Avoid overflow in ljpeg_start().
- Loading branch information
Showing 1 changed file with 2 additions and 1 deletion.
983bda1
The patch was the one received from David Coffin (author of dcraw) off-channel before making the vulnerability public, if I remember correctly.

I think the `len < 2` check is related to the line where len can be USHORT-MAX-1, which may result in a possible read error in the following `fread()` call - but you can easily trigger a read error even without underflowing. I don't see any security-related bugs triggered by omitting the check: len is an unsigned integer, and the data array is of size USHORT_MAX+1. Neither overflow nor underflow can occur.

The fix in netpbm and Fedora is somewhat cleaner than the upstream fix in dcraw, but all are good from a security perspective.
For the interested: Rawstudio plans to remove dcraw completely from a future version and rely solely on RawSpeed - and maybe calling an external dcraw binary as a fall-back option to support ancient file formats.
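The `len < 2` guard discussed in the comment above, as an added illustration rather than dcraw's or netpbm's own code: a hypothetical segment reader takes a 2-byte big-endian length that counts itself, and the guard keeps the unsigned `len - 2` passed to the payload read from wrapping when the header is malformed. The buffer size (65536 bytes), the in-memory cursor standing in for `fread()`, and the function names are all assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed stand-in for the data array the comment describes:
   USHORT_MAX + 1 bytes, so any 16-bit segment payload fits. */
#define DATA_SIZE 65536
static unsigned char data[DATA_SIZE];

/* Constructed in-memory stream standing in for the FILE* that
   fread() would consume; it never reads past the bytes it holds. */
struct cursor { const unsigned char *p; size_t left; };

static size_t cursor_read(struct cursor *c, void *dst, size_t n) {
    if (n > c->left) n = c->left;        /* behaves like a short fread() */
    memcpy(dst, c->p, n);
    c->p += n;
    c->left -= n;
    return n;
}

/* Read one segment: 2-byte big-endian length (which includes the
   two length bytes themselves), then len - 2 payload bytes into data.
   Returns the payload length, or -1 on a malformed or truncated segment.
   Without the len < 2 check, a length of 0 or 1 would make the unsigned
   expression len - 2 wrap to a huge value before it reaches the read. */
long read_segment(struct cursor *c) {
    unsigned char hdr[2];
    unsigned len;
    if (cursor_read(c, hdr, 2) != 2) return -1;
    len = ((unsigned)hdr[0] << 8) | hdr[1];
    if (len < 2) return -1;              /* the guard from the patch */
    if (cursor_read(c, data, len - 2) != len - 2) return -1;
    return (long)(len - 2);
}

/* Convenience wrapper for running read_segment() over a byte string. */
long parse_bytes(const unsigned char *buf, size_t n) {
    struct cursor c = { buf, n };
    return read_segment(&c);
}
```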