- add libraw-CVE-2017-14348.patch [bsc#1058467]

OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=97

libraw-CVE-2017-14348.patch

@@ -0,0 +1,22 @@
+diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
+index 18bcdbcb..8fb2b073 100644
+--- a/internal/dcraw_common.cpp
++++ b/internal/dcraw_common.cpp
+@@ -3240,8 +3240,15 @@ void CLASS kodak_65000_load_raw()
+       len = MIN (256, width-col);
+       ret = kodak_65000_decode (buf, len);
+       for (i=0; i < len; i++)
+-	if ((RAW(row,col+i) =	curve[ret ? buf[i] :
+-		(pred[i & 1] += buf[i])]) >> 12) derror();
++      {
++	int idx = ret ? buf[i] : (pred[i & 1] += buf[i]);
++	if(idx >=0 && idx <= 0xffff)
++	 {
++	   if ((RAW(row,col+i) = curve[idx]) >> 12) derror();
++         }
++	 else
++	   derror();
++      }
+     }
+   }
+ }

libraw.changes

@@ -5,6 +5,7 @@ Wed Sep 13 10:25:35 UTC 2017 - pgajdos@suse.com
  * Fix for possible heap overrun in Canon makernotes parser
  * Fix for CVE-2017-13735
  * CVE-2017-14265: Additional check for X-Trans CFA pattern data
+- add libraw-CVE-2017-14348.patch [bsc#1058467]
 - remove libraw-CVE-2017-6887,6886.patch and
          libraw-CVE-2017-6890,6899.patch:
   no need to patch dcraw.c, it is not used

libraw.spec

@@ -30,6 +30,7 @@ Url:            http://www.libraw.org/
 
 #Git-Clone:	git://github.com/LibRaw/LibRaw
 Source:         http://www.libraw.org/data/%tar_name-%version.tar.gz
+Patch0:         libraw-CVE-2017-14348.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  libjasper-devel
@@ -98,6 +99,7 @@ against LibRaw. LibRaw does not provide dynamic libraries.
 
 %prep
 %setup -qn %tar_name-%version
+%patch0 -p1
 
 %build
 export CXXFLAGS="%optflags -fPIC -DUSE_ZLIB"