Diffstat (limited to 'media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch')
-rw-r--r--media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch52
1 files changed, 52 insertions, 0 deletions
diff --git a/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch b/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch
new file mode 100644
index 000000000000..c17c66c41ab7
--- /dev/null
+++ b/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch
@@ -0,0 +1,52 @@
+From 6b4ff65c6fc1a88eaa7bfc1ee5a25413d171b5f7 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Thu, 21 May 2015 13:47:29 +0200
+Subject: [PATCH] patch: CVE-2015-3885
+
+Squashed commit of the following:
+
+commit 8f2a2348638f74e059069d98a6329fcc656ae4b5
+Author: Nils Philippsen <nils@redhat.com>
+Date: Tue May 19 11:36:57 2015 +0200
+
+ CVE-2015-3885: avoid overflowing array
+
+ When reading raw image files containing lossless JPEG data, headers
+ could be manipulated to make the signed int variable 'len' negative
+ which specifies how much actual data follows. Interpreted as unsigned,
+ this could lead to reading file data past the 64k boundary of the array
+ used for storing it. To avoid that, make 'len' unsigned short, and bail
+ out early if its value would become invalid (i.e. <= 0).
+---
+ dcraw.cc | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/dcraw.cc b/dcraw.cc
+index 75ea121..d9f96ff 100644
+--- a/dcraw.cc
++++ b/dcraw.cc
+@@ -934,7 +934,8 @@ struct jhead {
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
+@@ -945,8 +946,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ do {
+ fread (data, 2, 2, ifp);
+ tag = data[0] << 8 | data[1];
+- len = (data[2] << 8 | data[3]) - 2;
+- if (tag <= 0xff00) return 0;
++ len = (data[2] << 8 | data[3]);
++ if (tag <= 0xff00 || len <= 2) return 0;
++ len -= 2;
+ fread (data, 1, len, ifp);
+ switch (tag) {
+ case 0xffc3:
+--
+2.4.1
+
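Review bot: Both fread calls in the patched loop are still unchecked after the fix: the 4-byte header read `fread (data, 2, 2, ifp)` and the payload read `fread (data, 1, len, ifp)`. On a truncated file the header read leaves data[0..3] holding whatever was there before (uninitialized stack bytes on the first pass, the previous segment's payload afterwards), and a short payload read leaves the tail of `data` stale, yet the following `switch (tag)` consumes `len` bytes as if they had been read. The new `ushort len` and the `len <= 2` bail-out do keep the read inside the 64 KiB array, so this is a robustness gap rather than a memory-safety bug, but it is cheap to close: `if (fread (data, 2, 2, ifp) != 2) return 0;` and `if (fread (data, 1, len, ifp) != len) return 0;`. ljpeg_start continues past the end of the hunk, so the per-tag parsing that reads from `data` is not visible here.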