Package: libraw / 0.16.0-9+deb8u3

0002-Fix_CVE-2015-8366_CVE-2015-8367.patch Patch series | download
From: Alex Tutubalin <lexa@lexa.ru>
Date: Sat, 12 Dec 2015 21:51:27 +0100
Subject: Fix_CVE-2015-8366_CVE-2015-8367

---
 dcraw/dcraw.c             | 4 ++++
 internal/dcraw_common.cpp | 4 ++++
 src/libraw_cxx.cpp        | 5 +++++
 3 files changed, 13 insertions(+)

diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c
index 4f72aee..7ff8fe7 100644
--- a/dcraw/dcraw.c
+++ b/dcraw/dcraw.c
@@ -2559,6 +2559,10 @@ void CLASS smal_decode_segment (unsigned seg[2][2], int holes)
       diff = diff ? -diff : 0x80;
     if (ftell(ifp) + 12 >= seg[1][1])
       diff = 0;
+#ifdef LIBRAW_LIBRARY_BUILD
+    if(pix>=raw_width*raw_height)
+      throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
     raw_image[pix] = pred[pix & 1] += diff;
     if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
   }
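Review bot: The added guard `if(pix>=raw_width*raw_height)` checks only the upper end of the index and does the multiplication in whatever type the operands promote to. `pix` is declared outside this hunk; if it is a signed int seeded from the file-supplied `seg` values, a negative value passes the comparison and still reaches `raw_image[pix]`, and the product may overflow depending on how `raw_width` and `raw_height` are declared. Comparing as unsigned covers both cases: `if((unsigned)pix >= (unsigned)raw_width*raw_height)`. The check is also compiled only under `LIBRAW_LIBRARY_BUILD`, so a standalone build of this file keeps the unchecked write; an `#else` branch that stops decoding would close that gap. The identical hunk in internal/dcraw_common.cpp has the same issues.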
diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
index ac55074..1e423fe 100644
--- a/internal/dcraw_common.cpp
+++ b/internal/dcraw_common.cpp
@@ -2816,6 +2816,10 @@ void CLASS smal_decode_segment (unsigned seg[2][2], int holes)
       diff = diff ? -diff : 0x80;
     if (ftell(ifp) + 12 >= seg[1][1])
       diff = 0;
+#ifdef LIBRAW_LIBRARY_BUILD
+    if(pix>=raw_width*raw_height)
+      throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
     raw_image[pix] = pred[pix & 1] += diff;
     if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
   }
diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp
index 433323b..7d61d81 100644
--- a/src/libraw_cxx.cpp
+++ b/src/libraw_cxx.cpp
@@ -1246,6 +1246,7 @@ int LibRaw::unpack(void)
     if(!imgdata.rawdata.raw_image && !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image) //RawSpeed failed!
       {
         // Not allocated on RawSpeed call, try call LibRaw
+        int zero_rawimage = 0;
         if(decoder_info.decoder_flags &  LIBRAW_DECODER_OWNALLOC)
           {
             // x3f foveon decoder
@@ -1268,6 +1269,8 @@ int LibRaw::unpack(void)
             // allocate image as temporary buffer, size 
             imgdata.rawdata.raw_alloc = 0;
             imgdata.image = (ushort (*)[4]) calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
+            imgdata.rawdata.raw_image = (ushort*) imgdata.image ;
+            zero_rawimage = 1;
           }
         ID.input->seek(libraw_internal_data.unpacker_data.data_offset, SEEK_SET);
             
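Review bot: `raw_image` is pointed at the `calloc` result from the line above without a null check, so an allocation failure leaves both `imgdata.image` and `raw_image` null when `load_raw` runs. Unless a check exists outside this hunk, add `if(!imgdata.image) throw LIBRAW_EXCEPTION_ALLOC;` (or whatever allocation-failure path unpack() uses) before the alias. The buffer is also sized from `S.iwidth*S.iheight`, while the bound this commit adds in smal_decode_segment is `raw_width*raw_height`; if any decoder reached through this branch indexes `raw_image` by raw dimensions, the two limits need to agree. A short comment stating that `raw_image` is a temporary alias of `imgdata.image`, not a separate allocation, would help the next reader.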
@@ -1275,6 +1278,8 @@ int LibRaw::unpack(void)
         if(load_raw == &LibRaw::unpacked_load_raw && !strcasecmp(imgdata.idata.make,"Nikon"))
           C.maximum=65535;
         (this->*load_raw)();
+        if(zero_rawimage)
+          imgdata.rawdata.raw_image = 0;
         if(load_raw == &LibRaw::unpacked_load_raw && !strcasecmp(imgdata.idata.make,"Nikon"))
           C.maximum = m_save;
         if(decoder_info.decoder_flags &  LIBRAW_DECODER_OWNALLOC)
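Review bot: The reset `imgdata.rawdata.raw_image = 0;` runs only when `load_raw` returns normally. The decoders can throw (this commit adds a `throw LIBRAW_EXCEPTION_IO_CORRUPT` to one of them), and on that path `raw_image` keeps aliasing `imgdata.image`; whether the handler, which is outside this hunk, clears it is not visible here. Clearing the alias on the exception path as well, or holding it in a small scope guard whose destructor sets `raw_image` back to 0, would make the lifetime explicit and avoid a stale pointer once the image buffer is released.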