From 35c276a51e96fd25c976d70a762e76dd2e048331 Mon Sep 17 00:00:00 2001
From: Andreas Sturmlechner <asturm@gentoo.org>
Date: Mon, 16 Sep 2019 01:34:26 +0200
Subject: media-gfx/ufraw: Fix CVE-2015-8366 and CVE-2018-19655

Thanks to openSUSE for the patches.

Package-Manager: Portage-2.3.76, Repoman-2.3.17
Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
---
 .../ufraw/files/ufraw-0.22-CVE-2015-8366.patch     | 17 +++++++++
 .../ufraw/files/ufraw-0.22-CVE-2018-19655.patch    | 44 ++++++++++++++++++++++
 media-gfx/ufraw/ufraw-0.22-r3.ebuild               |  2 +
 3 files changed, 63 insertions(+)
 create mode 100644 media-gfx/ufraw/files/ufraw-0.22-CVE-2015-8366.patch
 create mode 100644 media-gfx/ufraw/files/ufraw-0.22-CVE-2018-19655.patch

(limited to 'media-gfx/ufraw')

diff --git a/media-gfx/ufraw/files/ufraw-0.22-CVE-2015-8366.patch b/media-gfx/ufraw/files/ufraw-0.22-CVE-2015-8366.patch
new file mode 100644
index 000000000000..9d59ca413fbe
--- /dev/null
+++ b/media-gfx/ufraw/files/ufraw-0.22-CVE-2015-8366.patch
@@ -0,0 +1,17 @@
+Fix a buffer overflow bug.  See
+https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2
+
+--- a/dcraw.cc
++++ b/dcraw.cc
+@@ -3013,7 +3013,10 @@
+       diff = diff ? -diff : 0x80;
+     if (ftell(ifp) + 12 >= (int) seg[1][1])
+       diff = 0;
+-    raw_image[pix] = pred[pix & 1] += diff;
++    if(pix>=raw_width*raw_height)
++      derror();
++    else
++      raw_image[pix] = pred[pix & 1] += diff;
+     if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
+   }
+   maximum = 0xff;
diff --git a/media-gfx/ufraw/files/ufraw-0.22-CVE-2018-19655.patch b/media-gfx/ufraw/files/ufraw-0.22-CVE-2018-19655.patch
new file mode 100644
index 000000000000..78b46b4452e0
--- /dev/null
+++ b/media-gfx/ufraw/files/ufraw-0.22-CVE-2018-19655.patch
@@ -0,0 +1,44 @@
+Description: stack-based buffer overflow bug
+Bug-Debian: https://bugs.debian.org/890086
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-19655
+Author: Filip Hroch <hroch@physics.muni.cz>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2018-12-02
+
+--- a/dcraw.cc
++++ b/dcraw.cc
+@@ -8505,9 +8505,15 @@ float CLASS find_green (int bps, int bit
+ {
+   UINT64 bitbuf=0;
+   int vbits, col, i, c;
+-  ushort img[2][2064];
++  ushort *img;
+   double sum[]={0,0};
+ 
++#define IMG2D(row,col) \
++  img[(row)*width+(col)]
++
++  img = (ushort *) malloc(2*width*sizeof(ushort));
++  merror (img, "find_green()");
++
+   FORC(2) {
+     fseek (ifp, c ? off1:off0, SEEK_SET);
+     for (vbits=col=0; col < width; col++) {
+@@ -8516,13 +8522,14 @@ float CLASS find_green (int bps, int bit
+ 	for (i=0; i < bite; i+=8)
+ 	  bitbuf |= (unsigned) (fgetc(ifp) << i);
+       }
+-      img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps);
++      IMG2D(c,col) = bitbuf << (64-bps-vbits) >> (64-bps);
+     }
+   }
+   FORC(width-1) {
+-    sum[ c & 1] += ABS(img[0][c]-img[1][c+1]);
+-    sum[~c & 1] += ABS(img[1][c]-img[0][c+1]);
++    sum[ c & 1] += ABS(IMG2D(0,c)-IMG2D(1,c+1));
++    sum[~c & 1] += ABS(IMG2D(1,c)-IMG2D(0,c+1));
+   }
++  free(img);
+   return 100 * log(sum[0]/sum[1]);
+ }
+ 
diff --git a/media-gfx/ufraw/ufraw-0.22-r3.ebuild b/media-gfx/ufraw/ufraw-0.22-r3.ebuild
index b43d97d6022b..f31268404678 100644
--- a/media-gfx/ufraw/ufraw-0.22-r3.ebuild
+++ b/media-gfx/ufraw/ufraw-0.22-r3.ebuild
@@ -44,6 +44,8 @@ PATCHES=(
 	"${FILESDIR}"/${P}-jpeg9.patch
 	"${FILESDIR}"/${P}-exiv2-0.27.patch
 	"${FILESDIR}"/${P}-gcc9.patch
+	"${FILESDIR}"/${P}-CVE-2015-8366.patch
+	"${FILESDIR}"/${P}-CVE-2018-19655.patch
 )
 
 src_prepare() {
-- 
cgit v1.2.3-65-gdbad