Update of /cvsroot/ufraw/ufraw In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv15146
Modified Files: dcraw.cc Log Message: Bug #361: Fixing various security issues (CVE-2013-1438). Patch by Nils Philippsen. Index: dcraw.cc =================================================================== RCS file: /cvsroot/ufraw/ufraw/dcraw.cc,v retrieving revision 1.305 retrieving revision 1.306 diff -u -d -r1.305 -r1.306 --- dcraw.cc 22 Nov 2013 14:00:13 -0000 1.305 +++ dcraw.cc 7 Dec 2013 02:00:13 -0000 1.306 @@ -938,6 +938,9 @@ { int len, diff; + if (!huff) + longjmp(failure, 2); + len = gethuff(huff); if (len == 16 && (!dng_version || dng_version >= 0x1010000)) return -32768; @@ -993,6 +996,8 @@ ushort *rp; if (!ljpeg_start (&jh, 0)) return; + if (jh.wide < 1 || jh.high < 1 || jh.clrs < 1 || jh.bits < 1) + longjmp (failure, 2); jwide = jh.wide * jh.clrs; for (jrow=0; jrow < jh.high; jrow++) { @@ -1012,6 +1017,8 @@ } if (raw_width == 3984 && (col -= 2) < 0) col += (row--,raw_width); + if (row > raw_height) + longjmp (failure, 3); if ((unsigned) row < raw_height) RAW(row,col) = val; if (++col >= raw_width) col = (row++,0); @@ -5601,6 +5608,7 @@ data_offset = get4()+base; ifd++; break; } + if(len > 1000) len=1000; /* 1000 SubIFDs is enough */ while (len--) { i = ftell(ifp); fseek (ifp, get4()+base, SEEK_SET); @@ -5820,7 +5828,7 @@ break; case 50715: /* BlackLevelDeltaH */ case 50716: /* BlackLevelDeltaV */ - for (num=i=0; i < len; i++) + for (num=i=0; i < len && i < 65536; i++) num += getreal(type); black += num/len + 0.5; break; @@ -5947,9 +5955,13 @@ if (thumb_offset) { fseek (ifp, thumb_offset, SEEK_SET); if (ljpeg_start (&jh, 1)) { - thumb_misc = jh.bits; - thumb_width = jh.wide; - thumb_height = jh.high; + if ((unsigned)jh.bits < 17 && (unsigned)jh.wide < 0x10000 && + (unsigned)jh.high < 0x10000) + { + thumb_misc = jh.bits; + thumb_width = jh.wide; + thumb_height = jh.high; + } } } for (i=0; i < tiff_nifds; i++) { 
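Review bot: In the hunk at `@@ -993,6 +996,8 @@`, the new guard rejects header fields below 1 but sets no upper bound, so `jwide = jh.wide * jh.clrs` on the next line is still computed from arbitrarily large file-supplied values. If these fields are plain `int`, as the `< 1` comparison suggests, the product can overflow before the row loop uses it. Bounding them the way the thumbnail hunk at `@@ -5947,9 +5955,13 @@` does would close that, e.g. `if (jh.wide < 1 || jh.wide > 0xffff || jh.high < 1 || jh.high > 0xffff || jh.clrs < 1 || jh.bits < 1 || jh.bits > 16)`. The enclosing function starts and ends outside the hunk; if ljpeg_start() allocates anything for `jh`, confirm that the failure handler releases it after this longjmp.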
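Review bot: The check added in the hunk at `@@ -1012,6 +1017,8 @@` uses `row > raw_height`, so `row == raw_height` neither aborts nor stores. It falls through to the existing `(unsigned) row < raw_height` guard and the sample is dropped silently. If one row of overshoot is tolerated on purpose, a comment such as `/* one row past the end is ignored; anything beyond that is treated as a corrupt file */` should say so; otherwise `>=` is the tighter test. The longjmp status values 2 and 3 used across this commit are not explained anywhere in the visible lines and would benefit from named constants or a short comment.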
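Review bot: In the hunk at `@@ -5820,7 +5828,7 @@`, the loop now stops after 65536 values but the following line still divides by the file-supplied `len`. For a larger `len` the black-level average is therefore taken over fewer samples than the divisor, and `len == 0` still reaches `num/len`. Dividing by the number of values actually read keeps the two in step: `if (i) black += num/i + 0.5;`. The surrounding switch and the declarations of `num` and `len` are outside the hunk, so the types involved are not visible here.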
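Review bot: When the new range check in the hunk at `@@ -5947,9 +5955,13 @@` fails, the thumbnail fields are left at whatever they held before, while `thumb_offset` stays non-zero. Any later code that keys off `thumb_offset` would then pair the offset of a rejected JPEG with stale or default dimensions. Clearing it in an `else` branch (`else thumb_offset = 0;`) would make the rejection explicit, provided nothing downstream depends on the offset surviving. The check also accepts zero for all three fields, unlike the `< 1` test added for the raw loader in the hunk at `@@ -993,6 +996,8 @@`.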
@@ -5957,8 +5969,9 @@ max_samp = tiff_ifd[i].samples; if (max_samp > 3) max_samp = 3; if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) && - (tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 && - tiff_ifd[i].width*tiff_ifd[i].height > raw_width*raw_height) { + (tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 && + (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 && + tiff_ifd[i].width*tiff_ifd[i].height > raw_width*raw_height) { raw_width = tiff_ifd[i].width; raw_height = tiff_ifd[i].height; tiff_bps = tiff_ifd[i].bps; @@ -6044,6 +6057,8 @@ is_raw = 0; for (i=0; i < tiff_nifds; i++) if ((int) i != raw && tiff_ifd[i].samples == max_samp && + tiff_ifd[i].bps > 0 && tiff_ifd[i].bps < 33 && + ((unsigned)(tiff_ifd[i].width | tiff_ifd[i].height)) < 0x10000 && tiff_ifd[i].width * tiff_ifd[i].height / (SQR(tiff_ifd[i].bps)+1) > (int)(thumb_width * thumb_height / (SQR(thumb_misc)+1)) && tiff_ifd[i].comp != 34892) {
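Review bot: In the hunk at `@@ -5957,8 +5969,9 @@`, the `(tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000` test is only re-indented and remains a signed comparison, while the same test added in the hunk at `@@ -6044,6 +6057,8 @@` is cast to unsigned. If `width` and `height` are signed, a negative value passes here and is then copied into `raw_width` and `raw_height`. Use the same form in both places: `(unsigned)(tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 &&`. The two hunks also disagree on `bps`: this one accepts 0 through `(unsigned)tiff_ifd[i].bps < 33`, whereas the later one requires `bps > 0`. A single shared predicate for "sane IFD dimensions" would keep the two sites from drifting apart.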