maekke      15/05/22 21:28:52

  Added:                ufraw-0.21-CVE-2015-3885.patch
  Log:
  bump for security bug #549344
  
  (Portage version: 2.2.19/cvs/Linux x86_64, signed Manifest commit with key 072AD062)

Revision  Changes    Path
1.1                  media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch?rev=1.1&content-type=text/plain

Index: ufraw-0.21-CVE-2015-3885.patch
===================================================================
From 6b4ff65c6fc1a88eaa7bfc1ee5a25413d171b5f7 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <[email protected]>
Date: Thu, 21 May 2015 13:47:29 +0200
Subject: [PATCH] patch: CVE-2015-3885

Squashed commit of the following:

commit 8f2a2348638f74e059069d98a6329fcc656ae4b5
Author: Nils Philippsen <[email protected]>
Date:   Tue May 19 11:36:57 2015 +0200

    CVE-2015-3885: avoid overflowing array

    When reading raw image files containing lossless JPEG data, headers
    could be manipulated to make the signed int variable 'len' negative
    which specifies how much actual data follows. Interpreted as unsigned,
    this could lead to reading file data past the 64k boundary of the array
    used for storing it. To avoid that, make 'len' unsigned short, and bail
    out early if its value would become invalid (i.e. <= 0).
---
 dcraw.cc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/dcraw.cc b/dcraw.cc
index 75ea121..d9f96ff 100644
--- a/dcraw.cc
+++ b/dcraw.cc
@@ -934,7 +934,8 @@ struct jhead {
 
 int CLASS ljpeg_start (struct jhead *jh, int info_only)
 {
-  int c, tag, len;
+  int c, tag;
+  ushort len;
   uchar data[0x10000];
   const uchar *dp;
 
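Review bot: Changing `len` to `ushort` makes the upper bound implicit: the largest payload the new code can request is 0xffff - 2, which fits `uchar data[0x10000]` only because the two constants happen to agree. A comment next to the declaration, or an explicit `if (len > sizeof data) return 0;` in the length check, would keep that relationship visible if `data` is ever resized.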
@@ -945,8 +946,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
   do {
     fread (data, 2, 2, ifp);
     tag =  data[0] << 8 | data[1];
-    len = (data[2] << 8 | data[3]) - 2;
-    if (tag <= 0xff00) return 0;
+    len = (data[2] << 8 | data[3]);
+    if (tag <= 0xff00 || len <= 2) return 0;
+    len -= 2;
     fread (data, 1, len, ifp);
     switch (tag) {
       case 0xffc3:
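Review bot: `len <= 2` also rejects a segment whose length field is exactly 2 (no payload), which the old code accepted by reading zero bytes; this matches the commit message's intent of bailing out at `<= 0`, but it is a behaviour change for inputs containing empty segments and deserves a sentence in the message. Separately, the return value of `fread (data, 1, len, ifp)` is still unchecked, so a truncated file leaves the tail of `data` stale; comparing it against `len` would close that gap.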
-- 
2.4.1
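The commit message describes the failure mode in words: a 16-bit length field of 0 or 1 makes `(data[2] << 8 | data[3]) - 2` negative, and `fread` converts that negative `int` to a huge `size_t`. The following C program is an added illustration, not part of the patch or of the dcraw.cc sources; it reimplements the removed and the added length computation side by side on constructed 4-byte segment headers and checks which values stay inside a 0x10000-byte buffer. The header arrays, `DATA_SIZE`, and the function names are assumptions made for this example.

```c
#include <assert.h>
#include <stddef.h>

typedef unsigned char uchar;
typedef unsigned short ushort;

#define DATA_SIZE 0x10000   /* size of uchar data[] in ljpeg_start (assumed from the hunk) */

/* Constructed segment headers: 2-byte marker followed by the big-endian
 * segment length, which in JPEG includes the two length bytes themselves. */
static const uchar HDR_LEN_ZERO[4] = {0xff, 0xc3, 0x00, 0x00}; /* length 0: underflows */
static const uchar HDR_LEN_ONE[4]  = {0xff, 0xc3, 0x00, 0x01}; /* length 1: underflows */
static const uchar HDR_LEN_TWO[4]  = {0xff, 0xc3, 0x00, 0x02}; /* empty payload */
static const uchar HDR_LEN_FIVE[4] = {0xff, 0xc3, 0x00, 0x05}; /* 3 payload bytes */
static const uchar HDR_LEN_MAX[4]  = {0xff, 0xc3, 0xff, 0xff}; /* largest encodable */
static const uchar HDR_BAD_TAG[4]  = {0xff, 0x00, 0x00, 0x05}; /* tag <= 0xff00 */

/* Pre-patch arithmetic on a signed int, as in the removed line. */
int old_payload_len(const uchar hdr[4])
{
    int len = (hdr[2] << 8 | hdr[3]) - 2;
    return len;
}

/* The count fread() would actually receive for the old computation: the int
 * is converted to size_t, so -2 becomes SIZE_MAX - 1. */
size_t old_fread_count(const uchar hdr[4])
{
    return (size_t)old_payload_len(hdr);
}

/* Post-patch logic. Returns -1 where ljpeg_start would bail out (bad tag or
 * len <= 2); otherwise the payload length, which is always 1..0xfffd. */
int new_payload_len(const uchar hdr[4])
{
    int tag = hdr[0] << 8 | hdr[1];
    ushort len = (ushort)(hdr[2] << 8 | hdr[3]);
    if (tag <= 0xff00 || len <= 2)
        return -1;
    len -= 2;
    return len;
}

/* Would a read of 'count' bytes stay inside data[DATA_SIZE]? */
int fits_in_data(size_t count)
{
    return count <= DATA_SIZE;
}

/* Largest payload the patched code can ever request: 0xffff - 2. This is
 * what makes the ushort choice sufficient for the 0x10000-byte buffer. */
size_t new_max_payload(void)
{
    ushort len = 0xffff;
    len -= 2;
    return len;
}

int main(void)
{
    /* Old code: a zero length field yields -2, which fread sees as a huge count. */
    assert(old_payload_len(HDR_LEN_ZERO) == -2);
    assert(!fits_in_data(old_fread_count(HDR_LEN_ZERO)));
    /* New code: the same header is rejected before any read happens. */
    assert(new_payload_len(HDR_LEN_ZERO) == -1);
    assert(new_payload_len(HDR_LEN_FIVE) == 3);
    assert(fits_in_data(new_max_payload()));
    return 0;
}
```

Because the length field is only 16 bits wide, the old arithmetic could never exceed 0xfffd either; the only out-of-range values were the negative ones produced by length fields of 0 or 1, which is exactly what the `len <= 2` check now intercepts (at the cost of also rejecting an empty segment with length field 2).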
