From ab9161749c6cd855d10893cdab2d947da712fd4f5a86b8dc3b20221b8e04a1f6 Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Tue, 7 Jul 2020 15:00:30 +0000
Subject: [PATCH] - security update - added patches fix CVE-2020-15503 [bsc#1173674], lack of thumbnail size range check can lead to buffer overflow + libraw-CVE-2020-15503.patch OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=137
---
libraw-CVE-2020-15503.patch | 133 ++++++++++++++++++++++++++++++++++++
libraw.changes | 8 +++
libraw.spec | 5 +-
3 files changed, 145 insertions(+), 1 deletion(-)
create mode 100644 libraw-CVE-2020-15503.patch
diff --git a/libraw-CVE-2020-15503.patch b/libraw-CVE-2020-15503.patch
new file mode 100644
index 0000000..61ac9c1
--- /dev/null
+++ b/libraw-CVE-2020-15503.patch
@@ -0,0 +1,133 @@
+Index: LibRaw-0.19.5/libraw/libraw_const.h
+===================================================================
+--- LibRaw-0.19.5.orig/libraw/libraw_const.h 2020-07-07 12:42:30.310654582 +0200
++++ LibRaw-0.19.5/libraw/libraw_const.h 2020-07-07 12:49:43.141162263 +0200
+@@ -24,6 +24,11 @@ it under the terms of the one of two lic
+ #define LIBRAW_MAX_ALLOC_MB 2048L
+ #endif
+
++/* limit thumbnail size, default is 512Mb*/
++#ifndef LIBRAW_MAX_THUMBNAIL_MB
++#define LIBRAW_MAX_THUMBNAIL_MB 512L
++#endif
++
+ /* Change to non-zero to allow (broken) CRW (and other) files metadata
+ loop prevention */
+ #ifndef LIBRAW_METADATA_LOOP_PREVENTION
+Index: LibRaw-0.19.5/src/libraw_cxx.cpp
+===================================================================
+--- LibRaw-0.19.5.orig/src/libraw_cxx.cpp 2019-08-20 19:34:30.000000000 +0200
++++ LibRaw-0.19.5/src/libraw_cxx.cpp 2020-07-07 13:03:23.697916270 +0200
+@@ -3712,6 +3712,20 @@ libraw_processed_image_t *LibRaw::dcraw_
+ return NULL;
+ }
+
++ if (T.tlength < 64u)
++ {
++ if (errcode)
++ *errcode = EINVAL;
++ return NULL;
++ }
++
++ if (INT64(T.tlength) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB)
++ {
++ if (errcode)
++ *errcode = LIBRAW_TOO_BIG;
++ return NULL;
++ }
++
+ if (T.tformat == LIBRAW_THUMBNAIL_BITMAP)
+ {
+ libraw_processed_image_t *ret = (libraw_processed_image_t *)::malloc(sizeof(libraw_processed_image_t) + T.tlength);
+@@ -3976,6 +3990,12 @@ void LibRaw::kodak_thumb_loader()
+ if (ID.toffset + est_datasize > ID.input->size() + THUMB_READ_BEYOND)
+ throw LIBRAW_EXCEPTION_IO_EOF;
+
++ if(INT64(T.theight) * INT64(T.twidth) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++
++ if (INT64(T.theight) * INT64(T.twidth) < 64ULL)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++
+ // some kodak cameras
+ ushort s_height = S.height, s_width = S.width, s_iwidth = S.iwidth, s_iheight = S.iheight;
+ ushort s_flags = libraw_internal_data.unpacker_data.load_flags;
+@@ -4237,6 +4257,25 @@ int LibRaw::unpack_thumb(void)
+ CHECK_ORDER_LOW(LIBRAW_PROGRESS_IDENTIFY);
+ CHECK_ORDER_BIT(LIBRAW_PROGRESS_THUMB_LOAD);
+
++#define THUMB_SIZE_CHECKT(A) \
++ do { \
++ if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++ if (INT64(A) > 0 && INT64(A) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++ } while (0)
++
++#define THUMB_SIZE_CHECKTNZ(A) \
++ do { \
++ if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++ if (INT64(A) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++ } while (0)
++
++
++#define THUMB_SIZE_CHECKWH(W,H) \
++ do { \
++ if (INT64(W)*INT64(H) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++ if (INT64(W)*INT64(H) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++ } while (0)
++
+ try
+ {
+ if (!libraw_internal_data.internal_data.input)
+@@ -4267,6 +4306,7 @@ int LibRaw::unpack_thumb(void)
+
+ if (INT64(ID.toffset) + tsize > ID.input->size() + THUMB_READ_BEYOND)
+ throw LIBRAW_EXCEPTION_IO_EOF;
++ THUMB_SIZE_CHECKT(tsize);
+ }
+ else
+ {
+@@ -4280,6 +4320,8 @@ int LibRaw::unpack_thumb(void)
+ ID.input->seek(ID.toffset, SEEK_SET);
+ if (write_thumb == &LibRaw::jpeg_thumb)
+ {
++ THUMB_SIZE_CHECKTNZ(T.tlength);
++
+ if (T.thumb)
+ free(T.thumb);
+ T.thumb = (char *)malloc(T.tlength);
+@@ -4326,6 +4368,7 @@ int LibRaw::unpack_thumb(void)
+ {
+ if (t_bytesps > 1)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT; // 8-bit thumb, but parsed for more bits
++ THUMB_SIZE_CHECKWH(T.twidth, T.theight);
+ int t_length = T.twidth * T.theight * t_colors;
+
+ if (T.tlength && T.tlength < t_length) // try to find tiff ifd with needed offset
+@@ -4351,6 +4394,7 @@ int LibRaw::unpack_thumb(void)
+ T.tcolors = 1;
+ }
+ T.tlength = total_size;
++ THUMB_SIZE_CHECKTNZ(T.tlength);
+ if (T.thumb)
+ free(T.thumb);
+ T.thumb = (char *)malloc(T.tlength);
+@@ -4384,6 +4428,8 @@ int LibRaw::unpack_thumb(void)
+ if (T.thumb)
+ free(T.thumb);
+
++ THUMB_SIZE_CHECKTNZ(T.tlength);
++
+ T.thumb = (char *)malloc(T.tlength);
+ if (!T.tcolors)
+ T.tcolors = t_colors;
+@@ -4404,6 +4450,10 @@ int LibRaw::unpack_thumb(void)
+ int i_length = T.twidth * T.theight * t_colors * 2;
+ if (!T.tlength)
+ T.tlength = o_length;
++ THUMB_SIZE_CHECKTNZ(o_length);
++ THUMB_SIZE_CHECKTNZ(i_length);
++ THUMB_SIZE_CHECKTNZ(T.tlength);
++
+ ushort *t_thumb = (ushort *)calloc(i_length, 1);
+ ID.input->read(t_thumb, 1, i_length);
+ if ((libraw_internal_data.unpacker_data.order == 0x4949) == (ntohs(0x1234) == 0x1234))
diff --git a/libraw.changes b/libraw.changes
index eb0f80d..6ad8fe2 100644
--- a/libraw.changes
+++ b/libraw.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jul 7 14:20:04 UTC 2020 - pgajdos@suse.com
+
+- security update
+- added patches
+ fix CVE-2020-15503 [bsc#1173674], lack of thumbnail size range check can lead to buffer overflow
+ + libraw-CVE-2020-15503.patch
+
 -------------------------------------------------------------------
 Fri Dec 20 09:46:35 UTC 2019 - pgajdos@suse.com
 
diff --git a/libraw.spec b/libraw.spec
index 49c97fc..ed961f7 100644
--- a/libraw.spec
+++ b/libraw.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libraw
 #
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,8 @@ URL: https://www.libraw.org/
 #Git-Clone: git://github.com/LibRaw/LibRaw
 Source: https://www.libraw.org/data/%tar_name-%version.tar.gz
 Patch1: libraw-Add-Sony-ILCE-7M3.patch
+# CVE-2020-15503 [bsc#1173674], lack of thumbnail size range check can lead to buffer overflow
+Patch2: libraw-CVE-2020-15503.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: fdupes
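Review bot: In the embedded `@@ -4384,6 +4428,8 @@` hunk of unpack_thumb, `THUMB_SIZE_CHECKTNZ(T.tlength);` sits after `if (T.thumb) free(T.thumb);`, so when the check throws, T.thumb still holds the freed pointer; the jpeg_thumb and `total_size` sites in the same patch run the check before the free. If the exception path releases T.thumb again (the handler is outside the hunk, so this is inferred), an out-of-range length in a malformed file turns into a double free, and moving the check above the `if (T.thumb)` line removes that window. Separately, in the `@@ -4404,6 +4450,10 @@` hunk `int i_length = T.twidth * T.theight * t_colors * 2;` is computed in `int` before `THUMB_SIZE_CHECKTNZ(i_length);` sees it, so a product that wraps to a small positive value would pass the range check. Placing `THUMB_SIZE_CHECKWH(T.twidth, T.theight);` ahead of the length computations, as the 8-bit branch does, would bound the operands first; o_length's definition and the rest of unpack_thumb lie outside these hunks.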
@@ -102,6 +104,7 @@ against LibRaw. LibRaw does not provide dynamic libraries. %prep %setup -q -n %{tar_name}-%{version} %patch1 -p1 +%patch2 -p1 %build %global _lto_cflags %{_lto_cflags} -ffat-lto-objects