From 6b4ff65c6fc1a88eaa7bfc1ee5a25413d171b5f7 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Thu, 21 May 2015 13:47:29 +0200
Subject: [PATCH] patch: CVE-2015-3885

Squashed commit of the following:

commit 8f2a2348638f74e059069d98a6329fcc656ae4b5
Author: Nils Philippsen <nils@redhat.com>
Date:   Tue May 19 11:36:57 2015 +0200

    CVE-2015-3885: avoid overflowing array

    When reading raw image files containing lossless JPEG data, headers
    could be manipulated to make the signed int variable 'len' negative
    which specifies how much actual data follows. Interpreted as unsigned,
    this could lead to reading file data past the 64k boundary of the array
    used for storing it. To avoid that, make 'len' unsigned short, and bail
    out early if its value would become invalid (i.e. <= 0).
---
 dcraw.cc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/dcraw.cc b/dcraw.cc
index 75ea121..d9f96ff 100644
--- a/dcraw.cc
+++ b/dcraw.cc
@@ -934,7 +934,8 @@ struct jhead {
 
 int CLASS ljpeg_start (struct jhead *jh, int info_only)
 {
-  int c, tag, len;
+  int c, tag;
+  ushort len;
   uchar data[0x10000];
   const uchar *dp;
 
@@ -945,8 +946,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
   do {
     fread (data, 2, 2, ifp);
     tag =  data[0] << 8 | data[1];
-    len = (data[2] << 8 | data[3]) - 2;
-    if (tag <= 0xff00) return 0;
+    len = (data[2] << 8 | data[3]);
+    if (tag <= 0xff00 || len <= 2) return 0;
+    len -= 2;
     fread (data, 1, len, ifp);
     switch (tag) {
       case 0xffc3:
-- 
2.4.1