
Commit 11909cc

committed
cumulated data checks patch
1 parent 6ecc82a commit 11909cc


7 files changed

+124
-33
lines changed


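--- a/Changelog.txt
+++ b/Changelog.txt
@@ -1,11 +1,13 @@
-2013-08-07 Alex Tutubalin <lexa@lexa.ru>
+2013-08-28 Alex Tutubalin <lexa@lexa.ru>
+* Additional checks to data to prevent broken file opening
 * New camera/format support:
 Richon GR
 Panasonic LF1
 Canon EOS 70D
 Sony RX100II, RX1R
 Olympus E-P5
 * Generalized size copy from RawSpeed data
+* LibRaw 0.15.4
 
 2013-07-04 Alex Tutubalin <lexa@lexa.ru>
 * New camera/format support: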

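--- a/Makefile.devel
+++ b/Makefile.devel
@@ -4,16 +4,17 @@ PP=./internal/preprocess.pl
 
 CC=gcc
 CXX=g++
+CFLAGS+= -O -g -I.
 
 # RawSpeed Support
-CFLAGS+=-DUSE_RAWSPEED -I../RawSpeed -I/usr/local/include/libxml2
-LDADD+=-L../RawSpeed/RawSpeed/release -lrawspeed -L/usr/local/include -ljpeg -lxml2
-RAWSPEED_DATA=../RawSpeed/data/cameras.xml
+#CFLAGS+=-DUSE_RAWSPEED -I../RawSpeed -I/usr/local/include/libxml2
+#LDADD+=-L../RawSpeed/RawSpeed/release -lrawspeed -L/usr/local/include -ljpeg -lxml2
+#RAWSPEED_DATA=../RawSpeed/data/cameras.xml
 
 
-CC=gcc48
-CXX=g++48
-CFLAGS+= -O4 -g -march=corei7 -mtune=corei7 -I. -pedantic -Wno-long-long -Wno-overflow -msse4.2 -mfpmath=sse -fopenmp
+#CC=gcc48
+#CXX=g++48
+#CFLAGS+= -O -g -I. -march=corei7 -mtune=corei7 -I. -pedantic -Wno-long-long -Wno-overflow -msse4.2 -mfpmath=sse -fopenmp
 
 
 # LCMS support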

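--- a/dcraw/dcraw.c
+++ b/dcraw/dcraw.c
@@ -877,6 +877,11 @@ int CLASS ljpeg_diff (ushort *huff)
 {
 int len, diff;
 
+#ifdef LIBRAW_LIBRARY_BUILD
+if(!huff)
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
+
 len = gethuff(huff);
 if (len == 16 && (!dng_version || dng_version >= 0x1010000))
 return -32768;
@@ -891,6 +896,9 @@ int CLASS ljpeg_diff_new (LibRaw_bit_buffer& bits, LibRaw_byte_buffer* buf,ushor
 {
 int len, diff;
 
+if(!huff || !buf)
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
 len = bits._gethuff_lj(buf,*huff,huff+1);
 if (len == 16 && (!dng_version || dng_version >= 0x1010000))
 return -32768;
@@ -1010,8 +1018,11 @@ void CLASS lossless_jpeg_load_raw()
 }
 #endif
 
-
 if (!ljpeg_start (&jh, 0)) return;
+#ifdef LIBRAW_LIBRARY_BUILD
+if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
 jwide = jh.wide * jh.clrs;
 
 #ifdef LIBRAW_LIBRARY_BUILD
@@ -1028,13 +1039,19 @@ void CLASS lossless_jpeg_load_raw()
 }
 
 slices = slicesWcnt * jh.high;
+if(!slices)
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
 offset = (unsigned*)calloc(slices+1,sizeof(offset[0]));
 
 for(slice=0;slice<slices;slice++)
 {
 offset[slice] = (t_x + t_y * raw_width)| (t_s<<28);
 if((offset[slice] & 0x0fffffff) >= raw_width * raw_height)
+{
+free(offset);
 throw LIBRAW_EXCEPTION_IO_BADFILE;
+}
 t_y++;
 if(t_y == jh.high)
 {
@@ -1087,12 +1104,27 @@ void CLASS lossless_jpeg_load_raw()
 pixno++;
 if (0 == --pixelsInSlice)
 {
+if(slice > slices)
+{
+free(offset);
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+}
 unsigned o = offset[slice++];
 pixno = o & 0x0fffffff;
 pixelsInSlice = slicesW[o>>28];
 }
 }
 #endif
+
+if(row>raw_height)
+#ifdef LIBRAW_LIBRARY_BUILD
+{
+free(offset);
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+}
+#else
+longjmp (failure, 3);
+#endif
 if (raw_width == 3984 && (col -= 2) < 0)
 col += (row--,raw_width);
 if (row >= 0) RAW(row,col) = val;
@@ -6295,6 +6327,7 @@ int CLASS parse_tiff_ifd (int base)
 data_offset = get4()+base;
 ifd++; break;
 }
+if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
 while (len--) {
 i = ftell(ifp);
 fseek (ifp, get4()+base, SEEK_SET);
@@ -6513,7 +6546,7 @@ int CLASS parse_tiff_ifd (int base)
 break;
 case 50715: /* BlackLevelDeltaH */
 case 50716: /* BlackLevelDeltaV */
-for (num=i=0; i < len; i++)
+for (num=i=0; i < len && i < 65536; i++)
 num += getreal(type);
 black += num/len + 0.5;
 break;
@@ -6646,17 +6679,21 @@ void CLASS apply_tiff()
 if (thumb_offset) {
 fseek (ifp, thumb_offset, SEEK_SET);
 if (ljpeg_start (&jh, 1)) {
-thumb_misc = jh.bits;
-thumb_width = jh.wide;
-thumb_height = jh.high;
+if((unsigned)jh.bits<17 && (unsigned)jh.wide < 0x10000 && (unsigned)jh.high < 0x10000)
+{
+thumb_misc = jh.bits;
+thumb_width = jh.wide;
+thumb_height = jh.high;
+}
 }
 }
 for (i=0; i < tiff_nifds; i++) {
 if (max_samp < tiff_ifd[i].samples)
 max_samp = tiff_ifd[i].samples;
 if (max_samp > 3) max_samp = 3;
 if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
-(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
+unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
+(unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
 tiff_ifd[i].t_width*tiff_ifd[i].t_height > raw_width*raw_height) {
 raw_width = tiff_ifd[i].t_width;
 raw_height = tiff_ifd[i].t_height;
@@ -6743,6 +6780,8 @@ void CLASS apply_tiff()
 is_raw = 0;
 for (i=0; i < tiff_nifds; i++)
 if (i != raw && tiff_ifd[i].samples == max_samp &&
+tiff_ifd[i].bps>0 && tiff_ifd[i].bps < 33 &&
+unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
 tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) >
 thumb_width * thumb_height / SQR(thumb_misc+1)
 && tiff_ifd[i].comp != 34892) {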
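Review bot: In the lossless_jpeg_load_raw hunk the new guard `if(row>raw_height)` still admits `row == raw_height`, which two lines later reaches `if (row >= 0) RAW(row,col) = val;` and, with RAW() indexing raw_image by row*raw_width+col as in dcraw, writes one row past the end of the buffer unless the `raw_width == 3984` branch happens to decrement row first. Because that branch legitimately turns row == raw_height into raw_height-1, the check should be `if(row>=raw_height)` and sit after the `col -= 2` adjustment, directly before the `if (row >= 0)` write; the function's body begins and ends outside this hunk, so the column wrap that advances row is not visible here. A smaller point in both apply_tiff hunks: `unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height)` is a C++ functional cast in a .c file, while the adjacent `(unsigned)tiff_ifd[i].bps` uses the C form — `(unsigned)(tiff_ifd[i].t_width | tiff_ifd[i].t_height)` is equivalent and keeps the file compilable as C. The identical hunks in internal/dcraw_common.cpp, which the `#line` directives show is generated from this file, inherit both points.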

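--- a/internal/dcraw_common.cpp
+++ b/internal/dcraw_common.cpp
@@ -611,6 +611,11 @@ int CLASS ljpeg_diff (ushort *huff)
 {
 int len, diff;
 
+#ifdef LIBRAW_LIBRARY_BUILD
+if(!huff)
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
+
 len = gethuff(huff);
 if (len == 16 && (!dng_version || dng_version >= 0x1010000))
 return -32768;
@@ -625,6 +630,9 @@ int CLASS ljpeg_diff_new (LibRaw_bit_buffer& bits, LibRaw_byte_buffer* buf,ushor
 {
 int len, diff;
 
+if(!huff || !buf)
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
 len = bits._gethuff_lj(buf,*huff,huff+1);
 if (len == 16 && (!dng_version || dng_version >= 0x1010000))
 return -32768;
@@ -744,8 +752,11 @@ void CLASS lossless_jpeg_load_raw()
 }
 #endif
 
-
 if (!ljpeg_start (&jh, 0)) return;
+#ifdef LIBRAW_LIBRARY_BUILD
+if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
 jwide = jh.wide * jh.clrs;
 
 #ifdef LIBRAW_LIBRARY_BUILD
@@ -762,13 +773,19 @@ void CLASS lossless_jpeg_load_raw()
 }
 
 slices = slicesWcnt * jh.high;
+if(!slices)
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
 offset = (unsigned*)calloc(slices+1,sizeof(offset[0]));
 
 for(slice=0;slice<slices;slice++)
 {
 offset[slice] = (t_x + t_y * raw_width)| (t_s<<28);
 if((offset[slice] & 0x0fffffff) >= raw_width * raw_height)
+{
+free(offset);
 throw LIBRAW_EXCEPTION_IO_BADFILE;
+}
 t_y++;
 if(t_y == jh.high)
 {
@@ -821,12 +838,27 @@ void CLASS lossless_jpeg_load_raw()
 pixno++;
 if (0 == --pixelsInSlice)
 {
+if(slice > slices)
+{
+free(offset);
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+}
 unsigned o = offset[slice++];
 pixno = o & 0x0fffffff;
 pixelsInSlice = slicesW[o>>28];
 }
 }
 #endif
+
+if(row>raw_height)
+#ifdef LIBRAW_LIBRARY_BUILD
+{
+free(offset);
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+}
+#else
+longjmp (failure, 3);
+#endif
 if (raw_width == 3984 && (col -= 2) < 0)
 col += (row--,raw_width);
 if (row >= 0) RAW(row,col) = val;
@@ -1283,7 +1315,7 @@ int CLASS minolta_z2()
 if (tail[i]) nz++;
 return nz > 20;
 }
-#line 1557 "dcraw/dcraw.c"
+#line 1589 "dcraw/dcraw.c"
 void CLASS ppm_thumb()
 {
 char *thumb;
@@ -2865,7 +2897,7 @@ void CLASS redcine_load_raw()
 jas_stream_close (in);
 #endif
 }
-#line 3846 "dcraw/dcraw.c"
+#line 3878 "dcraw/dcraw.c"
 void CLASS crop_masked_pixels()
 {
 int row, col;
@@ -2965,7 +2997,7 @@ void CLASS remove_zeroes()
 RUN_CALLBACK(LIBRAW_PROGRESS_REMOVE_ZEROES,1,2);
 #endif
 }
-#line 4111 "dcraw/dcraw.c"
+#line 4143 "dcraw/dcraw.c"
 void CLASS gamma_curve (double pwr, double ts, int mode, int imax)
 {
 int i;
@@ -4460,7 +4492,7 @@ void CLASS parse_thumb_note (int base, unsigned toff, unsigned tlen)
 fseek (ifp, save, SEEK_SET);
 }
 }
-#line 5610 "dcraw/dcraw.c"
+#line 5642 "dcraw/dcraw.c"
 void CLASS parse_makernote (int base, int uptag)
 {
 static const uchar xlat[2][256] = {
@@ -4975,7 +5007,7 @@ void CLASS parse_kodak_ifd (int base)
 fseek (ifp, save, SEEK_SET);
 }
 }
-#line 6130 "dcraw/dcraw.c"
+#line 6162 "dcraw/dcraw.c"
 int CLASS parse_tiff_ifd (int base)
 {
 unsigned entries, tag, type, len, plen=16, save;
@@ -5144,6 +5176,7 @@ int CLASS parse_tiff_ifd (int base)
 data_offset = get4()+base;
 ifd++; break;
 }
+if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
 while (len--) {
 i = ftell(ifp);
 fseek (ifp, get4()+base, SEEK_SET);
@@ -5362,7 +5395,7 @@ int CLASS parse_tiff_ifd (int base)
 break;
 case 50715: /* BlackLevelDeltaH */
 case 50716: /* BlackLevelDeltaV */
-for (num=i=0; i < len; i++)
+for (num=i=0; i < len && i < 65536; i++)
 num += getreal(type);
 black += num/len + 0.5;
 break;
@@ -5495,17 +5528,21 @@ void CLASS apply_tiff()
 if (thumb_offset) {
 fseek (ifp, thumb_offset, SEEK_SET);
 if (ljpeg_start (&jh, 1)) {
-thumb_misc = jh.bits;
-thumb_width = jh.wide;
-thumb_height = jh.high;
+if((unsigned)jh.bits<17 && (unsigned)jh.wide < 0x10000 && (unsigned)jh.high < 0x10000)
+{
+thumb_misc = jh.bits;
+thumb_width = jh.wide;
+thumb_height = jh.high;
+}
 }
 }
 for (i=0; i < tiff_nifds; i++) {
 if (max_samp < tiff_ifd[i].samples)
 max_samp = tiff_ifd[i].samples;
 if (max_samp > 3) max_samp = 3;
 if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
-(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
+unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
+(unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
 tiff_ifd[i].t_width*tiff_ifd[i].t_height > raw_width*raw_height) {
 raw_width = tiff_ifd[i].t_width;
 raw_height = tiff_ifd[i].t_height;
@@ -5592,6 +5629,8 @@ void CLASS apply_tiff()
 is_raw = 0;
 for (i=0; i < tiff_nifds; i++)
 if (i != raw && tiff_ifd[i].samples == max_samp &&
+tiff_ifd[i].bps>0 && tiff_ifd[i].bps < 33 &&
+unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
 tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) >
 thumb_width * thumb_height / SQR(thumb_misc+1)
 && tiff_ifd[i].comp != 34892) {
@@ -6233,7 +6272,7 @@ void CLASS parse_redcine()
 data_offset = get4();
 }
 }
-#line 7390 "dcraw/dcraw.c"
+#line 7429 "dcraw/dcraw.c"
 char * CLASS foveon_gets (int offset, char *str, int len)
 {
 int i;
@@ -6334,7 +6373,7 @@ void CLASS parse_foveon()
 }
 is_foveon = 1;
 }
-#line 7493 "dcraw/dcraw.c"
+#line 7532 "dcraw/dcraw.c"
 /*
 All matrices are from Adobe DNG Converter unless otherwise noted.
 */
@@ -8981,7 +9020,7 @@ void CLASS identify2(unsigned fsize, unsigned flen, char *head)
 }
 
 
-#line 10231 "dcraw/dcraw.c"
+#line 10270 "dcraw/dcraw.c"
 void CLASS convert_to_rgb()
 {
 #ifndef LIBRAW_LIBRARY_BUILD
@@ -9212,7 +9251,7 @@ int CLASS flip_index (int row, int col)
 if (flip & 1) col = iwidth - 1 - col;
 return row * iwidth + col;
 }
-#line 10487 "dcraw/dcraw.c"
+#line 10526 "dcraw/dcraw.c"
 void CLASS tiff_set (ushort *ntag,
 ushort tag, ushort type, int count, int val)
 {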
