Skip to content
Permalink
Browse files Browse the repository at this point in the history
SA79000 advisory fix
  • Loading branch information
alextutubalin committed Jan 19, 2018
1 parent 21da3cd commit 0df5490
Show file tree
Hide file tree
Showing 4 changed files with 105 additions and 6 deletions.
9 changes: 8 additions & 1 deletion Changelog.txt
@@ -1,4 +1,11 @@
Alex Tutubalin <lexa@lexa.ru>
2018-01-19 Alex Tutubalin <lexa@lexa.ru>
Secunia #79000:
Credit: Laurent Delosieres, Secunia Research at Flexera
* All legacy (RGB raw) image loaders checks for imgdata.image is not NULL
* kodak_radc_load_raw: check image size before processing
* legacy memory allocator: allocate max(widh,raw_width)*max(height,raw_height)

2017-12-06 Alex Tutubalin <lexa@lexa.ru>
Secunia #76000:
* Fixed fuji_width handling if file is neither fuji nor DNG
* Fixed xtrans interpolate for broken xtrans pattern
Expand Down
54 changes: 52 additions & 2 deletions dcraw/dcraw.c
Expand Up @@ -1886,6 +1886,10 @@ void CLASS nikon_load_raw()

void CLASS nikon_yuv_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
int row, col, yuv[4], rgb[3], b, c;
UINT64 bitbuf = 0;
float cmul[4];
Expand Down Expand Up @@ -2815,6 +2819,10 @@ void CLASS sinar_4shot_load_raw()
unpacked_load_raw();
return;
}
#ifdef LIBRAW_LIBRARY_BUILD
else if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
pixel = (ushort *)calloc(raw_width, sizeof *pixel);
merror(pixel, "sinar_4shot_load_raw()");
#ifdef LIBRAW_LIBRARY_BUILD
Expand Down Expand Up @@ -2857,8 +2865,10 @@ void CLASS imacon_full_load_raw()
{
int row, col;

if (!image)
return;
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif

#ifdef LIBRAW_LIBRARY_BUILD
unsigned short *buf = (unsigned short *)malloc(width * 3 * sizeof(unsigned short));
Expand Down Expand Up @@ -3404,6 +3414,12 @@ void CLASS quicktake_100_load_raw()

void CLASS kodak_radc_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
// All kodak radc images are 768x512
if(width>768 || raw_width>768 || height > 512 || raw_height>512 )
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif

static const signed char src[] = {
1, 1, 2, 3, 3, 4, 4, 2, 5, 7, 6, 5, 7, 6, 7, 8, 1, 0, 2, 1, 3, 3, 4, 4, 5, 2, 6, 7, 7, 6,
8, 5, 8, 8, 2, 1, 2, 3, 3, 0, 3, 2, 3, 4, 4, 6, 5, 5, 6, 7, 6, 8, 2, 0, 2, 1, 2, 3, 3, 2,
Expand Down Expand Up @@ -3652,6 +3668,10 @@ void CLASS gamma_curve(double pwr, double ts, int mode, int imax);

void CLASS lossy_dng_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
struct jpeg_decompress_struct cinfo;
struct jpeg_error_mgr jerr;
JSAMPARRAY buf;
Expand Down Expand Up @@ -3806,6 +3826,11 @@ void CLASS eight_bit_load_raw()

void CLASS kodak_c330_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif

uchar *pixel;
int row, col, y, cb, cr, rgb[3], c;

Expand Down Expand Up @@ -3849,6 +3874,11 @@ void CLASS kodak_c330_load_raw()

void CLASS kodak_c603_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif

uchar *pixel;
int row, col, y, cb, cr, rgb[3], c;

Expand Down Expand Up @@ -4028,6 +4058,10 @@ void CLASS kodak_65000_load_raw()

void CLASS kodak_ycbcr_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
short buf[384], *bp;
int row, col, len, c, i, j, k, y[2][2], cb, cr, rgb[3];
ushort *ip;
Expand Down Expand Up @@ -4067,6 +4101,10 @@ void CLASS kodak_ycbcr_load_raw()

void CLASS kodak_rgb_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
short buf[768], *bp;
int row, col, len, c, i, rgb[3], ret;
ushort *ip = image[0];
Expand Down Expand Up @@ -4096,6 +4134,10 @@ void CLASS kodak_rgb_load_raw()

void CLASS kodak_thumb_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
int row, col;
colors = thumb_misc >> 5;
for (row = 0; row < height; row++)
Expand Down Expand Up @@ -4809,6 +4851,10 @@ void CLASS foveon_thumb()

void CLASS foveon_sd_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
struct decode *dindex;
short diff[1024];
unsigned bitbuf = 0;
Expand Down Expand Up @@ -4869,6 +4915,10 @@ void CLASS foveon_huff(ushort *huff)

void CLASS foveon_dp_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
unsigned c, roff[4], row, col, diff;
ushort huff[512], vpred[2][2], hpred[2];

