* CVE-2018-5815 [bsc#1103206]

+ libraw-CVE-2018-5815.patch

OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=117

libraw-CVE-2018-5815.patch

@@ -0,0 +1,13 @@
+Index: LibRaw-0.19.0/dcraw/dcraw.c
+===================================================================
+--- LibRaw-0.19.0.orig/dcraw/dcraw.c	2018-08-01 13:33:31.125280841 +0200
++++ LibRaw-0.19.0/dcraw/dcraw.c	2018-08-01 13:34:22.757544606 +0200
+@@ -6915,6 +6915,8 @@ void CLASS parse_qt (int end)
+   while (ftell(ifp)+7 < end) {
+     save = ftell(ifp);
+     if ((size = get4()) < 8) return;
++    if ((int)size < 0) return; // 2+GB is too much
++    if (save + size < save) return; // 32bit overflow
+     fread (tag, 4, 1, ifp);
+     if (!memcmp(tag,"moov",4) ||
+ 	!memcmp(tag,"udta",4) ||

libraw.changes

@@ -4,6 +4,8 @@ Wed Aug  1 11:07:43 UTC 2018 - pgajdos@suse.com
 - security update
   * CVE-2018-5813 [bsc#1103200]
     + libraw-CVE-2018-5813.patch
+  * CVE-2018-5815 [bsc#1103206]
+    + libraw-CVE-2018-5815.patch
 
 -------------------------------------------------------------------
 Wed Aug  1 10:13:46 UTC 2018 - pgajdos@suse.com

libraw.spec

@@ -29,6 +29,7 @@ Url:            https://www.libraw.org/
 #Git-Clone:	git://github.com/LibRaw/LibRaw
 Source:         https://www.libraw.org/data/%tar_name-%version.tar.gz
 Patch0:         libraw-CVE-2018-5813.patch
+Patch1:         libraw-CVE-2018-5815.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  libjasper-devel
@@ -97,6 +98,7 @@ against LibRaw. LibRaw does not provide dynamic libraries.
 %prep
 %setup -qn %tar_name-%version
 %patch0 -p1
+%patch1 -p1
 
 %build
 export CXXFLAGS="%optflags -fPIC -DUSE_ZLIB"