Hi, We received a patch that was submitted as a security issue in response to the announcement of the KDE SC 4.11.3 tarballs to packagers. As it is a patch against your project and we consider it non-trivial, we would like you to comment on whether it should be part of KDE SC or not. If so, please update libkdcraw for all relevant branches.
/Regards Torgny Nyblom Release team ---------- Forwarded Message ---------- Subject: Re: KDE SC 4.11.3 tarballs Date: Sunday 03 November 2013, 16.52.57 From: José Manuel Santamaría Lema <panfa...@gmail.com> To: kde-packa...@kde.org Torgny Nyblom <nyb...@kde.org> > Hi, > > The tarballs for the 4.11.3 release are now available in the usual > location. > > I've not compiled them so please report any issues you find. > > sha1 sums and revisions/hashes are attached. > > /Regards > Torgny About libkdcraw I'm inclined to think it should include the attached patch before releasing 4.11.3. [...] -----------------------------------------
Description: fix denial of service via crafted photo files
Origin: backport, https://github.com/LibRaw/LibRaw/commit/c4e374ea6c979a7d1d968f5082b7d0ea8cd27202
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721338
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721231
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721239
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721340
Index: libkdcraw/libraw/internal/dcraw_common.cpp
===================================================================
--- libkdcraw.orig/libraw/internal/dcraw_common.cpp 2013-10-01 20:08:24.478682563 +0200
+++ libkdcraw/libraw/internal/dcraw_common.cpp 2013-10-01 20:08:24.474682721 +0200
@@ -606,7 +606,10 @@ int CLASS ljpeg_diff (ushort *huff) { int len, diff; - +#ifdef LIBRAW_LIBRARY_BUILD + if(!huff) + throw LIBRAW_EXCEPTION_IO_CORRUPT; +#endif len = gethuff(huff); if (len == 16 && (!dng_version || dng_version >= 0x1010000)) return -32768;
@@ -620,6 +623,8 @@ int CLASS ljpeg_diff_new (LibRaw_bit_buffer& bits, LibRaw_byte_buffer* buf,ushort *huff) { int len, diff; + if(!huff || !buf) + throw LIBRAW_EXCEPTION_IO_CORRUPT; len = bits._gethuff_lj(buf,*huff,huff+1); if (len == 16 && (!dng_version || dng_version >= 0x1010000))
@@ -742,6 +747,10 @@ if (!ljpeg_start (&jh, 0)) return; +#ifdef LIBRAW_LIBRARY_BUILD + if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1) + throw LIBRAW_EXCEPTION_IO_CORRUPT; +#endif jwide = jh.wide * jh.clrs; #ifdef LIBRAW_LIBRARY_BUILD
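Review bot: The `if(!huff)` guard in ljpeg_diff is compiled only under LIBRAW_LIBRARY_BUILD, while the matching `if(!huff || !buf)` guard in the ljpeg_diff_new hunk is unconditional, so a reader has to infer why the two differ; presumably ljpeg_diff_new exists only in the library build, but nothing in the hunk records that. A one-line comment above the ifdef, `/* non-library builds keep dcraw's original behaviour: a NULL table reaches gethuff() */`, would make the knowingly unguarded path explicit. Both throws report the crafted file as LIBRAW_EXCEPTION_IO_CORRUPT, which is the right outcome for a missing table rather than a crash. The bodies of both functions continue past their hunks.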
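Review bot: The new `jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1` check in lossless_jpeg_load_raw only rejects non-positive values; `jwide = jh.wide * jh.clrs;` on the next line and `slices = slicesWcnt * jh.high` in the following hunk still multiply file-supplied dimensions with no upper bound, while the thumbnail hunk later in this same patch already caps `jh.wide`/`jh.high` below 0x10000. I would extend the guard to `if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1 || (unsigned)jh.wide >= 0x10000 || (unsigned)jh.high >= 0x10000)` and, if `jh.clrs` has a known maximum for this decoder, bound it as well. The declared types of the jhead fields are not visible here, so whether the products overflow a signed int is inferred from the values a crafted header can carry. The function's body continues outside the hunk on both sides.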
@@ -755,18 +764,25 @@ { // not sliced slicesW[slicesWcnt++] = raw_width; // safe fallback + + } - - slices = slicesWcnt * jh.high; - offset = (unsigned*)calloc(slices+1,sizeof(offset[0])); - for(slice=0;slice<slices;slice++) - { - offset[slice] = (t_x + t_y * raw_width)| (t_s<<28); - if((offset[slice] & 0x0fffffff) >= raw_width * raw_height) - throw LIBRAW_EXCEPTION_IO_BADFILE; - t_y++; - if(t_y == jh.high) + slices = slicesWcnt * jh.high; + if(!slices) + throw LIBRAW_EXCEPTION_IO_CORRUPT; + offset = (unsigned*)calloc(slices+1,sizeof(offset[0])); + + for(slice=0;slice<slices;slice++) + { + offset[slice] = (t_x + t_y * raw_width)| (t_s<<28); + if((offset[slice] & 0x0fffffff) >= raw_width * raw_height) + { + free(offset); + throw LIBRAW_EXCEPTION_IO_BADFILE; + } + t_y++; + if(t_y == jh.high) { t_y = 0; t_x += slicesW[t_s++];
@@ -817,12 +833,28 @@ pixno++; if (0 == --pixelsInSlice) { + if(slice > slices) + { + free(offset); + throw LIBRAW_EXCEPTION_IO_CORRUPT; + } unsigned o = offset[slice++]; pixno = o & 0x0fffffff; pixelsInSlice = slicesW[o>>28]; } } #endif + + if(row>raw_height) +#ifdef LIBRAW_LIBRARY_BUILD + { + free(offset); + throw LIBRAW_EXCEPTION_IO_CORRUPT; + } +#else + longjmp (failure, 3); +#endif + if (raw_width == 3984 && (col -= 2) < 0) col += (row--,raw_width); if (row >= 0) RAW(row,col) = val;
@@ -5135,6 +5167,7 @@ data_offset = get4()+base; ifd++; break; } + if(len > 1000) len=1000; /* 1000 SubIFDs is enough */ while (len--) { i = ftell(ifp); fseek (ifp, get4()+base, SEEK_SET);
@@ -5353,7 +5386,7 @@ break; case 50715: /* BlackLevelDeltaH */ case 50716: /* BlackLevelDeltaV */ - for (num=i=0; i < len; i++) + for (num=i=0; i < len && i < 65536; i++) num += getreal(type); black += num/len + 0.5; break;
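Review bot: The re-added `offset = (unsigned*)calloc(slices+1,sizeof(offset[0]));` still has no NULL check, so an allocation failure for a large `slices` is dereferenced on the first loop iteration, and `slicesWcnt * jh.high` is exactly the kind of file-driven value that can make calloc fail. I would add `if(!offset) throw LIBRAW_EXCEPTION_ALLOC;` directly after the calloc, which mirrors the exception the datastream hunk of this patch already uses. The new `if(!slices)` test also does not catch a product that wrapped around; if `slices` is a signed int (its declaration is outside the hunk), a wrapped negative value passes the zero test and becomes a huge size_t for calloc, so an upper bound on the factors would be the stronger check. The `free(offset)` before the BADFILE throw correctly closes the leak the old code had on that path. The function continues outside the hunk.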
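Review bot: `if(row>raw_height)` lets `row == raw_height` through to `RAW(row,col) = val;` a few lines later, and the `>= raw_width * raw_height` bound applied to offsets in the previous hunk shows that valid rows end at raw_height-1, so this check is off by one. Guarding the write itself is the safer place: `if (row >= 0 && row < raw_height && col < raw_width) RAW(row,col) = val;`, which also covers the `(row--,raw_width)` adjustment and the resulting `col` (how `col` is derived is outside the hunk, so the column bound is inferred). The `slice > slices` test is consistent with the `slices+1` entries calloc'd in the previous hunk, so reading `offset[slices]` yields the zeroed sentinel rather than an overrun. The enclosing loop starts and ends outside the hunk.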
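Review bot: Capping the loop at `i < len && i < 65536` leaves the divisor in `black += num/len + 0.5;` at the full `len`, so for a tag that claims more than 65536 values the sum is divided by a count the loop never reached and the black level is skewed rather than merely bounded. Since the cap is a DoS limit on an untrusted count, compute it once and use it in both places, e.g. `int cnt = len < 65536 ? len : 65536; for (num=i=0; i < cnt; i++) num += getreal(type); black += num/cnt + 0.5;`. Whether that is exactly right depends on the types of `len` and `num`, which are declared outside the hunk. The `len > 1000` SubIFD clamp in the preceding hunk is a similar silent truncation, and both literals would read better as named limits.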
@@ -5486,9 +5519,12 @@ if (thumb_offset) { fseek (ifp, thumb_offset, SEEK_SET); if (ljpeg_start (&jh, 1)) { - thumb_misc = jh.bits; - thumb_width = jh.wide; - thumb_height = jh.high; + if((unsigned)jh.bits<17 && (unsigned)jh.wide < 0x10000 && (unsigned)jh.high < 0x10000) + { + thumb_misc = jh.bits; + thumb_width = jh.wide; + thumb_height = jh.high; + } } } for (i=0; i < tiff_nifds; i++) {
@@ -5496,7 +5532,8 @@ max_samp = tiff_ifd[i].samples; if (max_samp > 3) max_samp = 3; if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) && - (tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 && + unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 && + (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 && tiff_ifd[i].t_width*tiff_ifd[i].t_height > raw_width*raw_height) { raw_width = tiff_ifd[i].t_width; raw_height = tiff_ifd[i].t_height;
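Review bot: `(unsigned)jh.bits<17 && (unsigned)jh.wide < 0x10000 && (unsigned)jh.high < 0x10000` accepts zero for all three fields, whereas the lossless_jpeg_load_raw hunk earlier in this patch rejects `jh.bits <1`, `jh.wide<1` and `jh.high<1` as corrupt, so the two header validations disagree on what a usable JPEG header is. Rejecting zero here as well keeps them consistent: `if(jh.bits>0 && (unsigned)jh.bits<17 && jh.wide>0 && (unsigned)jh.wide < 0x10000 && jh.high>0 && (unsigned)jh.high < 0x10000)`. When the check fails, thumb_misc/thumb_width/thumb_height silently keep their earlier values although the fseek to thumb_offset has already happened; if leaving them untouched is the intended fallback, a one-line comment saying so would help, because the old code always overwrote them. The enclosing function starts and ends outside the hunk.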
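Review bot: The new bounds make each of `t_width` and `t_height` at most 0xffff, but `tiff_ifd[i].t_width*tiff_ifd[i].t_height > raw_width*raw_height` two lines later multiplies them as-is; if those fields are 32-bit signed ints (their declarations are outside this hunk) the product can reach about 4.29e9, which is signed overflow and can make the comparison select the wrong IFD. Casting before multiplying avoids it: `(unsigned)tiff_ifd[i].t_width*(unsigned)tiff_ifd[i].t_height > (unsigned)raw_width*(unsigned)raw_height)`. The same product appears in the `@@ -5582` hunk below, in `tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1)`, and the same cast applies there. The `bps < 33` and `samples < 13` limits are plain bounds on untrusted counts and look fine.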
@@ -5582,17 +5619,19 @@ !strstr(model2,"DEBUG RAW"))) is_raw = 0; for (i=0; i < tiff_nifds; i++) - if (i != raw && tiff_ifd[i].samples == max_samp && - tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) > - thumb_width * thumb_height / SQR(thumb_misc+1) - && tiff_ifd[i].comp != 34892) { - thumb_width = tiff_ifd[i].t_width; - thumb_height = tiff_ifd[i].t_height; - thumb_offset = tiff_ifd[i].offset; - thumb_length = tiff_ifd[i].bytes; - thumb_misc = tiff_ifd[i].bps; - thm = i; - } + if (i != raw && tiff_ifd[i].samples == max_samp && + tiff_ifd[i].bps>0 && tiff_ifd[i].bps < 33 && + unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 && + tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) > + thumb_width * thumb_height / SQR(thumb_misc+1) + && tiff_ifd[i].comp != 34892) { + thumb_width = tiff_ifd[i].t_width; + thumb_height = tiff_ifd[i].t_height; + thumb_offset = tiff_ifd[i].offset; + thumb_length = tiff_ifd[i].bytes; + thumb_misc = tiff_ifd[i].bps; + thm = i; + } if (thm >= 0) { thumb_misc |= tiff_ifd[thm].samples << 5; switch (tiff_ifd[thm].comp) {
Index: libkdcraw/libraw/src/libraw_datastream.cpp
===================================================================
--- libkdcraw.orig/libraw/src/libraw_datastream.cpp 2013-10-01 20:08:24.478682563 +0200
+++ libkdcraw/libraw/src/libraw_datastream.cpp 2013-10-01 20:08:24.474682721 +0200
@@ -64,7 +64,12 @@ LibRaw_byte_buffer *LibRaw_abstract_datastream::make_byte_buffer(unsigned int sz) { + if(sz> 2u * 1024u * 1024u * 1024u) // 2GB is enough + throw LIBRAW_EXCEPTION_ALLOC; + LibRaw_byte_buffer *ret = new LibRaw_byte_buffer(sz); + if(!ret) // failed new should throw std::exception + throw LIBRAW_EXCEPTION_ALLOC; read(ret->get_buffer(),sz,1); return ret; }
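Review bot: The `@@ -5582` hunk replaces the whole thumbnail-selection `if` block instead of inserting the two new conditions, and the removed and re-added lines appear to differ only in indentation, so the actual change (`tiff_ifd[i].bps>0 && tiff_ifd[i].bps < 33 &&` and `unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&`) is hard to pick out in review or in a later bisect. Keeping the original indentation and adding only those two lines would reduce the hunk to two `+` lines. The whitespace-only difference is inferred, since line breaks and indentation were lost when this patch was pasted into the mail.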
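Review bot: `if(!ret)` after `new LibRaw_byte_buffer(sz)` is dead code, as the adjacent comment itself notes: a plain `new` never returns NULL, it throws std::bad_alloc, which is not a LibRaw exception and is only handled if the caller catches std::exception (the callers are outside this hunk). If the intent is to report allocation failure as LIBRAW_EXCEPTION_ALLOC, use `LibRaw_byte_buffer *ret = new (std::nothrow) LibRaw_byte_buffer(sz);` so the NULL test is reachable; the same pattern recurs in the `@@ -441` hunk of this file. Separately, `read(ret->get_buffer(),sz,1);` ignores its return value, so a file truncated below the size its headers declare hands back a buffer whose tail was never filled, and `ret` leaks if read can throw; checking the read result and freeing the buffer before throwing would close both. The 2 GB ceiling on `sz` is a reasonable bound for an untrusted size.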
@@ -441,7 +446,10 @@ LibRaw_byte_buffer *LibRaw_buffer_datastream::make_byte_buffer(unsigned int sz) { + LibRaw_byte_buffer *ret = new LibRaw_byte_buffer(0); + if(!ret) // failed new should throw std::exception + throw LIBRAW_EXCEPTION_ALLOC; if(streampos + sz > streamsize) sz = streamsize - streampos; ret->set_buffer(buf+streampos,sz);