Expand Down
46 changes: 44 additions & 2 deletions internal/dcraw_common.cpp
Expand Up @@ -1595,6 +1595,10 @@ void CLASS nikon_load_raw()

void CLASS nikon_yuv_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
int row, col, yuv[4], rgb[3], b, c;
UINT64 bitbuf = 0;
float cmul[4];
Expand Down Expand Up @@ -2519,6 +2523,10 @@ void CLASS sinar_4shot_load_raw()
unpacked_load_raw();
return;
}
#ifdef LIBRAW_LIBRARY_BUILD
else if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
pixel = (ushort *)calloc(raw_width, sizeof *pixel);
merror(pixel, "sinar_4shot_load_raw()");
#ifdef LIBRAW_LIBRARY_BUILD
Expand Down Expand Up @@ -2561,8 +2569,10 @@ void CLASS imacon_full_load_raw()
{
int row, col;

if (!image)
return;
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif

#ifdef LIBRAW_LIBRARY_BUILD
unsigned short *buf = (unsigned short *)malloc(width * 3 * sizeof(unsigned short));
Expand Down Expand Up @@ -3108,6 +3118,12 @@ void CLASS quicktake_100_load_raw()

void CLASS kodak_radc_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
// All kodak radc images are 768x512
if(width>768 || raw_width>768 || height > 512 || raw_height>512 )
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif

static const signed char src[] = {
1, 1, 2, 3, 3, 4, 4, 2, 5, 7, 6, 5, 7, 6, 7, 8, 1, 0, 2, 1, 3, 3, 4, 4, 5, 2, 6, 7, 7, 6,
8, 5, 8, 8, 2, 1, 2, 3, 3, 0, 3, 2, 3, 4, 4, 6, 5, 5, 6, 7, 6, 8, 2, 0, 2, 1, 2, 3, 3, 2,
Expand Down Expand Up @@ -3356,6 +3372,10 @@ void CLASS gamma_curve(double pwr, double ts, int mode, int imax);

void CLASS lossy_dng_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
struct jpeg_decompress_struct cinfo;
struct jpeg_error_mgr jerr;
JSAMPARRAY buf;
Expand Down Expand Up @@ -3510,6 +3530,11 @@ void CLASS eight_bit_load_raw()

void CLASS kodak_c330_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif

uchar *pixel;
int row, col, y, cb, cr, rgb[3], c;

Expand Down Expand Up @@ -3553,6 +3578,11 @@ void CLASS kodak_c330_load_raw()

void CLASS kodak_c603_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif

uchar *pixel;
int row, col, y, cb, cr, rgb[3], c;

Expand Down Expand Up @@ -3732,6 +3762,10 @@ void CLASS kodak_65000_load_raw()

void CLASS kodak_ycbcr_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
short buf[384], *bp;
int row, col, len, c, i, j, k, y[2][2], cb, cr, rgb[3];
ushort *ip;
Expand Down Expand Up @@ -3771,6 +3805,10 @@ void CLASS kodak_ycbcr_load_raw()

void CLASS kodak_rgb_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
short buf[768], *bp;
int row, col, len, c, i, rgb[3], ret;
ushort *ip = image[0];
Expand Down Expand Up @@ -3800,6 +3838,10 @@ void CLASS kodak_rgb_load_raw()

void CLASS kodak_thumb_load_raw()
{
#ifdef LIBRAW_LIBRARY_BUILD
if(!image)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
#endif
int row, col;
colors = thumb_misc >> 5;
for (row = 0; row < height; row++)
Expand Down
2 changes: 1 addition & 1 deletion src/libraw_cxx.cpp
Expand Up @@ -2792,7 +2792,7 @@ int LibRaw::unpack(void)
// sRAW and old Foveon decoders only, so extra buffer size is just 1/4
// allocate image as temporary buffer, size
imgdata.rawdata.raw_alloc = 0;
imgdata.image = (ushort(*)[4])calloc(unsigned(S.raw_width) * unsigned(S.raw_height), sizeof(*imgdata.image));
imgdata.image = (ushort(*)[4])calloc(unsigned(MAX(S.width,S.raw_width)) * unsigned(MAX(S.height,S.raw_height)), sizeof(*imgdata.image));
if (!(decoder_info.decoder_flags & LIBRAW_DECODER_ADOBECOPYPIXEL))
{
imgdata.rawdata.raw_image = (ushort *)imgdata.image;
Expand Down

0 comments on commit 0df5490

Please sign in to comment.