Compare commits
10 Commits
0131c6f68b
...
c00c926055
| Author | SHA1 | Date | |
|---|---|---|---|
|
c00c926055 | ||
|
|
ce301c57b1 | ||
|
|
caf8d01e95 | ||
|
|
d510b9c383 | ||
|
|
c1460eb95b | ||
|
|
5316428058 | ||
|
|
7769904445 | ||
|
|
b1cf84960e | ||
|
|
da059c053d | ||
|
|
4db0b68b6c |
BIN
0.20.2.tar.gz
BIN
0.20.2.tar.gz
Binary file not shown.
BIN
0.21.1.tar.gz
Normal file
BIN
0.21.1.tar.gz
Normal file
Binary file not shown.
22
CVE-2023-1729.patch
Normal file
22
CVE-2023-1729.patch
Normal file
@ -0,0 +1,22 @@
|
||||
From 9ab70f6dca19229cb5caad7cc31af4e7501bac93 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Tutubalin <lexa@lexa.ru>
|
||||
Date: Sat, 14 Jan 2023 18:32:59 +0300
|
||||
Subject: [PATCH] do not set shrink flag for 3/4 component images
|
||||
|
||||
---
|
||||
src/preprocessing/raw2image.cpp | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/preprocessing/raw2image.cpp b/src/preprocessing/raw2image.cpp
|
||||
index e65e2ad7..702cf290 100644
|
||||
--- a/src/preprocessing/raw2image.cpp
|
||||
+++ b/src/preprocessing/raw2image.cpp
|
||||
@@ -43,6 +43,8 @@ void LibRaw::raw2image_start()
|
||||
|
||||
// adjust for half mode!
|
||||
IO.shrink =
|
||||
+ !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image &&
|
||||
+ !imgdata.rawdata.float4_image && !imgdata.rawdata.float3_image &&
|
||||
P1.filters &&
|
||||
(O.half_size || ((O.threshold || O.aber[0] != 1 || O.aber[2] != 1)));
|
||||
|
||||
103
CVE-2025-43961_CVE-2025-43962.patch
Normal file
103
CVE-2025-43961_CVE-2025-43962.patch
Normal file
@ -0,0 +1,103 @@
|
||||
From 66fe663e02a4dd610b4e832f5d9af326709336c2 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Tutubalin <lexa@lexa.ru>
|
||||
Date: Sat, 1 Feb 2025 15:32:39 +0300
|
||||
Subject: [PATCH] Prevent out-of-bounds read in fuji 0xf00c tag parser
|
||||
|
||||
Prevent out-of-bounds read in fuji 0xf00c tag parser
|
||||
|
||||
prevent OOB reads in phase_one_correct
|
||||
---
|
||||
Changelog.txt | 5 +++++
|
||||
src/decoders/load_mfbacks.cpp | 18 ++++++++++++++----
|
||||
src/metadata/tiff.cpp | 28 +++++++++++++++++-----------
|
||||
3 files changed, 36 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
|
||||
index cddc33eb..1a1bdfb3 100644
|
||||
--- a/src/decoders/load_mfbacks.cpp
|
||||
+++ b/src/decoders/load_mfbacks.cpp
|
||||
@@ -490,6 +490,9 @@ int LibRaw::phase_one_correct()
|
||||
fseek(ifp, off_412, SEEK_SET);
|
||||
for (i = 0; i < 9; i++)
|
||||
head[i] = get4() & 0x7fff;
|
||||
+ unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
|
||||
+ if (w0 > 10240000 || w1 > 10240000)
|
||||
+ throw LIBRAW_EXCEPTION_ALLOC;
|
||||
yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
|
||||
yval[1] = (float *)(yval[0] + head[1] * head[3]);
|
||||
xval[0] = (ushort *)(yval[1] + head[2] * head[4]);
|
||||
@@ -514,10 +517,17 @@ int LibRaw::phase_one_correct()
|
||||
for (k = j = 0; j < head[1]; j++)
|
||||
if (num < xval[0][k = head[1] * i + j])
|
||||
break;
|
||||
- frac = (j == 0 || j == head[1])
|
||||
- ? 0
|
||||
- : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]);
|
||||
- mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac);
|
||||
+ if (j == 0 || j == head[1] || k < 1 || k >= w0+w1)
|
||||
+ frac = 0;
|
||||
+ else
|
||||
+ {
|
||||
+ int xdiv = (xval[0][k] - xval[0][k - 1]);
|
||||
+ frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0;
|
||||
+ }
|
||||
+ if (k < w0 + w1)
|
||||
+ mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * frac + yval[0][k] * (1 - frac);
|
||||
+ else
|
||||
+ mult[i - cip] = 0;
|
||||
}
|
||||
i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2;
|
||||
RAW(row, col) = LIM(i, 0, 65535);
|
||||
diff --git a/src/metadata/tiff.cpp b/src/metadata/tiff.cpp
|
||||
index baacdcad..5ec07a20 100644
|
||||
--- a/src/metadata/tiff.cpp
|
||||
+++ b/src/metadata/tiff.cpp
|
||||
@@ -1036,31 +1036,37 @@ int LibRaw::parse_tiff_ifd(int base)
|
||||
if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) &&
|
||||
(fwb[2] == rafdata[fi + 2])) // found Tungsten WB
|
||||
{
|
||||
- if (rafdata[fi - 15] !=
|
||||
+ if (fi > 14 && rafdata[fi - 15] !=
|
||||
fwb[0]) // 15 is offset of Tungsten WB from the first
|
||||
// preset, Fine Weather WB
|
||||
continue;
|
||||
- for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size();
|
||||
- wb_ind++, ofst += 3)
|
||||
- {
|
||||
- icWBC[Fuji_wb_list1[wb_ind]][1] =
|
||||
- icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
|
||||
- icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
|
||||
- icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
|
||||
- }
|
||||
+ if (fi >= 15)
|
||||
+ {
|
||||
+ for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size();
|
||||
+ wb_ind++, ofst += 3)
|
||||
+ {
|
||||
+ icWBC[Fuji_wb_list1[wb_ind]][1] =
|
||||
+ icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
|
||||
+ icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
|
||||
+ icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
|
||||
+ }
|
||||
+ }
|
||||
|
||||
if (is34)
|
||||
fi += 24;
|
||||
fi += 96;
|
||||
for (fj = fi; fj < (fi + 15); fj += 3) // looking for the end of the WB table
|
||||
{
|
||||
+ if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3)
|
||||
+ break;
|
||||
if (rafdata[fj] != rafdata[fi])
|
||||
{
|
||||
fj -= 93;
|
||||
if (is34)
|
||||
fj -= 9;
|
||||
-// printf ("wb start in DNG: 0x%04x\n", fj*2-0x4e);
|
||||
- for (int iCCT = 0, ofst = fj; iCCT < 31;
|
||||
+//printf ("wb start in DNG: 0x%04x\n", fj*2-0x4e);
|
||||
+ for (int iCCT = 0, ofst = fj; iCCT < 31
|
||||
+ && ofst < libraw_internal_data.unpacker_data.lenRAFData - 3;
|
||||
iCCT++, ofst += 3)
|
||||
{
|
||||
icWBCCTC[iCCT][0] = FujiCCT_K[iCCT];
|
||||
22
CVE-2025-43964.patch
Normal file
22
CVE-2025-43964.patch
Normal file
@ -0,0 +1,22 @@
|
||||
From a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Tutubalin <lexa@lexa.ru>
|
||||
Date: Sun, 2 Mar 2025 11:35:43 +0300
|
||||
Subject: [PATCH] additional checks in PhaseOne correction tag 0x412 processing
|
||||
|
||||
---
|
||||
src/decoders/load_mfbacks.cpp | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
|
||||
index f89aecce..95015d27 100644
|
||||
