fix stack buffer overflow in LibRaw_buffer_datastream::gets()

2020-12-04 15:21:57 +08:00 · 2020-12-04 15:21:57 +08:00 · f23223aaa8
commit f23223aaa8
parent fcb394cd51
2 changed files with 55 additions and 1 deletions
--- a/LibRaw.spec
+++ b/LibRaw.spec
@ -1,11 +1,12 @@
 Name:          LibRaw
 Version:       0.20.2
-Release:       1
+Release:       2
 Summary:       Library for reading RAW files obtained from digital photo cameras
 License:       BSD and (CDDL or LGPLv2)
 URL:           http://www.libraw.org
 Source0:       http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz
 Patch0000:     prevent-buffer-overrun-in-parse_rollei.patch
 Patch0001:     fix-stack-buffer-overflow-in-LibRaw_buffer_datastream::gets.patch
 BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg)
 BuildRequires: autoconf automake libtool
 Provides:      bundled(dcraw) = 9.25
@ -66,6 +67,9 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o
 %exclude %{_docdir}/libraw/*
 %changelog
 * Fri Dec 4 2020 zhanghua <zhanghua40@huawei.com> - 0.20.2-2
 - fix stack buffer overflow in LibRaw_buffer_datastream::gets()
 * Tue Dec 1 2020 zhanghua <zhanghua40@huawei.com> - 0.20.2-1
 - update to 0.20.2 and fix stack buffer overflow in parse_rollei
--- a/fix-stack-buffer-overflow-in-LibRaw_buffer_datastream::gets.patch
+++ b/fix-stack-buffer-overflow-in-LibRaw_buffer_datastream::gets.patch
@ -0,0 +1,50 @@
 From e70ded8b0bc231f7ed3fd5d2e83d61bd18ef5e94 Mon Sep 17 00:00:00 2001
 From: Alex Tutubalin <lexa@lexa.ru>
 Date: Thu, 3 Dec 2020 12:28:52 +0300
 Subject: [PATCH] LibRaw_buffer_datastream: gets() not always returns
 0-terminated string
 Reverted back parse_rollei change
 ---
 src/libraw_datastream.cpp     | 7 +++++--
 src/metadata/misc_parsers.cpp | 1 -
 2 files changed, 5 insertions(+), 3 deletions(-)
 diff --git a/src/libraw_datastream.cpp b/src/libraw_datastream.cpp
 index 606e5de7..eaf071ee 100644
 --- a/src/libraw_datastream.cpp
 +++ b/src/libraw_datastream.cpp
@@ -422,7 +422,7 @@ char *LibRaw_buffer_datastream::gets(char *s, int sz)
   psrc = buf + streampos;
   pdest = str;
   if(streampos >= streamsize) return NULL;
 -  while ((size_t(psrc - buf) < streamsize) && ((pdest - str) < sz))
 +  while ((size_t(psrc - buf) < streamsize) && ((pdest - str) < (sz-1)))
   {
     *pdest = *psrc;
     if (*psrc == '\n')
@@ -432,8 +432,11 @@ char *LibRaw_buffer_datastream::gets(char *s, int sz)
   }
   if (size_t(psrc - buf) < streamsize)
     psrc++;
 -  if ((pdest - str) < sz)
 +  if ((pdest - str) < sz-1)
     *(++pdest) = 0;
 +  else
 +    s[sz - 1] = 0; // ensure trailing zero
 +
   streampos = psrc - buf;
   return s;
 }
 diff --git a/src/metadata/misc_parsers.cpp b/src/metadata/misc_parsers.cpp
 index 4e36e940..7a74c9f1 100644
 --- a/src/metadata/misc_parsers.cpp
 +++ b/src/metadata/misc_parsers.cpp
@@ -304,7 +304,6 @@ void LibRaw::parse_rollei()
     line[0] = 0;
     if (!fgets(line, 128, ifp))
       break;
 -    line[127] = 0;
     if(!line[0]) break; // zero-length
     if ((val = strchr(line, '=')))
       *val++ = 0;