File libraw-CVE-2020-15503.patch of Package libraw.openSUSE_Leap_15.2_Update

Index: LibRaw-0.18.9/libraw/libraw_const.h
===================================================================
--- LibRaw-0.18.9.orig/libraw/libraw_const.h	2020-07-07 14:55:39.414381456 +0200
+++ LibRaw-0.18.9/libraw/libraw_const.h	2020-07-07 14:57:32.407049474 +0200
@@ -25,6 +25,11 @@ it under the terms of the one of two lic
 #define LIBRAW_MAX_ALLOC_MB 2048L
 #endif
 
+/* limit thumbnail size, default is 512Mb*/
+#ifndef LIBRAW_MAX_THUMBNAIL_MB
+#define LIBRAW_MAX_THUMBNAIL_MB 512L
+#endif
+
 enum LibRaw_whitebalance_code
 {
 /*
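Review bot: The comment on LIBRAW_MAX_THUMBNAIL_MB writes the unit as `512Mb`, which reads as megabits, and it does not say what an override has to look like. The use sites in libraw_cxx.cpp multiply the macro by `1024ULL * 1024ULL`, so a build that defines it as 0 or as a non-integer changes every thumbnail check at once. I would reword it to `/* Upper bound on thumbnail size in MiB (default 512); must be a positive integer constant. */`.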
Index: LibRaw-0.18.9/src/libraw_cxx.cpp
===================================================================
--- LibRaw-0.18.9.orig/src/libraw_cxx.cpp	2020-07-07 14:55:39.386381290 +0200
+++ LibRaw-0.18.9/src/libraw_cxx.cpp	2020-07-07 16:59:40.986748813 +0200
@@ -3281,6 +3281,20 @@ libraw_processed_image_t * LibRaw::dcraw
       return NULL;
     }
 
+  if (T.tlength < 64u)
+  {
+      if (errcode)
+          *errcode = EINVAL;
+      return NULL;
+  }
+
+  if (INT64(T.tlength) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB)
+  {
+      if (errcode)
+          *errcode = LIBRAW_DATA_ERROR;
+      return NULL;
+  }
+
   if (T.tformat == LIBRAW_THUMBNAIL_BITMAP)
     {
       libraw_processed_image_t * ret =
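Review bot: The two new rejections in dcraw_make_mem_thumb report through different error domains: the too-small case stores the errno value `EINVAL` in `*errcode`, while the too-large case stores the LibRaw code `LIBRAW_DATA_ERROR`. Both describe a thumbnail length that cannot be trusted, so a caller that checks `*errcode` against LibRaw codes will classify them differently. Unless the rest of the function (which starts and ends outside this hunk) already returns errno values on purpose, use `*errcode = LIBRAW_DATA_ERROR;` in both branches. A short comment saying why 64 bytes is the minimum would also help the next reader.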
@@ -3533,6 +3547,12 @@ void LibRaw::kodak_thumb_loader()
 	if (ID.toffset + est_datasize > ID.input->size() + THUMB_READ_BEYOND)
 		throw LIBRAW_EXCEPTION_IO_EOF;
 
+  if(INT64(T.theight) * INT64(T.twidth) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB)
+      throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
+  if (INT64(T.theight) * INT64(T.twidth) < 64ULL)
+      throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
 	// some kodak cameras
   ushort s_height = S.height, s_width = S.width,s_iwidth = S.iwidth,s_iheight=S.iheight;
   ushort s_flags = libraw_internal_data.unpacker_data.load_flags;
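Review bot: In kodak_thumb_loader the limit `1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB` is a byte count, but it is compared with `T.theight * T.twidth`, which is a pixel count. The buffer this guard protects is allocated outside the hunk, so the bytes per pixel are not visible here; if it is more than one, the memory actually permitted is a multiple of the configured cap. Either multiply by the element size before comparing, or state the unit with a comment such as `/* limit is applied to the pixel count here, not to bytes */`. The same pixel-versus-byte comparison appears in THUMB_SIZE_CHECKWH in the unpack_thumb hunk.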
@@ -3763,6 +3783,25 @@ int LibRaw::unpack_thumb(void)
 	CHECK_ORDER_LOW(LIBRAW_PROGRESS_IDENTIFY);
 	CHECK_ORDER_BIT(LIBRAW_PROGRESS_THUMB_LOAD);
 
+#define THUMB_SIZE_CHECKT(A) \
+  do { \
+    if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+    if (INT64(A) > 0 &&  INT64(A) < 64ULL)        throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+  } while (0)
+
+#define THUMB_SIZE_CHECKTNZ(A) \
+  do { \
+    if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+    if (INT64(A) < 64ULL)        throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+  } while (0)
+
+
+#define THUMB_SIZE_CHECKWH(W,H) \
+  do { \
+    if (INT64(W)*INT64(H) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+    if (INT64(W)*INT64(H) < 64ULL)        throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+  } while (0)
+
 	try {
 		if (!libraw_internal_data.internal_data.input)
 			return LIBRAW_INPUT_CLOSED;
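Review bot: The three THUMB_SIZE_CHECK* macros are defined in the middle of unpack_thumb and no `#undef` is visible, so they stay defined for the rest of the translation unit, and each one evaluates its argument more than once. They also rely on the implicit conversion of `INT64(A)` to unsigned when it is compared with the `ULL` limit: a negative size is rejected only because it converts to a very large value, which deserves a comment (`/* negative sizes convert to huge unsigned values and are rejected by the first test */`). THUMB_SIZE_CHECKT lets a size of 0 through while THUMB_SIZE_CHECKTNZ does not, and the 64-byte floor is unexplained; a one-line comment per macro would make the difference reviewable. unpack_thumb continues outside this hunk.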
@@ -3790,6 +3829,7 @@ int LibRaw::unpack_thumb(void)
 
 				if (INT64(ID.toffset) + tsize > ID.input->size() + THUMB_READ_BEYOND)
 					throw LIBRAW_EXCEPTION_IO_EOF;
+				THUMB_SIZE_CHECKT(tsize);
 			}
 			else
 			{
@@ -3803,6 +3843,7 @@ int LibRaw::unpack_thumb(void)
         ID.input->seek(ID.toffset, SEEK_SET);
         if ( write_thumb == &LibRaw::jpeg_thumb)
           {
+            THUMB_SIZE_CHECKTNZ(T.tlength);
             if(T.thumb) free(T.thumb);
             T.thumb = (char *) malloc (T.tlength);
             merror (T.thumb, "jpeg_thumb()");
@@ -3816,7 +3857,9 @@ int LibRaw::unpack_thumb(void)
           }
         else if (write_thumb == &LibRaw::ppm_thumb)
           {
+            THUMB_SIZE_CHECKWH(T.twidth, T.theight);
             T.tlength = T.twidth * T.theight*3;
+            THUMB_SIZE_CHECKTNZ(T.tlength);
             if(T.thumb) free(T.thumb);
 
             T.thumb = (char *) malloc (T.tlength);
@@ -3832,6 +3875,7 @@ int LibRaw::unpack_thumb(void)
         else if (write_thumb == &LibRaw::ppm16_thumb)
           {
             T.tlength = T.twidth * T.theight*3;
+            THUMB_SIZE_CHECKTNZ(T.tlength);
             ushort *t_thumb = (ushort*)calloc(T.tlength,2);
             ID.input->read(t_thumb,2,T.tlength);
             if ((libraw_internal_data.unpacker_data.order == 0x4949) == (ntohs(0x1234) == 0x1234))
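Review bot: The ppm16_thumb branch computes `T.tlength = T.twidth * T.theight*3;` before any bound is applied, unlike the ppm_thumb branch, which calls THUMB_SIZE_CHECKWH first. If the product does not fit the arithmetic type, the value that THUMB_SIZE_CHECKTNZ then sees has already wrapped and can fall inside the allowed range. Add `THUMB_SIZE_CHECKWH(T.twidth, T.theight);` ahead of the multiplication. The `calloc` result is also passed to `ID.input->read` with no null check visible in the hunk, and the request is two bytes per element, so the cap admits up to double the configured limit; `merror (t_thumb, "ppm16_thumb()");` after the calloc would match the jpeg_thumb branch. The branch continues outside the hunk.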