
processCanonCameraInfo possible buffer overrun on damaged file

alextutubalin committed Sep 12, 2017
1 parent 82616ef commit 8303e74b0567806dd5f16fc39aab70fe928de1a2
Showing with 12 additions and 7 deletions.
  1. +5 −2 Changelog.txt
  2. +3 −2 dcraw/dcraw.c
  3. +3 −2 internal/dcraw_common.cpp
  4. +1 −1 libraw/libraw_version.h
@@ -1,9 +1,12 @@
2017-09-12 Alex Tutubalin <lexa@lexa.ru>
* Fix for possible heap overrun in Canon makernotes parser
* LibRaw 0.18.4
2017-09-09 Alex Tutubalin <lexa@lexa.ru>
* Fix for CVE-2017-13735
* Additional check for X-Trans CFA pattern data
* CVE-2017-14265: Additional check for X-Trans CFA pattern data
* LibRaw 0.18.3
2017-03-08 Alex Tutubalin <lexa@lexa.ru>
* Fixed several errors (Secunia advisory SA75000)
* ACES colorspace output option included in dcraw_emu help page
@@ -7071,6 +7071,7 @@ void CLASS setCanonBodyFeatures (unsigned id)
void CLASS processCanonCameraInfo (unsigned id, uchar *CameraInfo, unsigned maxlen)
{
ushort iCanonLensID = 0, iCanonMaxFocal = 0, iCanonMinFocal = 0, iCanonLens = 0, iCanonCurFocal = 0, iCanonFocalType = 0;
if(maxlen<16) return; // too short, so broken
CameraInfo[0] = 0;
CameraInfo[1] = 0;
switch (id) {
@@ -8631,7 +8632,7 @@ void CLASS parse_makernote_0xc634(int base, int uptag, unsigned dng_writer)
{
if (tag == 0x000d && len < 256000) // camera info
{
CanonCameraInfo = (uchar*)malloc(len);
CanonCameraInfo = (uchar*)malloc(MAX(16,len));
fread(CanonCameraInfo, len, 1, ifp);
lenCanonCameraInfo = len;
}
@@ -9496,7 +9497,7 @@ void CLASS parse_makernote (int base, int uptag)
{
if (tag == 0x000d && len < 256000) // camera info
{
CanonCameraInfo = (uchar*)malloc(len);
CanonCameraInfo = (uchar*)malloc(MAX(16,len));
fread(CanonCameraInfo, len, 1, ifp);
lenCanonCameraInfo = len;
}
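Review bot: The `fread(CanonCameraInfo, len, 1, ifp)` in the camera-info branch of parse_makernote still ignores its return value, so on a truncated file the buffer stays partly uninitialized heap while `lenCanonCameraInfo = len` advertises the full length to processCanonCameraInfo. The malloc result is not checked either. I would gate the length on a successful read: `lenCanonCameraInfo = 0;` / `if (CanonCameraInfo && fread(CanonCameraInfo, len, 1, ifp) == 1)` / `lenCanonCameraInfo = len;` — with a zero length the new `maxlen<16` early return then rejects the record, assuming the parser is invoked with lenCanonCameraInfo as maxlen, which this hunk does not show. The same pattern appears in the parse_makernote_0xc634 hunk above and in internal/dcraw_common.cpp. parse_makernote continues outside the hunk.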
@@ -5888,6 +5888,7 @@ void CLASS setCanonBodyFeatures (unsigned id)
void CLASS processCanonCameraInfo (unsigned id, uchar *CameraInfo, unsigned maxlen)
{
ushort iCanonLensID = 0, iCanonMaxFocal = 0, iCanonMinFocal = 0, iCanonLens = 0, iCanonCurFocal = 0, iCanonFocalType = 0;
if(maxlen<16) return; // too short, so broken
CameraInfo[0] = 0;
CameraInfo[1] = 0;
switch (id) {
@@ -7448,7 +7449,7 @@ void CLASS parse_makernote_0xc634(int base, int uptag, unsigned dng_writer)
{
if (tag == 0x000d && len < 256000) // camera info
{
CanonCameraInfo = (uchar*)malloc(len);
CanonCameraInfo = (uchar*)malloc(MAX(16,len));
fread(CanonCameraInfo, len, 1, ifp);
lenCanonCameraInfo = len;
}
@@ -8313,7 +8314,7 @@ void CLASS parse_makernote (int base, int uptag)
{
if (tag == 0x000d && len < 256000) // camera info
{
CanonCameraInfo = (uchar*)malloc(len);
CanonCameraInfo = (uchar*)malloc(MAX(16,len));
fread(CanonCameraInfo, len, 1, ifp);
lenCanonCameraInfo = len;
}
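Review bot: With `malloc(MAX(16,len))` followed by a `len`-byte fread, any camera-info record shorter than 16 bytes leaves bytes `[len, 16)` as uninitialized heap; the `maxlen<16` early return protects processCanonCameraInfo only if it is called with lenCanonCameraInfo as maxlen, which the hunk does not show, and any other reader of CanonCameraInfo would see indeterminate data. `calloc(1, MAX(16, len))` makes that padding deterministic at no cost, and its NULL return should be checked before the fread. In processCanonCameraInfo the 16-byte floor covers only the two `CameraInfo[0]`/`CameraInfo[1]` writes visible here; whatever offsets the `switch (id)` body reads lie outside the hunk and need their own comparison against maxlen, since this check alone does not bound them. parse_makernote continues outside the hunk.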
@@ -22,7 +22,7 @@ it under the terms of the one of two licenses as you choose:
#define LIBRAW_MAJOR_VERSION 0
#define LIBRAW_MINOR_VERSION 18
#define LIBRAW_PATCH_VERSION 3
#define LIBRAW_PATCH_VERSION 4
#define LIBRAW_VERSION_TAIL Release
#define LIBRAW_SHLIB_CURRENT 16