--- a/src/decoders/load_mfbacks.cpp
|
||||
+++ b/src/decoders/load_mfbacks.cpp
|
||||
@@ -495,6 +495,8 @@ int LibRaw::phase_one_correct()
|
||||
unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
|
||||
if (w0 > 10240000 || w1 > 10240000)
|
||||
throw LIBRAW_EXCEPTION_ALLOC;
|
||||
+ if (w0 < 1 || w1 < 1)
|
||||
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
|
||||
yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
|
||||
yval[1] = (float *)(yval[0] + head[1] * head[3]);
|
||||
xval[0] = (ushort *)(yval[1] + head[2] * head[4]);
|
||||
25
LibRaw-pkgconfig.patch
Normal file
25
LibRaw-pkgconfig.patch
Normal file
@ -0,0 +1,25 @@
|
||||
--- LibRaw-0.21.0/libraw.pc.in~ 2022-12-18 01:26:41.000000000 -0600
|
||||
+++ LibRaw-0.21.0/libraw.pc.in 2022-12-19 10:27:02.793929537 -0600
|
||||
@@ -6,7 +6,9 @@
|
||||
Name: libraw
|
||||
Description: Raw image decoder library (non-thread-safe)
|
||||
Requires: @PACKAGE_REQUIRES@
|
||||
+Requires.private: @PACKAGE_REQUIRES@
|
||||
Version: @PACKAGE_VERSION@
|
||||
-Libs: -L${libdir} -lraw -lstdc++@PC_OPENMP@
|
||||
+Libs: -L${libdir} -lraw@PC_OPENMP@
|
||||
+Libs.private: -lstdc++
|
||||
Libs.private: @PACKAGE_LIBS_PRIVATE@
|
||||
Cflags: -I${includedir}/libraw -I${includedir}
|
||||
--- LibRaw-0.21.0/libraw_r.pc.in~ 2022-12-18 01:26:41.000000000 -0600
|
||||
+++ LibRaw-0.21.0/libraw_r.pc.in 2022-12-19 10:28:30.620571338 -0600
|
||||
@@ -6,7 +6,8 @@
|
||||
Name: libraw
|
||||
Description: Raw image decoder library (thread-safe)
|
||||
Requires: @PACKAGE_REQUIRES@
|
||||
+Requires.private: @PACKAGE_REQUIRES@
|
||||
Version: @PACKAGE_VERSION@
|
||||
-Libs: -L${libdir} -lraw_r -lstdc++@PC_OPENMP@
|
||||
+Libs: -L${libdir} -lraw_r@PC_OPENMP@
|
||||
Libs.private: @PACKAGE_LIBS_PRIVATE@
|
||||
Cflags: -I${includedir}/libraw -I${includedir}
|
||||
37
LibRaw.spec
37
LibRaw.spec
@ -1,15 +1,19 @@
|
||||
Name: LibRaw
|
||||
Version: 0.20.2
|
||||
Version: 0.21.1
|
||||
Release: 4
|
||||
Summary: Library for reading RAW files obtained from digital photo cameras
|
||||
License: BSD and (CDDL or LGPLv2)
|
||||
License: BSD-3-Clause and (CDDL-1.0 or LGPL-2.1-only)
|
||||
URL: http://www.libraw.org
|
||||
Source0: http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz
|
||||
Patch0000: prevent-buffer-overrun-in-parse_rollei.patch
|
||||
Patch0001: fix-stack-buffer-overflow-in-LibRaw_buffer_datastream_gets.patch
|
||||
Patch0002: fix-use-of-uninitialized-value.patch
|
||||
Patch0: LibRaw-pkgconfig.patch
|
||||
Patch1: CVE-2023-1729.patch
|
||||
Patch2: backport-upstream_CVE-2025-43963.patch
|
||||
Patch3: CVE-2025-43961_CVE-2025-43962.patch
|
||||
Patch4: CVE-2025-43964.patch
|
||||
|
||||
BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg)
|
||||
BuildRequires: autoconf automake libtool
|
||||
BuildRequires: autoconf automake libtool make
|
||||
|
||||
Provides: bundled(dcraw) = 9.25
|
||||
%description
|
||||
LibRaw is a library for reading RAW files from digital photo cameras (CRW/CR2, NEF,
|
||||
@ -49,14 +53,10 @@ chmod 644 LICENSE.CDDL LICENSE.LGPL COPYRIGHT Changelog.txt manual/*.html
|
||||
