From 131aac64a5d52a140cb94d7619755dcf1ae12160 Mon Sep 17 00:00:00 2001
From: hdliu <hdliu@linx-info.com>
Date: Mon, 21 Apr 2025 13:45:05 +0800
Subject: [PATCH] prevent out-of-buffer access in phase_one_correct()

Signed-off-by: hdliu <hdliu@linx-info.com>
---
 src/decoders/load_mfbacks.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
index 493c785..c1c89ee 100644
--- a/src/decoders/load_mfbacks.cpp
+++ b/src/decoders/load_mfbacks.cpp
@@ -348,7 +348,7 @@ int LibRaw::phase_one_correct()
           off_412 = ftell(ifp) - 38;
         }
       }
-      else if (tag == 0x041f && !qlin_applied)
+      else if (tag == 0x041f && !qlin_applied && ph1.split_col > 0 && ph1.split_col < raw_width && ph1.split_row > 0 && ph1.split_row < raw_height)
       { /* Quadrant linearization */
         ushort lc[2][2][16], ref[16];
         int qr, qc;
@@ -425,7 +425,7 @@ int LibRaw::phase_one_correct()
         }
         qmult_applied = 1;
       }
-      else if (tag == 0x0431 && !qmult_applied)
+      else if (tag == 0x0431 && !qmult_applied && ph1.split_col > 0 && ph1.split_col < raw_width && ph1.split_row > 0 && ph1.split_row < raw_height)
       { /* Quadrant combined - four tile gain calibration */
         ushort lc[2][2][7], ref[7];
         int qr, qc;
-- 
2.33.0