File libraw-CVE-2020-15503.patch of Package libraw.15684

Overview Repositories Revisions Requests Users Attributes Meta

File libraw-CVE-2020-15503.patch of Package libraw.15684

Index: LibRaw-0.18.9/libraw/libraw_const.h
===================================================================
--- LibRaw-0.18.9.orig/libraw/libraw_const.h	2020-07-07 14:55:39.414381456 +0200
+++ LibRaw-0.18.9/libraw/libraw_const.h	2020-07-07 14:57:32.407049474 +0200
@@ -25,6 +25,11 @@ it under the terms of the one of two lic
 #define LIBRAW_MAX_ALLOC_MB 2048L
 #endif
 
+/* limit thumbnail size, default is 512Mb*/
+#ifndef LIBRAW_MAX_THUMBNAIL_MB
+#define LIBRAW_MAX_THUMBNAIL_MB 512L
+#endif
+
 enum LibRaw_whitebalance_code
 {
 /*
Index: LibRaw-0.18.9/src/libraw_cxx.cpp
===================================================================
--- LibRaw-0.18.9.orig/src/libraw_cxx.cpp	2020-07-07 14:55:39.386381290 +0200
+++ LibRaw-0.18.9/src/libraw_cxx.cpp	2020-07-07 16:59:40.986748813 +0200
@@ -3281,6 +3281,20 @@ libraw_processed_image_t * LibRaw::dcraw
       return NULL;
     }
 
+  if (T.tlength < 64u)
+  {
+      if (errcode)
+          *errcode = EINVAL;
+      return NULL;
+  }
+
+  if (INT64(T.tlength) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB)
+  {
+      if (errcode)
+          *errcode = LIBRAW_DATA_ERROR;
+      return NULL;
+  }
+
   if (T.tformat == LIBRAW_THUMBNAIL_BITMAP)
     {
       libraw_processed_image_t * ret =
@@ -3533,6 +3547,12 @@ void LibRaw::kodak_thumb_loader()
 	if (ID.toffset + est_datasize > ID.input->size() + THUMB_READ_BEYOND)
 		throw LIBRAW_EXCEPTION_IO_EOF;
 
+  if(INT64(T.theight) * INT64(T.twidth) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB)
+      throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
+  if (INT64(T.theight) * INT64(T.twidth) < 64ULL)
+      throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
 	// some kodak cameras
   ushort s_height = S.height, s_width = S.width,s_iwidth = S.iwidth,s_iheight=S.iheight;
   ushort s_flags = libraw_internal_data.unpacker_data.load_flags;
@@ -3763,6 +3783,25 @@ int LibRaw::unpack_thumb(void)
 	CHECK_ORDER_LOW(LIBRAW_PROGRESS_IDENTIFY);
 	CHECK_ORDER_BIT(LIBRAW_PROGRESS_THUMB_LOAD);
 
+#define THUMB_SIZE_CHECKT(A) \
+  do { \
+    if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+    if (INT64(A) > 0 &&  INT64(A) < 64ULL)        throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+  } while (0)
+
+#define THUMB_SIZE_CHECKTNZ(A) \
+  do { \
+    if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+    if (INT64(A) < 64ULL)        throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+  } while (0)
+
+
+#define THUMB_SIZE_CHECKWH(W,H) \
+  do { \
+    if (INT64(W)*INT64(H) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+    if (INT64(W)*INT64(H) < 64ULL)        throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+  } while (0)
+
 	try {
 		if (!libraw_internal_data.internal_data.input)
 			return LIBRAW_INPUT_CLOSED;
@@ -3790,6 +3829,7 @@ int LibRaw::unpack_thumb(void)
 
 				if (INT64(ID.toffset) + tsize > ID.input->size() + THUMB_READ_BEYOND)
 					throw LIBRAW_EXCEPTION_IO_EOF;
+				THUMB_SIZE_CHECKT(tsize);
 			}
 			else
 			{
@@ -3803,6 +3843,7 @@ int LibRaw::unpack_thumb(void)
         ID.input->seek(ID.toffset, SEEK_SET);
         if ( write_thumb == &LibRaw::jpeg_thumb)
           {
+            THUMB_SIZE_CHECKTNZ(T.tlength);
             if(T.thumb) free(T.thumb);
             T.thumb = (char *) malloc (T.tlength);
             merror (T.thumb, "jpeg_thumb()");
@@ -3816,7 +3857,9 @@ int LibRaw::unpack_thumb(void)
           }
         else if (write_thumb == &LibRaw::ppm_thumb)
           {
+            THUMB_SIZE_CHECKWH(T.twidth, T.theight);
             T.tlength = T.twidth * T.theight*3;
+            THUMB_SIZE_CHECKTNZ(T.tlength);
             if(T.thumb) free(T.thumb);
 
             T.thumb = (char *) malloc (T.tlength);
@@ -3832,6 +3875,7 @@ int LibRaw::unpack_thumb(void)
         else if (write_thumb == &LibRaw::ppm16_thumb)
           {
             T.tlength = T.twidth * T.theight*3;
+            THUMB_SIZE_CHECKTNZ(T.tlength);
             ushort *t_thumb = (ushort*)calloc(T.tlength,2);
             ID.input->read(t_thumb,2,T.tlength);
             if ((libraw_internal_data.unpacker_data.order == 0x4949) == (ntohs(0x1234) == 0x1234))

Places

File libraw-CVE-2020-15503.patch of Package libraw.15684

Places