Petr Gajdos
8834ddc7f5
* CVE-2018-10528 [bsc#1091345] + libraw-CVE-2018-10528.patch * CVE-2018-10529 [bsc#1091346] + libraw-CVE-2018-10529.patch - Updated to version 0.18.9: * samsung_load_raw: possible buffer overrun * rollei_load_raw: possible buffer overrun * nikon_coolscan_load_raw: possible buffer overrun, possible NULL pointer * find_green: possible stack overrun * parse_exif: possible stack overrun OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=113
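Index: LibRaw-0.18.9/internal/libraw_x3f.cpp
===================================================================
--- LibRaw-0.18.9.orig/internal/libraw_x3f.cpp 2018-04-24 16:23:24.000000000 +0200
+++ LibRaw-0.18.9/internal/libraw_x3f.cpp 2018-04-30 11:35:17.477351409 +0200
@@ -121,8 +121,6 @@ typedef struct x3f_property_s {
 /* Computed */
 utf16_t *name; /* 0x0000 terminated UTF 16 */
 utf16_t *value; /* 0x0000 terminated UTF 16 */
- char *name_utf8; /* converted to UTF 8 */
- char *value_utf8; /* converted to UTF 8 */
 } x3f_property_t;
 
 typedef struct x3f_property_table_s {
@@ -516,7 +514,6 @@ unsigned x3f_get4(LibRaw_abstract_datast
 int _cur = _file->_func(_buffer,1,_left); \
 if (_cur == 0) { \
 throw LIBRAW_EXCEPTION_IO_CORRUPT; \
- exit(1); \
 } \
 _left -= _cur; \
 } \
@@ -912,11 +909,6 @@ static void free_camf_entry(camf_entry_t
 if (PL)
 {
 int i;
-
- for (i = 0; i < PL->property_table.size; i++) {
- FREE(PL->property_table.element[i].name_utf8);
- FREE(PL->property_table.element[i].value_utf8);
- }
 }
 FREE(PL->property_table.element);
 FREE(PL->data);
@@ -1624,14 +1616,14 @@ static void x3f_load_property_list(x3f_i
 
 if (!PL->data_size)
 PL->data_size = read_data_block(&PL->data, I, DE, 0);
+ uint32_t maxoffset = PL->data_size/sizeof(utf16_t)-2; // at least 2 chars, value + terminating 0x0000
 
 for (i=0; i<PL->num_properties; i++) {
 x3f_property_t *P = &PL->property_table.element[i];
-
+ if(P->name_offset > maxoffset || P->value_offset > maxoffset)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
 P->name = ((utf16_t *)PL->data + P->name_offset);
 P->value = ((utf16_t *)PL->data + P->value_offset);
- P->name_utf8 = 0;// utf16le_to_utf8(P->name);
- P->value_utf8 = 0;//utf16le_to_utf8(P->value);
 }
 }
 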
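Review bot: In the x3f_load_property_list hunk, `maxoffset` is computed as `PL->data_size/sizeof(utf16_t)-2` in unsigned arithmetic, so when the data block holds fewer than two UTF-16 units the subtraction wraps to a very large value and the offset check below it rejects nothing. Reject short blocks before the subtraction, for example `if (PL->data_size < 2*sizeof(utf16_t)) throw LIBRAW_EXCEPTION_IO_CORRUPT;`. The check also validates only where each string starts; it does not confirm that a 0x0000 terminator occurs before the end of the block, so every consumer of `P->name` and `P->value` still has to bound its own read. The function begins above the hunk, so the declared type of `data_size` and the failure return of `read_data_block` are not visible here and should be confirmed.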
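Index: LibRaw-0.18.9/src/libraw_cxx.cpp
===================================================================
--- LibRaw-0.18.9.orig/src/libraw_cxx.cpp 2018-04-30 11:35:17.477351409 +0200
+++ LibRaw-0.18.9/src/libraw_cxx.cpp 2018-04-30 11:38:21.568048079 +0200
@@ -5551,13 +5551,21 @@ void LibRaw::parse_x3f()
 // Parse property list
 DEH = &DE->header;
 x3f_property_list_t *PL = &DEH->data_subsection.property_list;
+ utf16_t *datap = (utf16_t*) PL->data;
+ uint32_t maxitems = PL->data_size/sizeof(utf16_t);
 if (PL->property_table.size != 0) {
 int i;
 x3f_property_t *P = PL->property_table.element;
 for (i=0; i<PL->num_properties; i++) {
 char name[100], value[100];
- utf2char(P[i].name,name,sizeof(name));
- utf2char(P[i].value,value,sizeof(value));
+ int noffset = (P[i].name - datap);
+ int voffset = (P[i].value - datap);
+ if(noffset < 0 || noffset>maxitems || voffset<0 || voffset>maxitems)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ int maxnsize = maxitems - (P[i].name - datap);
+ int maxvsize = maxitems - (P[i].value - datap);
+ utf2char(P[i].name, name,MIN(maxnsize,sizeof(name)));
+ utf2char(P[i].value, value,MIN(maxvsize,sizeof(value)));
 if (!strcmp (name, "ISO"))
 imgdata.other.iso_speed = atoi(value);
 if (!strcmp (name, "CAMMANUF"))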
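Review bot: The bounds test added in parse_x3f uses `>` where `>=` is needed: an offset equal to `maxitems` points one element past the end of the data block and makes `maxnsize` or `maxvsize` zero. What `utf2char` does with a zero length is not visible in this hunk; if it returns without writing, `name` and `value` remain uninitialized stack buffers when they reach `strcmp` and `atoi`. Suggested line: `if(noffset < 0 || noffset >= (int)maxitems || voffset < 0 || voffset >= (int)maxitems)`, which also removes the implicit int-to-unsigned conversion that currently works only because the negative test comes first. `maxnsize` and `maxvsize` could reuse `noffset` and `voffset` rather than recomputing the pointer difference, and initializing both buffers (`char name[100] = "", value[100] = "";`) would make the later comparisons safe regardless of the helper's behaviour. parse_x3f starts and ends outside the hunk.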