From 42297d1b65bb7b8e0270708f9c77ce3d581202c6a142f6c97885499c4aaf2efa Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Tue, 23 May 2017 07:48:34 +0000
Subject: [PATCH] - added missing parts of the fix for CVE-2017-6887 and CVE-2017-6886 + libraw-CVE-2017-6887,6886.patch - added missing fix for CVE-2017-6890 and CVE-2017-6899 + libraw-CVE-2017-6890,6899.patch
OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=92
---
 libraw-CVE-2017-6887,6886.patch | 34 ++++++++++++++++++++++++++++++++++
 libraw-CVE-2017-6890,6899.patch | 30 ++++++++++++++++++++++++++++++
 libraw.changes | 5 +++++
 libraw.spec | 4 ++++
 4 files changed, 73 insertions(+)
 create mode 100644 libraw-CVE-2017-6887,6886.patch
 create mode 100644 libraw-CVE-2017-6890,6899.patch
diff --git a/libraw-CVE-2017-6887,6886.patch b/libraw-CVE-2017-6887,6886.patch
new file mode 100644
index 0000000..fcc1e36
--- /dev/null
+++ b/libraw-CVE-2017-6887,6886.patch
@@ -0,0 +1,34 @@
+From d7c3d2cb460be10a3ea7b32e9443a83c243b2251 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin
+Date: Sat, 4 Mar 2017 21:27:39 +0300
+Subject: [PATCH] Secunia SA75000 advisory: several buffer overruns
+
+---
+ dcraw/dcraw.c | 12 ++++++++++--
+ internal/dcraw_common.cpp | 12 ++++++++++--
+ 2 files changed, 20 insertions(+), 4 deletions(-)
+
+Index: LibRaw-0.18.2/dcraw/dcraw.c
+===================================================================
+--- LibRaw-0.18.2.orig/dcraw/dcraw.c 2017-05-23 09:32:51.733561941 +0200
++++ LibRaw-0.18.2/dcraw/dcraw.c 2017-05-23 09:38:40.867531376 +0200
+@@ -5842,6 +5842,10 @@ int CLASS parse_tiff_ifd (int base)
+ load_raw = &CLASS sony_arw_load_raw;
+ data_offset = get4()+base;
+ ifd++; break;
++#ifdef LIBRAW_LIBRARY_BUILD
++ if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0])
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+ }
+ while (len--) {
+ i = ftell(ifp);
+@@ -6005,6 +6009,8 @@ int CLASS parse_tiff_ifd (int base)
+ break;
+ case 50454: /* Sinar tag */
+ case 50455:
++ if (len < 1 || len > 2560000)
++ break;
+ if (!(cbuf = (char *) malloc(len))) break;
+ fread (cbuf, 1, len, ifp);
+ for (cp = cbuf-1; cp && cp < cbuf+len; cp = strchr(cp,'\n'))
diff --git a/libraw-CVE-2017-6890,6899.patch b/libraw-CVE-2017-6890,6899.patch
new file mode 100644
index 0000000..b9fcaaf
--- /dev/null
+++ b/libraw-CVE-2017-6890,6899.patch
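Review bot: In libraw-CVE-2017-6887,6886.patch, the `ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0]` check added by the first embedded hunk is placed after the context line `ifd++; break;` and before the closing `}`, so as written control leaves the block before the check runs and an out-of-range `ifd` is never rejected on this path. The guard has to sit between the increment and the jump: split that line into `ifd++;`, then the `#ifdef LIBRAW_LIBRARY_BUILD` … `#endif` check, then `break;`. The embedded diffstat also lists `internal/dcraw_common.cpp`, but this patch file carries only `dcraw/dcraw.c` hunks, so it is worth confirming that the source actually compiled into the package has the same two checks. parse_tiff_ifd starts and ends outside both embedded hunks, so the enclosing switch is not visible here.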
@@ -0,0 +1,30 @@
+--- a/dcraw/dcraw.c
++++ b/dcraw/dcraw.c
+@@ -319,7 +319,7 @@ void CLASS foveon_huff (ushort *huff)
+ void CLASS foveon_dp_load_raw()
+ {
+ unsigned c, roff[4], row, col, diff;
+- ushort huff[512], vpred[2][2], hpred[2];
++ ushort huff[1024], vpred[2][2], hpred[2];
+
+ fseek (ifp, 8, SEEK_CUR);
+ foveon_huff (huff);
+@@ -346,12 +346,16 @@ void CLASS foveon_dp_load_raw()
+ void CLASS foveon_load_camf()
+ {
+ unsigned type, wide, high, i, j, row, col, diff;
+- ushort huff[258], vpred[2][2] = {{512,512},{512,512}}, hpred[2];
++ ushort huff[1024], vpred[2][2] = {{512,512},{512,512}}, hpred[2];
+
+ fseek (ifp, meta_offset, SEEK_SET);
+ type = get4(); get4(); get4();
+ wide = get4();
+ high = get4();
++#ifdef LIBRAW_LIBRARY_BUILD
++ if(wide>32767 || high > 32767 || wide*high > 20000000)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+ if (type == 2) {
+ fread (meta_data, 1, meta_length, ifp);
+ for (i=0; i < meta_length; i++) {
+
diff --git a/libraw.changes b/libraw.changes
index f370789..3068ca3 100644
--- a/libraw.changes
+++ b/libraw.changes
@@ -10,6 +10,11 @@ Tue May 23 06:54:04 UTC 2017 - pgajdos@suse.com
 Fixed bug in FujiExpoMidPointShift parser
 Fixed wrong black level in Sony A350
 Added standard integer types for VisualStudio 2008 and earlier
+- added missing parts of the fix for CVE-2017-6887
+ and CVE-2017-6886
+ + libraw-CVE-2017-6887,6886.patch
+- added missing fix for CVE-2017-6890 and CVE-2017-6899
+ + libraw-CVE-2017-6890,6899.patch
 -------------------------------------------------------------------
 Mon Jan 30 14:58:42 UTC 2017 - pgajdos@suse.com
diff --git a/libraw.spec b/libraw.spec
index 9cbf564..5161001 100644
--- a/libraw.spec
+++ b/libraw.spec
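Review bot: In libraw-CVE-2017-6890,6899.patch, both `huff` arrays are enlarged to a bare `1024` while `foveon_huff (ushort *huff)` still takes no length, so nothing in the declaration or the callee's signature ties the buffer size to the largest index the table builder can write. Its body is outside the hunk, so whether 1024 is a proven bound cannot be checked from here. A comment on each declaration such as `/* sized for the largest index foveon_huff() can write; keep in sync */`, or one shared named constant, would make the next resize reviewable. In foveon_load_camf the new `wide`/`high` limit is compiled only under `LIBRAW_LIBRARY_BUILD` and the values 32767 and 20000000 are unexplained; a one-line comment like `/* sanity limit on CAMF block dimensions read from the file */` would record the intent. Unlike libraw-CVE-2017-6887,6886.patch, this patch file has no header naming the upstream commit it was taken from, which makes later audits of the backport harder.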
@@ -30,6 +30,8 @@ Url: http://www.libraw.org/
 #Git-Clone: git://github.com/LibRaw/LibRaw
 Source: http://www.libraw.org/data/%tar_name-%version.tar.gz
+Patch0: libraw-CVE-2017-6890,6899.patch
+Patch1: libraw-CVE-2017-6887,6886.patch
 BuildRequires: fdupes
 BuildRequires: gcc-c++
 BuildRequires: libjasper-devel
@@ -98,6 +100,8 @@ against LibRaw. LibRaw does not provide dynamic libraries.
 %prep
 %setup -qn %tar_name-%version
+%patch0 -p1
+%patch1 -p1
 %build
 export CXXFLAGS="%optflags -fPIC -DUSE_ZLIB"