processCanonCameraInfo possible buffer overrun on damaged file

LibRaw · Sep 12, 2017 · 8303e74 · 8303e74
1 parent 82616ef
commit 8303e74
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 7 deletions.
diff --git a/Changelog.txt b/Changelog.txt
@@ -1,9 +1,12 @@
+2017-09-12  Alex Tutubalin <lexa@lexa.ru>
+ * Fix for possible heap overrun in Canon makernotes parser
+ * LibRaw 0.18.4
+
 2017-09-09  Alex Tutubalin <lexa@lexa.ru>
  * Fix for CVE-2017-13735
- * Additional check for X-Trans CFA pattern data
+ * CVE-2017-14265: Additional check for X-Trans CFA pattern data
  * LibRaw 0.18.3
 
-
 2017-03-08  Alex Tutubalin <lexa@lexa.ru>
  * Fixed several errors (Secunia advisory SA75000)
  * ACES colorspace output option included in dcraw_emu help page

diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c
@@ -7071,6 +7071,7 @@ void CLASS setCanonBodyFeatures (unsigned id)
 void CLASS processCanonCameraInfo (unsigned id, uchar *CameraInfo, unsigned maxlen)
 {
   ushort iCanonLensID = 0, iCanonMaxFocal = 0, iCanonMinFocal = 0, iCanonLens = 0, iCanonCurFocal = 0, iCanonFocalType = 0;
+  if(maxlen<16) return; // too short, so broken
   CameraInfo[0] = 0;
   CameraInfo[1] = 0;
   switch (id) {
@@ -8631,7 +8632,7 @@ void CLASS parse_makernote_0xc634(int base, int uptag, unsigned dng_writer)
       {
         if (tag == 0x000d && len < 256000) // camera info
           {
-            CanonCameraInfo = (uchar*)malloc(len);
+            CanonCameraInfo = (uchar*)malloc(MAX(16,len));
             fread(CanonCameraInfo, len, 1, ifp);
             lenCanonCameraInfo = len;
           }
@@ -9496,7 +9497,7 @@ void CLASS parse_makernote (int base, int uptag)
       {
         if (tag == 0x000d && len < 256000)	// camera info
           {
-            CanonCameraInfo = (uchar*)malloc(len);
+            CanonCameraInfo = (uchar*)malloc(MAX(16,len));
             fread(CanonCameraInfo, len, 1, ifp);
             lenCanonCameraInfo = len;
           }

diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
@@ -5888,6 +5888,7 @@ void CLASS setCanonBodyFeatures (unsigned id)
 void CLASS processCanonCameraInfo (unsigned id, uchar *CameraInfo, unsigned maxlen)
 {
   ushort iCanonLensID = 0, iCanonMaxFocal = 0, iCanonMinFocal = 0, iCanonLens = 0, iCanonCurFocal = 0, iCanonFocalType = 0;
+  if(maxlen<16) return; // too short, so broken
   CameraInfo[0] = 0;
   CameraInfo[1] = 0;
   switch (id) {
@@ -7448,7 +7449,7 @@ void CLASS parse_makernote_0xc634(int base, int uptag, unsigned dng_writer)
       {
         if (tag == 0x000d && len < 256000) // camera info
           {
-            CanonCameraInfo = (uchar*)malloc(len);
+            CanonCameraInfo = (uchar*)malloc(MAX(16,len));
             fread(CanonCameraInfo, len, 1, ifp);
             lenCanonCameraInfo = len;
           }
@@ -8313,7 +8314,7 @@ void CLASS parse_makernote (int base, int uptag)
       {
         if (tag == 0x000d && len < 256000)	// camera info
           {
-            CanonCameraInfo = (uchar*)malloc(len);
+            CanonCameraInfo = (uchar*)malloc(MAX(16,len));
             fread(CanonCameraInfo, len, 1, ifp);
             lenCanonCameraInfo = len;
           }

diff --git a/libraw/libraw_version.h b/libraw/libraw_version.h
@@ -22,7 +22,7 @@ it under the terms of the one of two licenses as you choose:
 
 #define LIBRAW_MAJOR_VERSION  0
 #define LIBRAW_MINOR_VERSION  18
-#define LIBRAW_PATCH_VERSION  3
+#define LIBRAW_PATCH_VERSION  4
 #define LIBRAW_VERSION_TAIL   Release
 
 #define LIBRAW_SHLIB_CURRENT  	16