Skip to content
Permalink
Browse files

Fixed Secunia Advisory SA86384

   - possible infinite loop in unpacked_load_raw()
   - possible infinite loop in parse_rollei()
   - possible infinite loop in parse_sinar_ia()

 Credits: Laurent Delosieres, Secunia Research at Flexera
  • Loading branch information...
alextutubalin committed Nov 22, 2018
1 parent bcc115d commit 9eb76dc153f5acf42ec7325a33fe7ccdcadaf8d6
Showing with 6 additions and 2 deletions.
  1. +3 −1 dcraw/dcraw.c
  2. +3 −1 internal/dcraw_common.cpp
@@ -16211,7 +16211,7 @@ void CLASS parse_rollei()
memset(&t, 0, sizeof t);
do
{
fgets(line, 128, ifp);
if(!fgets(line, 128, ifp)) break;
if ((val = strchr(line, '=')))
*val++ = 0;
else
@@ -16249,6 +16249,7 @@ void CLASS parse_sinar_ia()
order = 0x4949;
fseek(ifp, 4, SEEK_SET);
entries = get4();
if(entries < 1 || entries > 8192) return;
fseek(ifp, get4(), SEEK_SET);
while (entries--)
{
if (maximum < 0x10000 && curve[maximum] > 0 && load_raw == &CLASS sony_arw2_load_raw)
maximum = curve[maximum];
}
if(maximum > 0xffff) maximum = 0xffff;
if (!load_raw || height < 22 || width < 22 ||
#ifdef LIBRAW_LIBRARY_BUILD
(tiff_bps > 16 && load_raw != &LibRaw::deflate_dng_load_raw)
@@ -14873,7 +14873,7 @@ void CLASS parse_rollei()
memset(&t, 0, sizeof t);
do
{
fgets(line, 128, ifp);
if(!fgets(line, 128, ifp)) break;
if ((val = strchr(line, '=')))
*val++ = 0;
else
@@ -14911,6 +14911,7 @@ void CLASS parse_sinar_ia()
order = 0x4949;
fseek(ifp, 4, SEEK_SET);
entries = get4();
if(entries < 1 || entries > 8192) return;
fseek(ifp, get4(), SEEK_SET);
while (entries--)
{
if (maximum < 0x10000 && curve[maximum] > 0 && load_raw == &CLASS sony_arw2_load_raw)
maximum = curve[maximum];
}
if(maximum > 0xffff) maximum = 0xffff;
if (!load_raw || height < 22 || width < 22 ||
#ifdef LIBRAW_LIBRARY_BUILD
(tiff_bps > 16 && load_raw != &LibRaw::deflate_dng_load_raw)

0 comments on commit 9eb76dc

Please sign in to comment.
You can’t perform that action at this time.