ubuntu.com-20131005175347-7oy1gkgre0yufdg0
Tags: 0.15.4-1
* Team upload.
* New upstream release.
  - Fix for CVE-2013-1438 (Closes: #721231).
  - Fix for CVE-2013-1439 (Closes: #721338).
  - Fix segmentation fault when unprocessed_raw is passed -s option
    without any parameter (Closes: #716423).
* debian/patches/4channels_parameter.patch:
  - Dropped, applied upstream.
* debian/patches/typo.patch:
  - Dropped, applied upstream.

1
 
Description: fix denial of service via crafted photo files
2
 
Origin: backport, https://github.com/LibRaw/LibRaw/commit/11909cc59e712e09b508dda729b99aeaac2b29ad
3
 
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721338
4
 
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721231
5
 
 
6
 
Index: libraw-0.15.3/internal/dcraw_common.cpp
7
 
===================================================================
8
 
--- libraw-0.15.3.orig/internal/dcraw_common.cpp        2013-07-03 23:27:57.000000000 -0400
9
 
+++ libraw-0.15.3/internal/dcraw_common.cpp     2013-09-20 11:53:03.231919077 -0400
10
 
@@ -607,6 +607,11 @@
11
 
 {
12
 
   int len, diff;
13
 
 
14
 
+#ifdef LIBRAW_LIBRARY_BUILD
15
 
+  if(!huff)
16
 
+    throw LIBRAW_EXCEPTION_IO_CORRUPT;
17
 
+#endif
18
 
+
19
 
   len = gethuff(huff);
20
 
   if (len == 16 && (!dng_version || dng_version >= 0x1010000))
21
 
     return -32768;
22
 
@@ -621,6 +626,9 @@
23
 
 {
24
 
   int len, diff;
25
 
 
26
 
+  if(!huff || !buf)
27
 
+    throw LIBRAW_EXCEPTION_IO_CORRUPT;
28
 
+
29
 
   len = bits._gethuff_lj(buf,*huff,huff+1);
30
 
   if (len == 16 && (!dng_version || dng_version >= 0x1010000))
31
 
     return -32768;
32
 
@@ -740,8 +748,11 @@
33
 
   }
34
 
 #endif
35
 
 
36
 
-
37
 
   if (!ljpeg_start (&jh, 0)) return;
38
 
+#ifdef LIBRAW_LIBRARY_BUILD
39
 
+  if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
40
 
+    throw LIBRAW_EXCEPTION_IO_CORRUPT;
41
 
+#endif
42
 
   jwide = jh.wide * jh.clrs;
43
 
 
44
 
 #ifdef LIBRAW_LIBRARY_BUILD
45
 
@@ -758,13 +769,19 @@
46
 
       }
47
 
        
48
 
   slices = slicesWcnt * jh.high;
49
 
+  if(!slices)
50
 
+    throw LIBRAW_EXCEPTION_IO_CORRUPT;
51
 
+
52
 
   offset = (unsigned*)calloc(slices+1,sizeof(offset[0]));
53
 
 
54
 
   for(slice=0;slice<slices;slice++)
55
 
       {
56
 
           offset[slice] = (t_x + t_y * raw_width)| (t_s<<28);
57
 
           if((offset[slice] & 0x0fffffff) >= raw_width * raw_height)
58
 
+            {
59
 
+              free(offset);
60
 
               throw LIBRAW_EXCEPTION_IO_BADFILE; 
61
 
+            }
62
 
           t_y++;
63
 
           if(t_y == jh.high)
64
 
               {
65
 
@@ -817,12 +834,27 @@
66
 
               pixno++;
67
 
               if (0 == --pixelsInSlice)
68
 
                   {
69
 
+                    if(slice > slices)
70
 
+                      {
71
 
+                        free(offset);
72
 
+                        throw LIBRAW_EXCEPTION_IO_CORRUPT;
73
 
+                      }
74
 
                       unsigned o = offset[slice++];
75
 
                       pixno = o & 0x0fffffff;
76
 
                       pixelsInSlice = slicesW[o>>28];
77
 
                   }
78
 
           }
79
 
 #endif
80
 
+
81
 
+      if(row>raw_height)
82
 
+#ifdef LIBRAW_LIBRARY_BUILD
83
 
+      {
84
 
+        free(offset);
85
 
+        throw LIBRAW_EXCEPTION_IO_CORRUPT;
86
 
+      }
87
 
+#else
88
 
+        longjmp (failure, 3);
89
 
+#endif
90
 
       if (raw_width == 3984 && (col -= 2) < 0)
91
 
        col += (row--,raw_width);
92
 
       if (row >= 0) RAW(row,col) = val;
93
 
@@ -5135,6 +5167,7 @@
94
 
          data_offset = get4()+base;
95
 
          ifd++;  break;
96
 
        }
97
 
+        if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
98
 
        while (len--) {
99
 
          i = ftell(ifp);
100
 
          fseek (ifp, get4()+base, SEEK_SET);
101
 
@@ -5353,7 +5386,7 @@
102
 
        break;
103
 
       case 50715:                      /* BlackLevelDeltaH */
104
 
       case 50716:                      /* BlackLevelDeltaV */
105
 
-       for (num=i=0; i < len; i++)
106
 
+       for (num=i=0; i < len && i < 65536; i++)
107
 
          num += getreal(type);
108
 
        black += num/len + 0.5;
109
 
        break;
110
 
@@ -5486,9 +5519,12 @@
111
 
   if (thumb_offset) {
112
 
     fseek (ifp, thumb_offset, SEEK_SET);
113
 
     if (ljpeg_start (&jh, 1)) {
114
 
-      thumb_misc   = jh.bits;
115
 
-      thumb_width  = jh.wide;
116
 
-      thumb_height = jh.high;
117
 
+      if((unsigned)jh.bits<17 && (unsigned)jh.wide < 0x10000 && (unsigned)jh.high < 0x10000)
118
 
+        {
119
 
+          thumb_misc   = jh.bits;
120
 
+          thumb_width  = jh.wide;
121
 
+          thumb_height = jh.high;
122
 
+        }
123
 
     }
124
 
   }
125
 
   for (i=0; i < tiff_nifds; i++) {
126
 
@@ -5496,7 +5532,8 @@
127
 
        max_samp = tiff_ifd[i].samples;
128
 
     if (max_samp > 3) max_samp = 3;
129
 
     if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
130
 
-       (tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
131
 
+        unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
132
 
+        (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
133
 
        tiff_ifd[i].t_width*tiff_ifd[i].t_height > raw_width*raw_height) {
134
 
       raw_width     = tiff_ifd[i].t_width;
135
 
       raw_height    = tiff_ifd[i].t_height;
136
 
@@ -5583,6 +5620,8 @@
137
 
       is_raw = 0;
138
 
   for (i=0; i < tiff_nifds; i++)
139
 
     if (i != raw && tiff_ifd[i].samples == max_samp &&
140
 
+        tiff_ifd[i].bps>0 && tiff_ifd[i].bps < 33 &&
141
 
+       unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
142
 
        tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) >
143
 
              thumb_width *       thumb_height / SQR(thumb_misc+1)
144
 
        && tiff_ifd[i].comp != 34892) {
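Review bot: In the `@@ -817,12 +834,27 @@` hunk the new `if(row>raw_height)` guard still lets `row == raw_height` through, and the store that follows is guarded only by `if (row >= 0)`, so a corrupt file can apparently still reach `RAW(row,col) = val` one row past the declared height. Tightening the guard to `>=` is probably not safe, because the `raw_width == 3984` branch may decrement `row` before the store, so I would bound the store itself: `if ((unsigned) row < raw_height) RAW(row,col) = val;`. Whether the raw buffer is allocated with slack rows that absorb this is not visible in the hunk; if it is, a comment next to the guard should say so. The enclosing function starts and ends outside the hunk.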
145
 
Index: libraw-0.15.3/src/libraw_datastream.cpp
146
 
===================================================================
147
 
--- libraw-0.15.3.orig/src/libraw_datastream.cpp        2013-07-03 23:26:01.000000000 -0400
148
 
+++ libraw-0.15.3/src/libraw_datastream.cpp     2013-09-20 11:53:03.231919077 -0400
149
 
@@ -64,7 +64,12 @@
150
 
 
151
 
 LibRaw_byte_buffer *LibRaw_abstract_datastream::make_byte_buffer(unsigned int sz)
152
 
 {
153
 
+  if(INT64(sz)>size())
154
 
+    throw LIBRAW_EXCEPTION_IO_CORRUPT;
155
 
+
156
 
     LibRaw_byte_buffer *ret = new LibRaw_byte_buffer(sz);
157
 
+    if(!ret) // failed new should throw std::exception
158
 
+      throw LIBRAW_EXCEPTION_ALLOC;
159
 
     read(ret->get_buffer(),sz,1);
160
 
     return ret;
161
 
 }
162
 
@@ -441,7 +446,12 @@
163
 
 
164
 
 LibRaw_byte_buffer *LibRaw_buffer_datastream::make_byte_buffer(unsigned int sz)
165
 
 {
166
 
+  if(INT64(sz)>size())
167
 
+    throw LIBRAW_EXCEPTION_IO_CORRUPT;
168
 
+
169
 
     LibRaw_byte_buffer *ret = new LibRaw_byte_buffer(0);
170
 
+    if(!ret) // failed new should throw std::exception
171
 
+      throw LIBRAW_EXCEPTION_ALLOC;
172
 
     if(streampos + sz > streamsize)
173
 
         sz = streamsize - streampos;
174
 
     ret->set_buffer(buf+streampos,sz);
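Review bot: The added `if(!ret)` checks after `new LibRaw_byte_buffer(...)` in both `make_byte_buffer` implementations can never fire, because a plain `new` reports failure by throwing `std::bad_alloc` rather than returning null (the added comment says as much), so `LIBRAW_EXCEPTION_ALLOC` is never raised on this path. If callers are meant to see the LibRaw exception, allocate with `new (std::nothrow) LibRaw_byte_buffer(sz)` (needs `<new>`); otherwise drop the check. Separately, `INT64(sz)>size()` compares against the whole stream rather than the bytes remaining after the current position, and in the first function the result of `read(ret->get_buffer(),sz,1)` is not checked, so a short read presumably leaves part of the buffer unfilled. The second function's body continues past the end of the hunk.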