Permalink
Browse files

cumulated data checks patch

  • Loading branch information...
1 parent 6ecc82a commit 11909cc59e712e09b508dda729b99aeaac2b29ad @alextutubalin alextutubalin committed Aug 22, 2013
Showing with 124 additions and 33 deletions.
  1. +3 −1 Changelog.txt
  2. +7 −6 Makefile.devel
  3. +45 −6 dcraw/dcraw.c
  4. +54 −15 internal/dcraw_common.cpp
  5. +4 −4 internal/dcraw_fileio.cpp
  6. +1 −1 libraw/libraw_version.h
  7. +10 −0 src/libraw_datastream.cpp
View
@@ -1,11 +1,13 @@
-2013-08-07 Alex Tutubalin <lexa@lexa.ru>
+2013-08-28 Alex Tutubalin <lexa@lexa.ru>
+ * Additional checks to data to prevent broken file opening
* New camera/format support:
Richon GR
Panasonic LF1
Canon EOS 70D
Sony RX100II, RX1R
Olympus E-P5
* Generalized size copy from RawSpeed data
+ * LibRaw 0.15.4
2013-07-04 Alex Tutubalin <lexa@lexa.ru>
* New camera/format support:
View
@@ -4,16 +4,17 @@ PP=./internal/preprocess.pl
CC=gcc
CXX=g++
+CFLAGS+= -O -g -I.
# RawSpeed Support
-CFLAGS+=-DUSE_RAWSPEED -I../RawSpeed -I/usr/local/include/libxml2
-LDADD+=-L../RawSpeed/RawSpeed/release -lrawspeed -L/usr/local/include -ljpeg -lxml2
-RAWSPEED_DATA=../RawSpeed/data/cameras.xml
+#CFLAGS+=-DUSE_RAWSPEED -I../RawSpeed -I/usr/local/include/libxml2
+#LDADD+=-L../RawSpeed/RawSpeed/release -lrawspeed -L/usr/local/include -ljpeg -lxml2
+#RAWSPEED_DATA=../RawSpeed/data/cameras.xml
-CC=gcc48
-CXX=g++48
-CFLAGS+= -O4 -g -march=corei7 -mtune=corei7 -I. -pedantic -Wno-long-long -Wno-overflow -msse4.2 -mfpmath=sse -fopenmp
+#CC=gcc48
+#CXX=g++48
+#CFLAGS+= -O -g -I. -march=corei7 -mtune=corei7 -I. -pedantic -Wno-long-long -Wno-overflow -msse4.2 -mfpmath=sse -fopenmp
# LCMS support
View
@@ -877,6 +877,11 @@ int CLASS ljpeg_diff (ushort *huff)
{
int len, diff;
+#ifdef LIBRAW_LIBRARY_BUILD
+ if(!huff)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
+
len = gethuff(huff);
if (len == 16 && (!dng_version || dng_version >= 0x1010000))
return -32768;
@@ -891,6 +896,9 @@ int CLASS ljpeg_diff_new (LibRaw_bit_buffer& bits, LibRaw_byte_buffer* buf,ushor
{
int len, diff;
+ if(!huff || !buf)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
len = bits._gethuff_lj(buf,*huff,huff+1);
if (len == 16 && (!dng_version || dng_version >= 0x1010000))
return -32768;
@@ -1010,8 +1018,11 @@ void CLASS lossless_jpeg_load_raw()
}
#endif
-
if (!ljpeg_start (&jh, 0)) return;
+#ifdef LIBRAW_LIBRARY_BUILD
+ if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
jwide = jh.wide * jh.clrs;
#ifdef LIBRAW_LIBRARY_BUILD
@@ -1028,13 +1039,19 @@ void CLASS lossless_jpeg_load_raw()
}
slices = slicesWcnt * jh.high;
+ if(!slices)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
offset = (unsigned*)calloc(slices+1,sizeof(offset[0]));
for(slice=0;slice<slices;slice++)
{
offset[slice] = (t_x + t_y * raw_width)| (t_s<<28);
if((offset[slice] & 0x0fffffff) >= raw_width * raw_height)
+ {
+ free(offset);
throw LIBRAW_EXCEPTION_IO_BADFILE;
+ }
t_y++;
if(t_y == jh.high)
{
@@ -1087,12 +1104,27 @@ void CLASS lossless_jpeg_load_raw()
pixno++;
if (0 == --pixelsInSlice)
{
+ if(slice > slices)
+ {
+ free(offset);
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ }
unsigned o = offset[slice++];
pixno = o & 0x0fffffff;
pixelsInSlice = slicesW[o>>28];
}
}
#endif
+
+ if(row>raw_height)
+#ifdef LIBRAW_LIBRARY_BUILD
+ {
+ free(offset);
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ }
+#else
+ longjmp (failure, 3);
+#endif
if (raw_width == 3984 && (col -= 2) < 0)
col += (row--,raw_width);
if (row >= 0) RAW(row,col) = val;
@@ -6295,6 +6327,7 @@ int CLASS parse_tiff_ifd (int base)
data_offset = get4()+base;
