Diffstat (limited to 'media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch')
-rw-r--r-- | media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch b/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch
new file mode 100644
index 000000000000..c17c66c41ab7
--- /dev/null
+++ b/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch
@@ -0,0 +1,52 @@
+From 6b4ff65c6fc1a88eaa7bfc1ee5a25413d171b5f7 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Thu, 21 May 2015 13:47:29 +0200
+Subject: [PATCH] patch: CVE-2015-3885
+
+Squashed commit of the following:
+
+commit 8f2a2348638f74e059069d98a6329fcc656ae4b5
+Author: Nils Philippsen <nils@redhat.com>
+Date: Tue May 19 11:36:57 2015 +0200
+
+ CVE-2015-3885: avoid overflowing array
+
+ When reading raw image files containing lossless JPEG data, headers
+ could be manipulated to make the signed int variable 'len' negative
+ which specifies how much actual data follows. Interpreted as unsigned,
+ this could lead to reading file data past the 64k boundary of the array
+ used for storing it. To avoid that, make 'len' unsigned short, and bail
+ out early if its value would become invalid (i.e. <= 0).
+---
+ dcraw.cc | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/dcraw.cc b/dcraw.cc
+index 75ea121..d9f96ff 100644
+--- a/dcraw.cc
++++ b/dcraw.cc
+@@ -934,7 +934,8 @@ struct jhead {
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
+@@ -945,8 +946,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ do {
+ fread (data, 2, 2, ifp);
+ tag = data[0] << 8 | data[1];
+- len = (data[2] << 8 | data[3]) - 2;
+- if (tag <= 0xff00) return 0;
++ len = (data[2] << 8 | data[3]);
++ if (tag <= 0xff00 || len <= 2) return 0;
++ len -= 2;
+ fread (data, 1, len, ifp);
+ switch (tag) {
+ case 0xffc3:
+--
+2.4.1
+ |
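Review bot: Both `fread` calls in the second dcraw.cc hunk still ignore their return value, so on a truncated file `tag` and `len` are computed from whatever `data` already holds (stale, or possibly uninitialized, bytes). A short payload read likewise leaves the tail of `data` from an earlier segment for the `switch` to parse. The new `ushort len` and the `len <= 2` check do keep the read inside the 64k array, but they do not cover short reads. Consider `if (fread (data, 2, 2, ifp) != 2) return 0;` for the header and `if (fread (data, 1, len, ifp) != len) return 0;` for the payload. The body of `ljpeg_start` continues outside the hunk, so how much of `data` each `case` consumes is not visible here.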