
Commit d7c3d2c

Secunia SA75000 advisory: several buffer overruns
1 parent d4c4f5c commit d7c3d2c


2 files changed

+20
-4
lines changed


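--- a/dcraw/dcraw.c
+++ b/dcraw/dcraw.c
@@ -12870,6 +12870,10 @@ int CLASS parse_tiff_ifd(int base)
 load_raw = &CLASS sony_arw_load_raw;
 data_offset = get4() + base;
 ifd++;
+#ifdef LIBRAW_LIBRARY_BUILD
+if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0])
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
 break;
 }
 #ifdef LIBRAW_LIBRARY_BUILD
@@ -13177,7 +13181,7 @@ int CLASS parse_tiff_ifd(int base)
 break;
 case 50454: /* Sinar tag */
 case 50455:
-if (len > 2560000 || !(cbuf = (char *)malloc(len)))
+if (len < 1 || len > 2560000 || !(cbuf = (char *)malloc(len)))
 break;
 #ifndef LIBRAW_LIBRARY_BUILD
 fread(cbuf, 1, len, ifp);
@@ -14795,7 +14799,11 @@ int CLASS parse_jpeg(int offset)
 }
 order = get2();
 hlen = get4();
-if (get4() == 0x48454150) /* "HEAP" */
+if (get4() == 0x48454150
+#ifdef LIBRAW_LIBRARY_BUILD
+&& (save+hlen) >= 0 && (save+hlen)<=ifp->size()
+#endif
+) /* "HEAP" */
 {
 #ifdef LIBRAW_LIBRARY_BUILD
 imgdata.lens.makernotes.CameraMount = LIBRAW_MOUNT_FixedLens;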
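Review bot: In the parse_jpeg hunk the new bound `(save+hlen) >= 0 && (save+hlen)<=ifp->size()` performs the addition before anything has validated `hlen`, which is taken directly from `get4()` two lines earlier. If `save` and `hlen` are signed ints (their declarations are outside the hunk), an overflowing sum is undefined behaviour and the compiler may drop the `>= 0` test, so the comparison is safer done in a wider type, e.g. `&& hlen >= 0 && (long long)save + hlen <= ifp->size()`. This guard, like the `ifd` bound added in the first parse_tiff_ifd hunk, is compiled only under `LIBRAW_LIBRARY_BUILD`, so the non-library build keeps the unchecked paths; a short comment stating whether that is intentional would help the next reader. The same applies to the identical hunks in internal/dcraw_common.cpp, and parse_jpeg's body continues outside the hunk.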

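--- a/internal/dcraw_common.cpp
+++ b/internal/dcraw_common.cpp
@@ -11542,6 +11542,10 @@ int CLASS parse_tiff_ifd(int base)
 load_raw = &CLASS sony_arw_load_raw;
 data_offset = get4() + base;
 ifd++;
+#ifdef LIBRAW_LIBRARY_BUILD
+if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0])
+throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
 break;
 }
 #ifdef LIBRAW_LIBRARY_BUILD
@@ -11849,7 +11853,7 @@ int CLASS parse_tiff_ifd(int base)
 break;
 case 50454: /* Sinar tag */
 case 50455:
-if (len > 2560000 || !(cbuf = (char *)malloc(len)))
+if (len < 1 || len > 2560000 || !(cbuf = (char *)malloc(len)))
 break;
 #ifndef LIBRAW_LIBRARY_BUILD
 fread(cbuf, 1, len, ifp);
@@ -13467,7 +13471,11 @@ int CLASS parse_jpeg(int offset)
 }
 order = get2();
 hlen = get4();
-if (get4() == 0x48454150) /* "HEAP" */
+if (get4() == 0x48454150
+#ifdef LIBRAW_LIBRARY_BUILD
+&& (save+hlen) >= 0 && (save+hlen)<=ifp->size()
+#endif
+) /* "HEAP" */
 {
 #ifdef LIBRAW_LIBRARY_BUILD
 imgdata.lens.makernotes.CameraMount = LIBRAW_MOUNT_FixedLens;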
