Compare commits


No commits in common. "c00c926055d7193bc06843e4fc2d0e219adfa04e" and "0131c6f68b45d535b02a68327cac54ae9dc84003" have entirely different histories.

11 changed files with 103 additions and 234 deletions

BIN
0.20.2.tar.gz Normal file

Binary file not shown.

Binary file not shown.


@ -1,22 +0,0 @@
From 9ab70f6dca19229cb5caad7cc31af4e7501bac93 Mon Sep 17 00:00:00 2001
From: Alex Tutubalin <lexa@lexa.ru>
Date: Sat, 14 Jan 2023 18:32:59 +0300
Subject: [PATCH] do not set shrink flag for 3/4 component images
---
src/preprocessing/raw2image.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/preprocessing/raw2image.cpp b/src/preprocessing/raw2image.cpp
index e65e2ad7..702cf290 100644
--- a/src/preprocessing/raw2image.cpp
+++ b/src/preprocessing/raw2image.cpp
@@ -43,6 +43,8 @@ void LibRaw::raw2image_start()
// adjust for half mode!
IO.shrink =
+ !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image &&
+ !imgdata.rawdata.float4_image && !imgdata.rawdata.float3_image &&
P1.filters &&
(O.half_size || ((O.threshold || O.aber[0] != 1 || O.aber[2] != 1)));


@ -1,103 +0,0 @@
From 66fe663e02a4dd610b4e832f5d9af326709336c2 Mon Sep 17 00:00:00 2001
From: Alex Tutubalin <lexa@lexa.ru>
Date: Sat, 1 Feb 2025 15:32:39 +0300
Subject: [PATCH] Prevent out-of-bounds read in fuji 0xf00c tag parser
Prevent out-of-bounds read in fuji 0xf00c tag parser
prevent OOB reads in phase_one_correct
---
Changelog.txt | 5 +++++
src/decoders/load_mfbacks.cpp | 18 ++++++++++++++----
src/metadata/tiff.cpp | 28 +++++++++++++++++-----------
3 files changed, 36 insertions(+), 15 deletions(-)
diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
index cddc33eb..1a1bdfb3 100644
--- a/src/decoders/load_mfbacks.cpp
+++ b/src/decoders/load_mfbacks.cpp
@@ -490,6 +490,9 @@ int LibRaw::phase_one_correct()
fseek(ifp, off_412, SEEK_SET);
for (i = 0; i < 9; i++)
head[i] = get4() & 0x7fff;
+ unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
+ if (w0 > 10240000 || w1 > 10240000)
+ throw LIBRAW_EXCEPTION_ALLOC;
yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
yval[1] = (float *)(yval[0] + head[1] * head[3]);
xval[0] = (ushort *)(yval[1] + head[2] * head[4]);
@@ -514,10 +517,17 @@ int LibRaw::phase_one_correct()
for (k = j = 0; j < head[1]; j++)
if (num < xval[0][k = head[1] * i + j])
break;
- frac = (j == 0 || j == head[1])
- ? 0
- : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]);
- mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac);
+ if (j == 0 || j == head[1] || k < 1 || k >= w0+w1)
+ frac = 0;
+ else
+ {
+ int xdiv = (xval[0][k] - xval[0][k - 1]);
+ frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0;
+ }
+ if (k < w0 + w1)
+ mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * frac + yval[0][k] * (1 - frac);
+ else
+ mult[i - cip] = 0;
}
i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2;
RAW(row, col) = LIM(i, 0, 65535);
diff --git a/src/metadata/tiff.cpp b/src/metadata/tiff.cpp
index baacdcad..5ec07a20 100644
--- a/src/metadata/tiff.cpp
+++ b/src/metadata/tiff.cpp
@@ -1036,31 +1036,37 @@ int LibRaw::parse_tiff_ifd(int base)
if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) &&
(fwb[2] == rafdata[fi + 2])) // found Tungsten WB
{
- if (rafdata[fi - 15] !=
+ if (fi > 14 && rafdata[fi - 15] !=
fwb[0]) // 15 is offset of Tungsten WB from the first
// preset, Fine Weather WB
continue;
- for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size();
- wb_ind++, ofst += 3)
- {
- icWBC[Fuji_wb_list1[wb_ind]][1] =
- icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
- icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
- icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
- }
+ if (fi >= 15)
+ {
+ for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size();
+ wb_ind++, ofst += 3)
+ {
+ icWBC[Fuji_wb_list1[wb_ind]][1] =
+ icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
+ icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
+ icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
+ }
+ }
if (is34)
fi += 24;
fi += 96;
for (fj = fi; fj < (fi + 15); fj += 3) // looking for the end of the WB table
{
+ if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3)
+ break;
if (rafdata[fj] != rafdata[fi])
{
fj -= 93;
if (is34)
fj -= 9;
-// printf ("wb start in DNG: 0x%04x\n", fj*2-0x4e);
- for (int iCCT = 0, ofst = fj; iCCT < 31;
+//printf ("wb start in DNG: 0x%04x\n", fj*2-0x4e);
+ for (int iCCT = 0, ofst = fj; iCCT < 31
+ && ofst < libraw_internal_data.unpacker_data.lenRAFData - 3;
iCCT++, ofst += 3)
{
icWBCCTC[iCCT][0] = FujiCCT_K[iCCT];


@ -1,22 +0,0 @@
From a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0 Mon Sep 17 00:00:00 2001
From: Alex Tutubalin <lexa@lexa.ru>
Date: Sun, 2 Mar 2025 11:35:43 +0300
Subject: [PATCH] additional checks in PhaseOne correction tag 0x412 processing
---
src/decoders/load_mfbacks.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
index f89aecce..95015d27 100644
--- a/src/decoders/load_mfbacks.cpp
+++ b/src/decoders/load_mfbacks.cpp
@@ -495,6 +495,8 @@ int LibRaw::phase_one_correct()
unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
if (w0 > 10240000 || w1 > 10240000)
throw LIBRAW_EXCEPTION_ALLOC;
+ if (w0 < 1 || w1 < 1)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
yval[1] = (float *)(yval[0] + head[1] * head[3]);
xval[0] = (ushort *)(yval[1] + head[2] * head[4]);


@ -1,25 +0,0 @@
--- LibRaw-0.21.0/libraw.pc.in~ 2022-12-18 01:26:41.000000000 -0600
+++ LibRaw-0.21.0/libraw.pc.in 2022-12-19 10:27:02.793929537 -0600
@@ -6,7 +6,9 @@
Name: libraw
Description: Raw image decoder library (non-thread-safe)
Requires: @PACKAGE_REQUIRES@
+Requires.private: @PACKAGE_REQUIRES@
Version: @PACKAGE_VERSION@
-Libs: -L${libdir} -lraw -lstdc++@PC_OPENMP@
+Libs: -L${libdir} -lraw@PC_OPENMP@
+Libs.private: -lstdc++
Libs.private: @PACKAGE_LIBS_PRIVATE@
Cflags: -I${includedir}/libraw -I${includedir}
--- LibRaw-0.21.0/libraw_r.pc.in~ 2022-12-18 01:26:41.000000000 -0600
+++ LibRaw-0.21.0/libraw_r.pc.in 2022-12-19 10:28:30.620571338 -0600
@@ -6,7 +6,8 @@
Name: libraw
Description: Raw image decoder library (thread-safe)
Requires: @PACKAGE_REQUIRES@
+Requires.private: @PACKAGE_REQUIRES@
Version: @PACKAGE_VERSION@
-Libs: -L${libdir} -lraw_r -lstdc++@PC_OPENMP@
+Libs: -L${libdir} -lraw_r@PC_OPENMP@
Libs.private: @PACKAGE_LIBS_PRIVATE@
Cflags: -I${includedir}/libraw -I${includedir}


@ -1,19 +1,15 @@
Name: LibRaw
Version: 0.21.1
Version: 0.20.2
Release: 4
Summary: Library for reading RAW files obtained from digital photo cameras
License: BSD-3-Clause and (CDDL-1.0 or LGPL-2.1-only)
License: BSD and (CDDL or LGPLv2)
URL: http://www.libraw.org
Source0: http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz
Patch0: LibRaw-pkgconfig.patch
Patch1: CVE-2023-1729.patch
Patch2: backport-upstream_CVE-2025-43963.patch
Patch3: CVE-2025-43961_CVE-2025-43962.patch
Patch4: CVE-2025-43964.patch
BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg)
BuildRequires: autoconf automake libtool make
Patch0000: prevent-buffer-overrun-in-parse_rollei.patch
Patch0001: fix-stack-buffer-overflow-in-LibRaw_buffer_datastream_gets.patch
Patch0002: fix-use-of-uninitialized-value.patch
BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg)
BuildRequires: autoconf automake libtool
Provides: bundled(dcraw) = 9.25
%description
LibRaw is a library for reading RAW files from digital photo cameras (CRW/CR2, NEF,
@ -53,10 +49,14 @@ chmod 644 LICENSE.CDDL LICENSE.LGPL COPYRIGHT Changelog.txt manual/*.html
rm -rfv samples/.deps samples/.dirstamp samples/*.o
%delete_la
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%doc Changelog.txt
%license LICENSE.CDDL LICENSE.LGPL COPYRIGHT
%{_libdir}/{libraw,libraw_r}.so.23*
%{_libdir}/{libraw,libraw_r}.so.20*
%files devel
%doc manual samples
@ -68,21 +68,6 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o
%exclude %{_docdir}/libraw/*
%changelog
* Thu Apr 24 2025 yaoxin <1024769339@qq.com> - 0.21.1-4
- Fix CVE-2025-43961,CVE-2025-43962 and CVE-2025-43964
* Thu Apr 24 2025 hdliu <dev03108@linx-info.com> - 0.21.1-3
- Fix CVE-2025-43963
* Mon May 15 2023 yaoxin <yao_xin001@hoperun.com> - 0.21.1-2
- Fix CVE-2023-1729
* Thu Mar 02 2023 Li Long <lilong@kylinos.cn> - 0.21.1-1
- Upgrade to 0.21.1
* Fri Feb 25 2022 xu_ping <xuping33@huawei.com> - 0.20.2-5
- fix use of uninitialized value of makernotes.cpp and misc_parsers.cpp
* Thu Jun 3 2021 zhangjiapeng <zhangjiapeng9@huawei.com> - 0.20.2-4
- fix use of uninitialized value
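Review bot: The Patch list on the new side no longer carries `CVE-2023-1729.patch`, `backport-upstream_CVE-2025-43963.patch`, `CVE-2025-43961_CVE-2025-43962.patch` or `CVE-2025-43964.patch`, while `Version` moves from 0.21.1 to 0.20.2 (reading the second line of each printed pair as the new side, which the `-1,19 +1,15` count supports). If this side is what gets built, the bounds checks those patches add in `phase_one_correct()`, the Fuji 0xf00c tag parser and `raw2image_start()` are not applied, and nothing on the page shows 0.20.2 carrying equivalents. Each of the four CVEs should be checked against the 0.20.2 sources and the fix re-backported as a `PatchNNNN:` entry wherever the affected code exists. The `%changelog` hunk also drops the entries that recorded those fixes, so a changelog line stating which CVEs remain open or were re-applied would keep the package history auditable.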


@ -1,35 +0,0 @@
From 131aac64a5d52a140cb94d7619755dcf1ae12160 Mon Sep 17 00:00:00 2001
From: hdliu <hdliu@linx-info.com>
Date: Mon, 21 Apr 2025 13:45:05 +0800
Subject: [PATCH] prevent out-of-buffer access in phase_one_correct()
Signed-off-by: hdliu <hdliu@linx-info.com>
---
src/decoders/load_mfbacks.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
index 493c785..c1c89ee 100644
--- a/src/decoders/load_mfbacks.cpp
+++ b/src/decoders/load_mfbacks.cpp
@@ -348,7 +348,7 @@ int LibRaw::phase_one_correct()
off_412 = ftell(ifp) - 38;
}
}
- else if (tag == 0x041f && !qlin_applied)
+ else if (tag == 0x041f && !qlin_applied && ph1.split_col > 0 && ph1.split_col < raw_width && ph1.split_row > 0 && ph1.split_row < raw_height)
{ /* Quadrant linearization */
ushort lc[2][2][16], ref[16];
int qr, qc;
@@ -425,7 +425,7 @@ int LibRaw::phase_one_correct()
}
qmult_applied = 1;
}
- else if (tag == 0x0431 && !qmult_applied)
+ else if (tag == 0x0431 && !qmult_applied && ph1.split_col > 0 && ph1.split_col < raw_width && ph1.split_row > 0 && ph1.split_row < raw_height)
{ /* Quadrant combined - four tile gain calibration */
ushort lc[2][2][7], ref[7];
int qr, qc;
--
2.33.0


@ -0,0 +1,50 @@
From e70ded8b0bc231f7ed3fd5d2e83d61bd18ef5e94 Mon Sep 17 00:00:00 2001
From: Alex Tutubalin <lexa@lexa.ru>
Date: Thu, 3 Dec 2020 12:28:52 +0300
Subject: [PATCH] LibRaw_buffer_datastream: gets() not always returns
0-terminated string
Reverted back parse_rollei change
---
src/libraw_datastream.cpp | 7 +++++--
src/metadata/misc_parsers.cpp | 1 -
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/libraw_datastream.cpp b/src/libraw_datastream.cpp
index 606e5de7..eaf071ee 100644
--- a/src/libraw_datastream.cpp
+++ b/src/libraw_datastream.cpp
@@ -422,7 +422,7 @@ char *LibRaw_buffer_datastream::gets(char *s, int sz)
psrc = buf + streampos;
pdest = str;
if(streampos >= streamsize) return NULL;
- while ((size_t(psrc - buf) < streamsize) && ((pdest - str) < sz))
+ while ((size_t(psrc - buf) < streamsize) && ((pdest - str) < (sz-1)))
{
*pdest = *psrc;
if (*psrc == '\n')
@@ -432,8 +432,11 @@ char *LibRaw_buffer_datastream::gets(char *s, int sz)
}
if (size_t(psrc - buf) < streamsize)
psrc++;
- if ((pdest - str) < sz)
+ if ((pdest - str) < sz-1)
*(++pdest) = 0;
+ else
+ s[sz - 1] = 0; // ensure trailing zero
+
streampos = psrc - buf;
return s;
}
diff --git a/src/metadata/misc_parsers.cpp b/src/metadata/misc_parsers.cpp
index 4e36e940..7a74c9f1 100644
--- a/src/metadata/misc_parsers.cpp
+++ b/src/metadata/misc_parsers.cpp
@@ -304,7 +304,6 @@ void LibRaw::parse_rollei()
line[0] = 0;
if (!fgets(line, 128, ifp))
break;
- line[127] = 0;
if(!line[0]) break; // zero-length
if ((val = strchr(line, '=')))
*val++ = 0;
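Review bot: In the second `gets()` hunk, the new fallback `s[sz - 1] = 0;` and the new loop bound `(pdest - str) < (sz-1)` both assume `sz >= 1`; with `sz == 0` the store lands one byte before `s`. No guard on `sz` is visible in either hunk (the function starts above the first one), so an early `if (sz < 1) return NULL;` next to the existing `streampos >= streamsize` check would close that. Separately, when the loop stops without reaching `'\n'`, `pdest` appears to already point past the last copied byte, so `*(++pdest) = 0` would leave one byte unwritten before the terminator. The loop's increment lines fall between the two hunks, so this needs confirming against the full function.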


@ -0,0 +1,20 @@
diff --git a/src/metadata/sony.cpp b/src/metadata/sony.cpp
index 120340b..2e8dd49 100644
--- a/src/metadata/sony.cpp
+++ b/src/metadata/sony.cpp
@@ -1071,6 +1071,7 @@ void LibRaw::parseSonyMakernotes(
(len >= 196))
{
table_buf = (uchar *)malloc(len);
+ memset(table_buf,0,len);
fread(table_buf, len, 1, ifp);
lid = 0x01 << 2;
@@ -1106,6 +1107,7 @@ void LibRaw::parseSonyMakernotes(
(len >= 227))
{
table_buf = (uchar *)malloc(len);
+ memset(table_buf,0,len);
fread(table_buf, len, 1, ifp);
lid = 0x0;
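Review bot: Both hunks zero `table_buf` but still ignore the result of `fread(table_buf, len, 1, ifp);`, so a truncated or failed read is parsed as an all-zero table instead of being rejected. The `memset` removes the uninitialized read, but a check such as `if (fread(table_buf, len, 1, ifp) != 1) { free(table_buf); return; }` would stop the zero-filled buffer from being interpreted as makernote data; the exact cleanup depends on code outside the hunks. As a smaller style point, `table_buf = (uchar *)calloc(len, 1);` does the allocation and zeroing in one call. Whether `malloc` can return NULL here is not visible on the page, so the unconditional `memset` is worth confirming against the allocator in use.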


@ -0,0 +1,21 @@
From 539d07dcaa64aed706c5bb4ada7213e3e1cd07d6 Mon Sep 17 00:00:00 2001
From: Alex Tutubalin <lexa@lexa.ru>
Date: Mon, 30 Nov 2020 13:13:19 +0300
Subject: [PATCH] prevent buffer overrun in parse_rollei
---
src/metadata/misc_parsers.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/metadata/misc_parsers.cpp b/src/metadata/misc_parsers.cpp
index 7a74c9f1..4e36e940 100644
--- a/src/metadata/misc_parsers.cpp
+++ b/src/metadata/misc_parsers.cpp
@@ -304,6 +304,7 @@ void LibRaw::parse_rollei()
line[0] = 0;
if (!fgets(line, 128, ifp))
break;
+ line[127] = 0;
if(!line[0]) break; // zero-length
if ((val = strchr(line, '=')))
*val++ = 0;
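Review bot: The added `line[127] = 0;` hard-codes the last index of a buffer whose declaration is outside the hunk, mirroring the literal `128` passed to `fgets`. If `line` is a local array, `line[sizeof(line) - 1] = 0;` together with `fgets(line, sizeof(line), ifp)` would keep the terminator tied to the real buffer size. A short comment such as `// datastream gets() may not 0-terminate a full-length line` would explain why the store is needed after a call that normally terminates its output. The other `misc_parsers.cpp` patch on this page removes this same line again, so after both are applied the termination guarantee rests entirely on the `gets()` change.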