SA81000: LibRaw 0.18.8

Changelog.txt

@@ -1,3 +1,11 @@
+2018-02-23  Alex Tutubalin <lexa@lexa.ru>
+Secunia #81000: 
+Credit: Laurent Delosieres, Secunia Research at Flexera
+ * leaf_hdr_load_raw: check for image pointer for demosaiced raw
+ * NOKIARAW parser: check image dimensions readed from file
+ * quicktake_100_load_raw: check width/height limits
+ * LibRaw 0.18.8
+
 2018-01-29  Alex Tutubalin <lexa@lexa.ru>
  * Checks for width+left_margin/height+top_margin not larger than 64k
  * LIBRAW_MAX_ALLOC_MB define limits maximum image/raw_image allocation

dcraw/dcraw.c

@@ -2365,6 +2365,10 @@ void CLASS leaf_hdr_load_raw()
   unsigned tile=0, r, c, row, col;
 
   if (!filters) {
+#ifdef LIBRAW_LIBRARY_BUILD
+    if(!image)
+      throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
     pixel = (ushort *) calloc (raw_width, sizeof *pixel);
     merror (pixel, "leaf_hdr_load_raw()");
   }
@@ -2894,7 +2898,11 @@ void CLASS quicktake_100_load_raw()
     654,665,676,687,698,710,721,732,743,754,766,777,788,799,810,822,833,844,
     855,866,878,889,900,911,922,933,945,956,967,978,989,1001,1012,1023 };
   int rb, row, col, sharp, val=0;
-
+#ifdef LIBRAW_LIBRARY_BUILD
+  if(width>640 || height > 480)
+    throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
+
   getbits(-1);
   memset (pixel, 0x80, sizeof pixel);
   for (row=2; row < height+2; row++) {
@@ -15649,13 +15657,24 @@ void CLASS identify()
     i = get4();
     width = get2();
     height = get2();
-    switch (tiff_bps = i*8 / (width * height)) {
-      case  8: load_raw = &CLASS eight_bit_load_raw;  break;
-      case 10: load_raw = &CLASS nokia_load_raw;
-    }
-    raw_height = height + (top_margin = i / (width * tiff_bps/8) - height);
-    mask[0][3] = 1;
-    filters = 0x61616161;
+#ifdef LIBRAW_LIBRARY_BUILD
+    // data length should be in range w*h..w*h*2
+    if(width*height < (LIBRAW_MAX_ALLOC_MB*1024*512L) && width*height>1
+       && i >= width * height && i <= width*height*2)
+      {
+#endif
+	switch (tiff_bps = i*8 / (width * height)) {
+	case  8: load_raw = &CLASS eight_bit_load_raw;  break;
+	case 10: load_raw = &CLASS nokia_load_raw;
+	}
+	raw_height = height + (top_margin = i / (width * tiff_bps/8) - height);
+	mask[0][3] = 1;
+	filters = 0x61616161;
+#ifdef LIBRAW_LIBRARY_BUILD
+      }
+    else
+      is_raw = 0;
+#endif
   } else if (!memcmp (head,"ARRI",4)) {
     order = 0x4949;
     fseek (ifp, 20, SEEK_SET);

internal/dcraw_common.cpp

@@ -2077,6 +2077,10 @@ void CLASS leaf_hdr_load_raw()
   unsigned tile=0, r, c, row, col;
 
   if (!filters) {
+#ifdef LIBRAW_LIBRARY_BUILD
+    if(!image)
+      throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
     pixel = (ushort *) calloc (raw_width, sizeof *pixel);
     merror (pixel, "leaf_hdr_load_raw()");
   }
@@ -2606,7 +2610,11 @@ void CLASS quicktake_100_load_raw()
     654,665,676,687,698,710,721,732,743,754,766,777,788,799,810,822,833,844,
     855,866,878,889,900,911,922,933,945,956,967,978,989,1001,1012,1023 };
   int rb, row, col, sharp, val=0;
-
+#ifdef LIBRAW_LIBRARY_BUILD
+  if(width>640 || height > 480)
+    throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
+
   getbits(-1);
   memset (pixel, 0x80, sizeof pixel);
   for (row=2; row < height+2; row++) {
@@ -14311,13 +14319,24 @@ void CLASS identify()
     i = get4();
     width = get2();
     height = get2();
-    switch (tiff_bps = i*8 / (width * height)) {
-      case  8: load_raw = &CLASS eight_bit_load_raw;  break;
-      case 10: load_raw = &CLASS nokia_load_raw;
-    }
-    raw_height = height + (top_margin = i / (width * tiff_bps/8) - height);
-    mask[0][3] = 1;
-    filters = 0x61616161;
+#ifdef LIBRAW_LIBRARY_BUILD
+    // data length should be in range w*h..w*h*2
+    if(width*height < (LIBRAW_MAX_ALLOC_MB*1024*512L) && width*height>1
+       && i >= width * height && i <= width*height*2)
+      {
+#endif
+	switch (tiff_bps = i*8 / (width * height)) {
+	case  8: load_raw = &CLASS eight_bit_load_raw;  break;
+	case 10: load_raw = &CLASS nokia_load_raw;
+	}
+	raw_height = height + (top_margin = i / (width * tiff_bps/8) - height);
+	mask[0][3] = 1;
+	filters = 0x61616161;
+#ifdef LIBRAW_LIBRARY_BUILD
+      }
+    else
+      is_raw = 0;
+#endif
   } else if (!memcmp (head,"ARRI",4)) {
     order = 0x4949;
     fseek (ifp, 20, SEEK_SET);

libraw/libraw_version.h

@@ -22,7 +22,7 @@ it under the terms of the one of two licenses as you choose:
 
 #define LIBRAW_MAJOR_VERSION  0
 #define LIBRAW_MINOR_VERSION  18
-#define LIBRAW_PATCH_VERSION  7
+#define LIBRAW_PATCH_VERSION  8
 #define LIBRAW_VERSION_TAIL   Release
 
 #define LIBRAW_SHLIB_CURRENT  	16