rm -rfv samples/.deps samples/.dirstamp samples/*.o
|
||||
%delete_la
|
||||
|
||||
%post -p /sbin/ldconfig
|
||||
|
||||
%postun -p /sbin/ldconfig
|
||||
|
||||
%files
|
||||
%doc Changelog.txt
|
||||
%license LICENSE.CDDL LICENSE.LGPL COPYRIGHT
|
||||
%{_libdir}/{libraw,libraw_r}.so.20*
|
||||
%{_libdir}/{libraw,libraw_r}.so.23*
|
||||
|
||||
%files devel
|
||||
%doc manual samples
|
||||
@ -68,6 +68,21 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o
|
||||
%exclude %{_docdir}/libraw/*
|
||||
|
||||
%changelog
|
||||
* Thu Apr 24 2025 yaoxin <1024769339@qq.com> - 0.21.1-4
|
||||
- Fix CVE-2025-43961,CVE-2025-43962 and CVE-2025-43964
|
||||
|
||||
* Thu Apr 24 2025 hdliu <dev03108@linx-info.com> - 0.21.1-3
|
||||
- Fix CVE-2025-43963
|
||||
|
||||
* Mon May 15 2023 yaoxin <yao_xin001@hoperun.com> - 0.21.1-2
|
||||
- Fix CVE-2023-1729
|
||||
|
||||
* Thu Mar 02 2023 Li Long <lilong@kylinos.cn> - 0.21.1-1
|
||||
- Upgrade to 0.21.1
|
||||
|
||||
* Fri Feb 25 2022 xu_ping <xuping33@huawei.com> - 0.20.2-5
|
||||
- fix use of uninitialized value of makernotes.cpp and misc_parsers.cpp
|
||||
|
||||
* Thu Jun 3 2021 zhangjiapeng <zhangjiapeng9@huawei.com> - 0.20.2-4
|
||||
- fix use of uninitialized value
|
||||
|
||||
|
||||
35
backport-upstream_CVE-2025-43963.patch
Normal file
35
backport-upstream_CVE-2025-43963.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 131aac64a5d52a140cb94d7619755dcf1ae12160 Mon Sep 17 00:00:00 2001
|
||||
From: hdliu <hdliu@linx-info.com>
|
||||
Date: Mon, 21 Apr 2025 13:45:05 +0800
|
||||
Subject: [PATCH] prevent out-of-buffer access in phase_one_correct()
|
||||
|
||||
Signed-off-by: hdliu <hdliu@linx-info.com>
|
||||
---
|
||||
src/decoders/load_mfbacks.cpp | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
|
||||
index 493c785..c1c89ee 100644
|
||||
--- a/src/decoders/load_mfbacks.cpp
|
||||
+++ b/src/decoders/load_mfbacks.cpp
|
||||
@@ -348,7 +348,7 @@ int LibRaw::phase_one_correct()
|
||||
off_412 = ftell(ifp) - 38;
|
||||
}
|
||||
}
|
||||
- else if (tag == 0x041f && !qlin_applied)
|
||||
+ else if (tag == 0x041f && !qlin_applied && ph1.split_col > 0 && ph1.split_col < raw_width && ph1.split_row > 0 && ph1.split_row < raw_height)
|
||||
{ /* Quadrant linearization */
|
||||
ushort lc[2][2][16], ref[16];
|
||||
int qr, qc;
|
||||
@@ -425,7 +425,7 @@ int LibRaw::phase_one_correct()
|
||||
}
|
||||
qmult_applied = 1;
|
||||
}
|
||||
- else if (tag == 0x0431 && !qmult_applied)
|
||||
+ else if (tag == 0x0431 && !qmult_applied && ph1.split_col > 0 && ph1.split_col < raw_width && ph1.split_row > 0 && ph1.split_row < raw_height)
|
||||
{ /* Quadrant combined - four tile gain calibration */
|
||||
ushort lc[2][2][7], ref[7];
|
||||
int qr, qc;
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -1,50 +0,0 @@
|
||||
From e70ded8b0bc231f7ed3fd5d2e83d61bd18ef5e94 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Tutubalin <lexa@lexa.ru>
|
||||
Date: Thu, 3 Dec 2020 12:28:52 +0300
|
||||
Subject: [PATCH] LibRaw_buffer_datastream: gets() not always returns
|
||||
0-terminated string
|
||||
|
||||
