75 lines
2.3 KiB
Diff
75 lines
2.3 KiB
Diff
From e67a9862d10ebaa97712f532eca1eb5e2e410a22 Mon Sep 17 00:00:00 2001
|
|
From: Alex Tutubalin <lexa@lexa.ru>
|
|
Date: Thu, 22 Nov 2018 16:24:54 +0300
|
|
Subject: [PATCH] Fixed Secunia Advisory SA86384 - possible infinite loop
|
|
in unpacked_load_raw() - possible infinite loop in parse_rollei() -
|
|
possible infinite loop in parse_sinar_ia()
|
|
|
|
Credits: Laurent Delosieres, Secunia Research at Flexera
|
|
---
|
|
dcraw/dcraw.c | 4 +++-
|
|
internal/dcraw_common.cpp | 4 +++-
|
|
2 files changed, 6 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c
|
|
index c71874c..a78e67a 100644
|
|
--- a/dcraw/dcraw.c
|
|
+++ b/dcraw/dcraw.c
|
|
@@ -6592,7 +6592,7 @@ void CLASS parse_rollei()
|
|
fseek (ifp, 0, SEEK_SET);
|
|
memset (&t, 0, sizeof t);
|
|
do {
|
|
- fgets (line, 128, ifp);
|
|
+ if(!fgets(line, 128, ifp)) break;
|
|
if ((val = strchr(line,'=')))
|
|
*val++ = 0;
|
|
else
|
|
@@ -6630,6 +6630,7 @@ void CLASS parse_sinar_ia()
|
|
order = 0x4949;
|
|
fseek (ifp, 4, SEEK_SET);
|
|
entries = get4();
|
|
+ if(entries < 1 || entries > 8192) return;
|
|
fseek (ifp, get4(), SEEK_SET);
|
|
while (entries--) {
|
|
off = get4(); get4();
|
|
@@ -9621,6 +9622,7 @@ dng_skip:
|
|
}
|
|
if (!tiff_bps) tiff_bps = 12;
|
|
if (!maximum) maximum = (1 << tiff_bps) - 1;
|
|
+ if(maximum > 0xffff) maximum = 0xffff;
|
|
if (!load_raw || height < 22 || width < 22 ||
|
|
tiff_bps > 16 || tiff_samples > 6 || colors > 4)
|
|
is_raw = 0;
|
|
diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
|
|
index 29cc72f..a8a8e0f 100644
|
|
--- a/internal/dcraw_common.cpp
|
|
+++ b/internal/dcraw_common.cpp
|
|
@@ -14851,7 +14851,7 @@ void CLASS parse_rollei()
|
|
memset(&t, 0, sizeof t);
|
|
do
|
|
{
|
|
- fgets(line, 128, ifp);
|
|
+ if(!fgets(line, 128, ifp)) break;
|
|
if ((val = strchr(line, '=')))
|
|
*val++ = 0;
|
|
else
|
|
@@ -14889,6 +14889,7 @@ void CLASS parse_sinar_ia()
|
|
order = 0x4949;
|
|
fseek(ifp, 4, SEEK_SET);
|
|
entries = get4();
|
|
+ if(entries < 1 || entries > 8192) return;
|
|
fseek(ifp, get4(), SEEK_SET);
|
|
while (entries--)
|
|
{
|
|
@@ -19732,6 +19733,7 @@ dng_skip:
|
|
if (maximum < 0x10000 && curve[maximum] > 0 && load_raw == &CLASS sony_arw2_load_raw)
|
|
maximum = curve[maximum];
|
|
}
|
|
+ if(maximum > 0xffff) maximum = 0xffff;
|
|
if (!load_raw || height < 22 || width < 22 ||
|
|
#ifdef LIBRAW_LIBRARY_BUILD
|
|
(tiff_bps > 16 && load_raw != &LibRaw::deflate_dng_load_raw)
|
|
--
|
|
1.8.3.1
|
|
|