ifd++; break;
}
+ if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
while (len--) {
i = ftell(ifp);
fseek (ifp, get4()+base, SEEK_SET);
@@ -6513,7 +6546,7 @@ int CLASS parse_tiff_ifd (int base)
break;
case 50715: /* BlackLevelDeltaH */
case 50716: /* BlackLevelDeltaV */
- for (num=i=0; i < len; i++)
+ for (num=i=0; i < len && i < 65536; i++)
num += getreal(type);
black += num/len + 0.5;
break;
@@ -6646,17 +6679,21 @@ void CLASS apply_tiff()
if (thumb_offset) {
fseek (ifp, thumb_offset, SEEK_SET);
if (ljpeg_start (&jh, 1)) {
- thumb_misc = jh.bits;
- thumb_width = jh.wide;
- thumb_height = jh.high;
+ if((unsigned)jh.bits<17 && (unsigned)jh.wide < 0x10000 && (unsigned)jh.high < 0x10000)
+ {
+ thumb_misc = jh.bits;
+ thumb_width = jh.wide;
+ thumb_height = jh.high;
+ }
}
}
for (i=0; i < tiff_nifds; i++) {
if (max_samp < tiff_ifd[i].samples)
max_samp = tiff_ifd[i].samples;
if (max_samp > 3) max_samp = 3;
if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
- (tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
+ unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
+ (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
tiff_ifd[i].t_width*tiff_ifd[i].t_height > raw_width*raw_height) {
raw_width = tiff_ifd[i].t_width;
raw_height = tiff_ifd[i].t_height;
@@ -6743,6 +6780,8 @@ void CLASS apply_tiff()
is_raw = 0;
for (i=0; i < tiff_nifds; i++)
if (i != raw && tiff_ifd[i].samples == max_samp &&
+ tiff_ifd[i].bps>0 && tiff_ifd[i].bps < 33 &&
+ unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) >
thumb_width * thumb_height / SQR(thumb_misc+1)
&& tiff_ifd[i].comp != 34892) {
View
@@ -611,6 +611,11 @@ int CLASS ljpeg_diff (ushort *huff)
{
int len, diff;
+#ifdef LIBRAW_LIBRARY_BUILD
+ if(!huff)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
+
len = gethuff(huff);
if (len == 16 && (!dng_version || dng_version >= 0x1010000))
return -32768;
@@ -625,6 +630,9 @@ int CLASS ljpeg_diff_new (LibRaw_bit_buffer& bits, LibRaw_byte_buffer* buf,ushor
{
int len, diff;
+ if(!huff || !buf)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
len = bits._gethuff_lj(buf,*huff,huff+1);
if (len == 16 && (!dng_version || dng_version >= 0x1010000))
return -32768;
@@ -744,8 +752,11 @@ void CLASS lossless_jpeg_load_raw()
}
#endif
-
if (!ljpeg_start (&jh, 0)) return;
+#ifdef LIBRAW_LIBRARY_BUILD
+ if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
jwide = jh.wide * jh.clrs;
#ifdef LIBRAW_LIBRARY_BUILD
@@ -762,13 +773,19 @@ void CLASS lossless_jpeg_load_raw()
}
slices = slicesWcnt * jh.high;
+ if(!slices)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
offset = (unsigned*)calloc(slices+1,sizeof(offset[0]));
for(slice=0;slice<slices;slice++)
{
offset[slice] = (t_x + t_y * raw_width)| (t_s<<28);
if((offset[slice] & 0x0fffffff) >= raw_width * raw_height)
+ {
+ free(offset);
throw LIBRAW_EXCEPTION_IO_BADFILE;
+ }
t_y++;
if(t_y == jh.high)
{
@@ -821,12 +838,27 @@ void CLASS lossless_jpeg_load_raw()
pixno++;
if (0 == --pixelsInSlice)
{
+ if(slice > slices)
+ {
+ free(offset);
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ }
unsigned o = offset[slice++];
pixno = o & 0x0fffffff;
pixelsInSlice = slicesW[o>>28];
}
}
#endif
+
+ if(row>raw_height)
+#ifdef LIBRAW_LIBRARY_BUILD
+ {
+ free(offset);
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ }
+#else
+ longjmp (failure, 3);
+#endif
if (raw_width == 3984 && (col -= 2) < 0)
col += (row--,raw_width);
if (row >= 0) RAW(row,col) = val;
@@ -1283,7 +1315,7 @@ int CLASS minolta_z2()
if (tail[i]) nz++;
return nz > 20;
}
-#line 1557 "dcraw/dcraw.c"
+#line 1589 "dcraw/dcraw.c"
void CLASS ppm_thumb()
