
Commit 9f26ce3

committed
SA81000: LibRaw 0.18.8
1 parent 1583986 commit 9f26ce3


4 files changed

+63
-17
lines changed


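--- a/Changelog.txt
+++ b/Changelog.txt
@@ -1,3 +1,11 @@
+2018-02-23 Alex Tutubalin <lexa@lexa.ru>
+Secunia #81000:
+Credit: Laurent Delosieres, Secunia Research at Flexera
+* leaf_hdr_load_raw: check for image pointer for demosaiced raw
+* NOKIARAW parser: check image dimensions readed from file
+* quicktake_100_load_raw: check width/height limits
+* LibRaw 0.18.8
+
 2018-01-29 Alex Tutubalin <lexa@lexa.ru>
 * Checks for width+left_margin/height+top_margin not larger than 64k
 * LIBRAW_MAX_ALLOC_MB define limits maximum image/raw_image allocation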

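--- a/dcraw/dcraw.c
+++ b/dcraw/dcraw.c
@@ -2365,6 +2365,10 @@ void CLASS leaf_hdr_load_raw()
 unsigned tile=0, r, c, row, col;
 
 if (!filters) {
+#ifdef LIBRAW_LIBRARY_BUILD
+if(!image)
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
 pixel = (ushort *) calloc (raw_width, sizeof *pixel);
 merror (pixel, "leaf_hdr_load_raw()");
 }
@@ -2894,7 +2898,11 @@ void CLASS quicktake_100_load_raw()
 654,665,676,687,698,710,721,732,743,754,766,777,788,799,810,822,833,844,
 855,866,878,889,900,911,922,933,945,956,967,978,989,1001,1012,1023 };
 int rb, row, col, sharp, val=0;
-
+#ifdef LIBRAW_LIBRARY_BUILD
+if(width>640 || height > 480)
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
+
 getbits(-1);
 memset (pixel, 0x80, sizeof pixel);
 for (row=2; row < height+2; row++) {
@@ -15649,13 +15657,24 @@ void CLASS identify()
 i = get4();
 width = get2();
 height = get2();
-switch (tiff_bps = i*8 / (width * height)) {
-case 8: load_raw = &CLASS eight_bit_load_raw; break;
-case 10: load_raw = &CLASS nokia_load_raw;
-}
-raw_height = height + (top_margin = i / (width * tiff_bps/8) - height);
-mask[0][3] = 1;
-filters = 0x61616161;
+#ifdef LIBRAW_LIBRARY_BUILD
+// data length should be in range w*h..w*h*2
+if(width*height < (LIBRAW_MAX_ALLOC_MB*1024*512L) && width*height>1
+&& i >= width * height && i <= width*height*2)
+{
+#endif
+switch (tiff_bps = i*8 / (width * height)) {
+case 8: load_raw = &CLASS eight_bit_load_raw; break;
+case 10: load_raw = &CLASS nokia_load_raw;
+}
+raw_height = height + (top_margin = i / (width * tiff_bps/8) - height);
+mask[0][3] = 1;
+filters = 0x61616161;
+#ifdef LIBRAW_LIBRARY_BUILD
+}
+else
+is_raw = 0;
+#endif
 } else if (!memcmp (head,"ARRI",4)) {
 order = 0x4949;
 fseek (ifp, 20, SEEK_SET);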
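Review bot: In the NOKIARAW branch of identify(), the new guard evaluates `width*height` and `width*height*2` in the operands' promoted type, so if both fields are 16-bit values filled by get2() (their declarations are outside the hunk) the product can overflow before it is compared with the LIBRAW_MAX_ALLOC_MB limit. Likewise, if `i` is a 32-bit unsigned, `i*8` in the switch can wrap for a value the guard accepts, which could leave `width * tiff_bps/8` at zero in the divisor that follows. Computing the pixel count once in a wide unsigned type would address both: `unsigned long long px = (unsigned long long)width * height;`, `if (px > 1 && px < LIBRAW_MAX_ALLOC_MB*1024*512ULL && i >= px && i <= px*2)`, and `tiff_bps = (unsigned long long)i*8 / px`. The guard also admits sample sizes from 8 to 16 bits while the switch assigns load_raw only for 8 and 10, so a `default: is_raw = 0;` would reject the other values instead of leaving load_raw at whatever it held before. The same lines appear in the internal/dcraw_common.cpp section, and identify() starts and ends outside the hunk.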

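--- a/internal/dcraw_common.cpp
+++ b/internal/dcraw_common.cpp
@@ -2077,6 +2077,10 @@ void CLASS leaf_hdr_load_raw()
 unsigned tile=0, r, c, row, col;
 
 if (!filters) {
+#ifdef LIBRAW_LIBRARY_BUILD
+if(!image)
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
 pixel = (ushort *) calloc (raw_width, sizeof *pixel);
 merror (pixel, "leaf_hdr_load_raw()");
 }
@@ -2606,7 +2610,11 @@ void CLASS quicktake_100_load_raw()
 654,665,676,687,698,710,721,732,743,754,766,777,788,799,810,822,833,844,
 855,866,878,889,900,911,922,933,945,956,967,978,989,1001,1012,1023 };
 int rb, row, col, sharp, val=0;
-
+#ifdef LIBRAW_LIBRARY_BUILD
+if(width>640 || height > 480)
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
+
 getbits(-1);
 memset (pixel, 0x80, sizeof pixel);
 for (row=2; row < height+2; row++) {
@@ -14311,13 +14319,24 @@ void CLASS identify()
 i = get4();
 width = get2();
 height = get2();
-switch (tiff_bps = i*8 / (width * height)) {
-case 8: load_raw = &CLASS eight_bit_load_raw; break;
-case 10: load_raw = &CLASS nokia_load_raw;
-}
-raw_height = height + (top_margin = i / (width * tiff_bps/8) - height);
-mask[0][3] = 1;
-filters = 0x61616161;
+#ifdef LIBRAW_LIBRARY_BUILD
+// data length should be in range w*h..w*h*2
+if(width*height < (LIBRAW_MAX_ALLOC_MB*1024*512L) && width*height>1
+&& i >= width * height && i <= width*height*2)
+{
+#endif
+switch (tiff_bps = i*8 / (width * height)) {
+case 8: load_raw = &CLASS eight_bit_load_raw; break;
+case 10: load_raw = &CLASS nokia_load_raw;
+}
+raw_height = height + (top_margin = i / (width * tiff_bps/8) - height);
+mask[0][3] = 1;
+filters = 0x61616161;
+#ifdef LIBRAW_LIBRARY_BUILD
+}
+else
+is_raw = 0;
+#endif
 } else if (!memcmp (head,"ARRI",4)) {
 order = 0x4949;
 fseek (ifp, 20, SEEK_SET);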

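--- a/libraw/libraw_version.h
+++ b/libraw/libraw_version.h
@@ -22,7 +22,7 @@ it under the terms of the one of two licenses as you choose:
 
 #define LIBRAW_MAJOR_VERSION 0
 #define LIBRAW_MINOR_VERSION 18
-#define LIBRAW_PATCH_VERSION 7
+#define LIBRAW_PATCH_VERSION 8
 #define LIBRAW_VERSION_TAIL Release
 
 #define LIBRAW_SHLIB_CURRENT 16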