Reverted back parse_rollei change
|
||||
---
|
||||
src/libraw_datastream.cpp | 7 +++++--
|
||||
src/metadata/misc_parsers.cpp | 1 -
|
||||
2 files changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/libraw_datastream.cpp b/src/libraw_datastream.cpp
|
||||
index 606e5de7..eaf071ee 100644
|
||||
--- a/src/libraw_datastream.cpp
|
||||
+++ b/src/libraw_datastream.cpp
|
||||
@@ -422,7 +422,7 @@ char *LibRaw_buffer_datastream::gets(char *s, int sz)
|
||||
psrc = buf + streampos;
|
||||
pdest = str;
|
||||
if(streampos >= streamsize) return NULL;
|
||||
- while ((size_t(psrc - buf) < streamsize) && ((pdest - str) < sz))
|
||||
+ while ((size_t(psrc - buf) < streamsize) && ((pdest - str) < (sz-1)))
|
||||
{
|
||||
*pdest = *psrc;
|
||||
if (*psrc == '\n')
|
||||
@@ -432,8 +432,11 @@ char *LibRaw_buffer_datastream::gets(char *s, int sz)
|
||||
}
|
||||
if (size_t(psrc - buf) < streamsize)
|
||||
psrc++;
|
||||
- if ((pdest - str) < sz)
|
||||
+ if ((pdest - str) < sz-1)
|
||||
*(++pdest) = 0;
|
||||
+ else
|
||||
+ s[sz - 1] = 0; // ensure trailing zero
|
||||
+
|
||||
streampos = psrc - buf;
|
||||
return s;
|
||||
}
|
||||
diff --git a/src/metadata/misc_parsers.cpp b/src/metadata/misc_parsers.cpp
|
||||
index 4e36e940..7a74c9f1 100644
|
||||
--- a/src/metadata/misc_parsers.cpp
|
||||
+++ b/src/metadata/misc_parsers.cpp
|
||||
@@ -304,7 +304,6 @@ void LibRaw::parse_rollei()
|
||||
line[0] = 0;
|
||||
if (!fgets(line, 128, ifp))
|
||||
break;
|
||||
- line[127] = 0;
|
||||
if(!line[0]) break; // zero-length
|
||||
if ((val = strchr(line, '=')))
|
||||
*val++ = 0;
|
||||
@ -1,20 +0,0 @@
|
||||
diff --git a/src/metadata/sony.cpp b/src/metadata/sony.cpp
|
||||
index 120340b..2e8dd49 100644
|
||||
--- a/src/metadata/sony.cpp
|
||||
+++ b/src/metadata/sony.cpp
|
||||
@@ -1071,6 +1071,7 @@ void LibRaw::parseSonyMakernotes(
|
||||
(len >= 196))
|
||||
{
|
||||
table_buf = (uchar *)malloc(len);
|
||||
+ memset(table_buf,0,len);
|
||||
fread(table_buf, len, 1, ifp);
|
||||
|
||||
lid = 0x01 << 2;
|
||||
@@ -1106,6 +1107,7 @@ void LibRaw::parseSonyMakernotes(
|
||||
(len >= 227))
|
||||
{
|
||||
table_buf = (uchar *)malloc(len);
|
||||
+ memset(table_buf,0,len);
|
||||
fread(table_buf, len, 1, ifp);
|
||||
|
||||
lid = 0x0;
|
||||
@ -1,21 +0,0 @@
|
||||
From 539d07dcaa64aed706c5bb4ada7213e3e1cd07d6 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Tutubalin <lexa@lexa.ru>
|
||||
Date: Mon, 30 Nov 2020 13:13:19 +0300
|
||||
Subject: [PATCH] prevent buffer overrun in parse_rollei
|
||||
|
||||
---
|
||||
src/metadata/misc_parsers.cpp | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/metadata/misc_parsers.cpp b/src/metadata/misc_parsers.cpp
|
||||
index 7a74c9f1..4e36e940 100644
|
||||
--- a/src/metadata/misc_parsers.cpp
|
||||
+++ b/src/metadata/misc_parsers.cpp
|
||||
@@ -304,6 +304,7 @@ void LibRaw::parse_rollei()
|
||||
line[0] = 0;
|
||||
if (!fgets(line, 128, ifp))
|
||||
break;
|
||||
+ line[127] = 0;
|
||||
if(!line[0]) break; // zero-length
|
||||
if ((val = strchr(line, '=')))
|
||||
*val++ = 0;
|
||||
Loading…
x
Reference in New Issue
Block a user