{
char *thumb;
@@ -2865,7 +2897,7 @@ void CLASS redcine_load_raw()
jas_stream_close (in);
#endif
}
-#line 3846 "dcraw/dcraw.c"
+#line 3878 "dcraw/dcraw.c"
void CLASS crop_masked_pixels()
{
int row, col;
@@ -2965,7 +2997,7 @@ void CLASS remove_zeroes()
RUN_CALLBACK(LIBRAW_PROGRESS_REMOVE_ZEROES,1,2);
#endif
}
-#line 4111 "dcraw/dcraw.c"
+#line 4143 "dcraw/dcraw.c"
void CLASS gamma_curve (double pwr, double ts, int mode, int imax)
{
int i;
@@ -4460,7 +4492,7 @@ void CLASS parse_thumb_note (int base, unsigned toff, unsigned tlen)
fseek (ifp, save, SEEK_SET);
}
}
-#line 5610 "dcraw/dcraw.c"
+#line 5642 "dcraw/dcraw.c"
void CLASS parse_makernote (int base, int uptag)
{
static const uchar xlat[2][256] = {
@@ -4975,7 +5007,7 @@ void CLASS parse_kodak_ifd (int base)
fseek (ifp, save, SEEK_SET);
}
}
-#line 6130 "dcraw/dcraw.c"
+#line 6162 "dcraw/dcraw.c"
int CLASS parse_tiff_ifd (int base)
{
unsigned entries, tag, type, len, plen=16, save;
@@ -5144,6 +5176,7 @@ int CLASS parse_tiff_ifd (int base)
data_offset = get4()+base;
ifd++; break;
}
+ if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
while (len--) {
i = ftell(ifp);
fseek (ifp, get4()+base, SEEK_SET);
@@ -5362,7 +5395,7 @@ int CLASS parse_tiff_ifd (int base)
break;
case 50715: /* BlackLevelDeltaH */
case 50716: /* BlackLevelDeltaV */
- for (num=i=0; i < len; i++)
+ for (num=i=0; i < len && i < 65536; i++)
num += getreal(type);
black += num/len + 0.5;
break;
@@ -5495,17 +5528,21 @@ void CLASS apply_tiff()
if (thumb_offset) {
fseek (ifp, thumb_offset, SEEK_SET);
if (ljpeg_start (&jh, 1)) {
- thumb_misc = jh.bits;
- thumb_width = jh.wide;
- thumb_height = jh.high;
+ if((unsigned)jh.bits<17 && (unsigned)jh.wide < 0x10000 && (unsigned)jh.high < 0x10000)
+ {
+ thumb_misc = jh.bits;
+ thumb_width = jh.wide;
+ thumb_height = jh.high;
+ }
}
}
for (i=0; i < tiff_nifds; i++) {
if (max_samp < tiff_ifd[i].samples)
max_samp = tiff_ifd[i].samples;
if (max_samp > 3) max_samp = 3;
if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
- (tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
+ unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
+ (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
tiff_ifd[i].t_width*tiff_ifd[i].t_height > raw_width*raw_height) {
raw_width = tiff_ifd[i].t_width;
raw_height = tiff_ifd[i].t_height;
@@ -5592,6 +5629,8 @@ void CLASS apply_tiff()
is_raw = 0;
for (i=0; i < tiff_nifds; i++)
if (i != raw && tiff_ifd[i].samples == max_samp &&
+ tiff_ifd[i].bps>0 && tiff_ifd[i].bps < 33 &&
+ unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) >
thumb_width * thumb_height / SQR(thumb_misc+1)
&& tiff_ifd[i].comp != 34892) {
@@ -6233,7 +6272,7 @@ void CLASS parse_redcine()
data_offset = get4();
}
}
-#line 7390 "dcraw/dcraw.c"
+#line 7429 "dcraw/dcraw.c"
char * CLASS foveon_gets (int offset, char *str, int len)
{
int i;
@@ -6334,7 +6373,7 @@ void CLASS parse_foveon()
}
is_foveon = 1;
}
-#line 7493 "dcraw/dcraw.c"
+#line 7532 "dcraw/dcraw.c"
/*
All matrices are from Adobe DNG Converter unless otherwise noted.
*/
@@ -8981,7 +9020,7 @@ void CLASS identify2(unsigned fsize, unsigned flen, char *head)
}
-#line 10231 "dcraw/dcraw.c"
+#line 10270 "dcraw/dcraw.c"
void CLASS convert_to_rgb()
{
#ifndef LIBRAW_LIBRARY_BUILD
@@ -9212,7 +9251,7 @@ int CLASS flip_index (int row, int col)
if (flip & 1) col = iwidth - 1 - col;
return row * iwidth + col;
}
-#line 10487 "dcraw/dcraw.c"
+#line 10526 "dcraw/dcraw.c"
void CLASS tiff_set (ushort *ntag,
ushort tag, ushort type, int count, int val)
{
Oops, something went wrong.

0 comments on commit 11909cc

Please sign in to comment.