
Fixed Secunia Advisory SA86384

   - possible infinite loop in unpacked_load_raw()
   - possible infinite loop in parse_rollei()
   - possible infinite loop in parse_sinar_ia()

 Credits: Laurent Delosieres, Secunia Research at Flexera
alextutubalin committed Nov 22, 2018
1 parent 269f90b commit e67a9862d10ebaa97712f532eca1eb5e2e410a22
Showing with 6 additions and 2 deletions.
  1. +3 −1 dcraw/dcraw.c
  2. +3 −1 internal/dcraw_common.cpp
memset(&t, 0, sizeof t);
do
{
fgets(line, 128, ifp);
if(!fgets(line, 128, ifp)) break;
if ((val = strchr(line, '=')))
*val++ = 0;
else
order = 0x4949;
fseek(ifp, 4, SEEK_SET);
entries = get4();
if(entries < 1 || entries > 8192) return;
fseek(ifp, get4(), SEEK_SET);
while (entries--)
{
if (maximum < 0x10000 && curve[maximum] > 0 && load_raw == &CLASS sony_arw2_load_raw)
maximum = curve[maximum];
}
if(maximum > 0xffff) maximum = 0xffff;
if (!load_raw || height < 22 || width < 22 ||
#ifdef LIBRAW_LIBRARY_BUILD
(tiff_bps > 16 && (load_raw != &LibRaw::deflate_dng_load_raw && load_raw != &LibRaw::float_dng_load_raw_placeholder))
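Review bot: The added clamp `if(maximum > 0xffff) maximum = 0xffff;` after the sony_arw2 curve lookup has no comment saying which consumer it protects, and it bounds the value in the caller rather than at the point of use. Presumably this is the unpacked_load_raw() fix named in the commit message; that function is outside this view, so if `maximum` can be assigned again after this point, the loop there would still receive an unbounded value derived from file contents. I would add a comment such as `/* SA86384: keep maximum within 16 bits; unpacked_load_raw() loops on it */` here and consider bounding the loop itself as well. The enclosing function starts and ends outside this section, and the identical change in internal/dcraw_common.cpp has the same gap.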
@@ -15352,7 +15352,7 @@ void CLASS parse_rollei()
memset(&t, 0, sizeof t);
do
{
fgets(line, 128, ifp);
if(!fgets(line, 128, ifp)) break;
if ((val = strchr(line, '=')))
*val++ = 0;
else
@@ -15390,6 +15390,7 @@ void CLASS parse_sinar_ia()
order = 0x4949;
fseek(ifp, 4, SEEK_SET);
entries = get4();
if(entries < 1 || entries > 8192) return;
fseek(ifp, get4(), SEEK_SET);
while (entries--)
{
if (maximum < 0x10000 && curve[maximum] > 0 && load_raw == &CLASS sony_arw2_load_raw)
maximum = curve[maximum];
}
if(maximum > 0xffff) maximum = 0xffff;
if (!load_raw || height < 22 || width < 22 ||
#ifdef LIBRAW_LIBRARY_BUILD
(tiff_bps > 16 && (load_raw != &LibRaw::deflate_dng_load_raw && load_raw != &LibRaw::float_dng_load_raw_placeholder))
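Review bot: The new `if(!fgets(line, 128, ifp)) break;` in parse_rollei() leaves the loop on EOF or a read error, but whatever follows the loop (outside this hunk) then appears to run as if the header had been read completely. If a truncated header should be rejected, this should return from the function instead; if accepting it is intentional, a comment such as `/* EOF before end of header: stop parsing, keep what was read */` would say so. The literal 128 also repeats the size of `line`, which is declared outside the hunk; assuming it is an array, `if (!fgets(line, sizeof line, ifp)) break;` keeps the two in step. The same line in dcraw/dcraw.c has the same issue.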
