Package: libraw / 0.17.2-6+deb9u1

CVE-2017-6886_6887.patch Patch series | download
From: Luciano Bello <luciano@debian.org>
Date: Mon, 21 Aug 2017 12:45:31 -0400
Subject: Fix for CVE-2017-6886 and CVE-2017-6887
Origin: https://github.com/LibRaw/LibRaw/commit/d7c3d2cb460be10a3ea7b32e9443a83c243b2251
CVE: CVE-2017-6886, CVE-2017-6887

---
--- a/dcraw/dcraw.c
+++ b/dcraw/dcraw.c
@@ -10245,7 +10245,12 @@ int CLASS parse_tiff_ifd (int base)
 	if (!strcmp(model,"DSLR-A100") && tiff_ifd[ifd].t_width == 3872) {
 	  load_raw = &CLASS sony_arw_load_raw;
 	  data_offset = get4()+base;
-	  ifd++;  break;
+	  ifd++;
+#ifdef LIBRAW_LIBRARY_BUILD
+       if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0])
+         throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif 
+          break;
 	}
 #ifdef LIBRAW_LIBRARY_BUILD
 	if (!strncmp(make,"Hasselblad",10) && libraw_internal_data.unpacker_data.hasselblad_parser_flag) {
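Review bot: The new bound on `ifd` is compiled only under `LIBRAW_LIBRARY_BUILD`, so a build of this file without that macro still runs `ifd++` with no limit, and any later `tiff_ifd[ifd]` access can go past the end of the table. I would add an `#else` branch that takes the function's ordinary error exit on the same condition, and a comment above the check such as `/* ifd indexes tiff_ifd[]; stop before it leaves the table */`. The added lines are indented with spaces where the surrounding code uses tabs, and `#endif` carries a trailing blank. parse_tiff_ifd starts and ends outside this hunk; the matching hunk in internal/dcraw_common.cpp has the same points.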
@@ -10497,7 +10502,7 @@ int CLASS parse_tiff_ifd (int base)
 	break;
       case 50454:			/* Sinar tag */
       case 50455:
-	if (!(cbuf = (char *) malloc(len))) break;
+	if (len < 1 || len > 2560000 || !(cbuf = (char *) malloc(len))) break;
 #ifndef LIBRAW_LIBRARY_BUILD
 	fread (cbuf, 1, len, ifp);
 #else
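Review bot: The limit `2560000` in the Sinar branch is an unexplained magic number, and it is unrelated to how many bytes the input actually has left, so a short file can still get a large allocation followed by a partial read. The unchanged `fread (cbuf, 1, len, ifp);` below ignores its return value, so the code after it (outside this hunk) may parse bytes that were never read. I would name the cap and document it, e.g. `/* len presumably comes from the tag entry; bound it before it sizes malloc() */`, and compare the read count with `len` before using `cbuf`. The matching hunk in internal/dcraw_common.cpp has the same issue.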
@@ -11564,7 +11569,11 @@ int CLASS parse_jpeg (int offset)
     }
     order = get2();
     hlen  = get4();
-    if (get4() == 0x48454150)		/* "HEAP" */
+    if (get4() == 0x48454150
+#ifdef LIBRAW_LIBRARY_BUILD
+       && (save+hlen) >= 0 && (save+hlen)<=ifp->size()
+#endif
+       ) /* "HEAP" */
 		{
 #ifdef LIBRAW_LIBRARY_BUILD
 			imgdata.lens.makernotes.CameraMount = LIBRAW_MOUNT_FixedLens;
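Review bot: The check `(save+hlen) >= 0 && (save+hlen)<=ifp->size()` performs the addition before validating it. If `save` and `hlen` are signed ints (their declarations are outside the hunk), a large `hlen` from `get4()` can overflow `save+hlen`, which is undefined behaviour, and the compiler may then drop the `>= 0` test. Validating the term and widening before the addition avoids that: `&& hlen >= 0 && (long long)save + hlen <= (long long)ifp->size()`. The guard is also limited to `LIBRAW_LIBRARY_BUILD`, so the non-library build keeps the unchecked path. The matching hunk in internal/dcraw_common.cpp has the same issue.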
--- a/internal/dcraw_common.cpp
+++ b/internal/dcraw_common.cpp
@@ -9060,7 +9060,12 @@ int CLASS parse_tiff_ifd (int base)
 	if (!strcmp(model,"DSLR-A100") && tiff_ifd[ifd].t_width == 3872) {
 	  load_raw = &CLASS sony_arw_load_raw;
 	  data_offset = get4()+base;
-	  ifd++;  break;
+	  ifd++;
+#ifdef LIBRAW_LIBRARY_BUILD
+       if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0])
+         throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif 
+          break;
 	}
 #ifdef LIBRAW_LIBRARY_BUILD
 	if (!strncmp(make,"Hasselblad",10) && libraw_internal_data.unpacker_data.hasselblad_parser_flag) {
@@ -9312,7 +9317,7 @@ int CLASS parse_tiff_ifd (int base)
 	break;
       case 50454:			/* Sinar tag */
       case 50455:
-	if (!(cbuf = (char *) malloc(len))) break;
+	if (len < 1 || len > 2560000 || !(cbuf = (char *) malloc(len))) break;
 #ifndef LIBRAW_LIBRARY_BUILD
 	fread (cbuf, 1, len, ifp);
 #else
@@ -10379,7 +10384,11 @@ int CLASS parse_jpeg (int offset)
     }
     order = get2();
     hlen  = get4();
-    if (get4() == 0x48454150)		/* "HEAP" */
+    if (get4() == 0x48454150
+#ifdef LIBRAW_LIBRARY_BUILD
+       && (save+hlen) >= 0 && (save+hlen)<=ifp->size()
+#endif
+       ) /* "HEAP" */
 		{
 #ifdef LIBRAW_LIBRARY_BUILD
 			imgdata.lens.makernotes.CameraMount = LIBRAW_MOUNT_FixedLens;