File libraw-CVE-2025-43962,43961.patch of Package libraw.38397

Index: LibRaw-0.18.9/internal/dcraw_common.cpp
===================================================================
--- LibRaw-0.18.9.orig/internal/dcraw_common.cpp
+++ LibRaw-0.18.9/internal/dcraw_common.cpp
@@ -1804,6 +1804,9 @@ int CLASS phase_one_correct()
   if (off_412) {
     fseek (ifp, off_412, SEEK_SET);
     for (i=0; i < 9; i++) head[i] = get4() & 0x7fff;
+    unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
+    if (w0 > 10240000 || w1 > 10240000)
+       throw LIBRAW_EXCEPTION_ALLOC;
     yval[0] = (float *) calloc (head[1]*head[3] + head[2]*head[4], 6);
     merror (yval[0], "phase_one_correct()");
     yval[1] = (float  *) (yval[0] + head[1]*head[3]);
@@ -1828,9 +1831,17 @@ int CLASS phase_one_correct()
 	for (i=cip; i < cip+2; i++) {
 	  for (k=j=0; j < head[1]; j++)
 	    if (num < xval[0][k = head[1]*i+j]) break;
-	  frac = (j == 0 || j == head[1]) ? 0 :
-		(xval[0][k] - num) / (xval[0][k] - xval[0][k-1]);
-	  mult[i-cip] = yval[0][k-1] * frac + yval[0][k] * (1-frac);
+              if (j == 0 || j == head[1] || k < 1 || k >= w0+w1)
+                      frac = 0;
+              else
+              {
+                      int xdiv = (xval[0][k] - xval[0][k - 1]);
+                      frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0;
+              }
+              if (k < w0 + w1)
+                      mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * frac + yval[0][k] * (1 - frac);
+              else
+                      mult[i - cip] = 0;
 	}
 	i = ((mult[0] * (1-cfrac) + mult[1] * cfrac) * row + num) * 2;
 	RAW(row,col) = LIM(i,0,65535);
@@ -11053,7 +11064,10 @@ guess_cfa_pc:
 			{
 			  if ((fwb[0]==rafdata[fi]) && (fwb[1]==rafdata[fi+1]) && (fwb[2]==rafdata[fi+2]))
 			  {
-			    if (rafdata[fi-15] != fwb[0]) continue;
+                            if (fi > 14)
+                            {
+			    if (rafdata[fi - 15] != fwb[0]) continue;
+
 			    fi = fi - 15;
                             imgdata.color.WB_Coeffs[LIBRAW_WBI_FineWeather][1] = imgdata.color.WB_Coeffs[LIBRAW_WBI_FineWeather][3] = rafdata[fi];
                             imgdata.color.WB_Coeffs[LIBRAW_WBI_FineWeather][0] = rafdata[fi+1];
@@ -11078,9 +11092,12 @@ guess_cfa_pc:
                             imgdata.color.WB_Coeffs[LIBRAW_WBI_Tungsten][1] = imgdata.color.WB_Coeffs[LIBRAW_WBI_Tungsten][3] = rafdata[fi+15];
                             imgdata.color.WB_Coeffs[LIBRAW_WBI_Tungsten][0] = rafdata[fi+16];
                             imgdata.color.WB_Coeffs[LIBRAW_WBI_Tungsten][2] = rafdata[fi+17];
+                            }
 
                 fi += 111;
                 for (fj = fi; fj<(fi+15); fj+=3)
+                  if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3)
+                    break;
                   if (rafdata[fj] != rafdata[fi])
                   {
                     found = 1;
@@ -11090,7 +11107,7 @@ guess_cfa_pc:
                 {
                   int FujiCCT_K [31] = {2500,2550,2650,2700,2800,2850,2950,3000,3100,3200,3300,3400,3600,3700,3800,4000,4200,4300,4500,4800,5000,5300,5600,5900,6300,6700,7100,7700,8300,9100,10000};
                   fj = fj - 93;
-                  for (int iCCT=0; iCCT < 31; iCCT++)
+                  for (int iCCT=0; iCCT < 31 && fj < libraw_internal_data.unpacker_data.lenRAFData - 3; iCCT++)
                   {
                     imgdata.color.WBCT_Coeffs[iCCT][0] = FujiCCT_K[iCCT];
                     imgdata.color.WBCT_Coeffs[iCCT][1] = rafdata[iCCT*3+1+fj];