!13 update to 0.20.2 and fix stack buffer overflow in parse_rollei

From: @zhanghua1831 Reviewed-by: @maminjie,@small_leek Signed-off-by: @small_leek
2020-12-03 11:38:12 +08:00 · 2020-12-03 11:38:12 +08:00 · fcb394cd51
commit fcb394cd51
parent 0f255f096b 37abcd1062
10 changed files with 31 additions and 224 deletions
--- a/0.20.2.tar.gz
+++ b/0.20.2.tar.gz
--- a/CVE-2018-20337.patch
+++ b/CVE-2018-20337.patch
@ -1,21 +0,0 @@
 From fbf60377c006eaea8d3eca3f5e4c654909dcdfd2 Mon Sep 17 00:00:00 2001
 From: Alex Tutubalin <lexa@lexa.ru>
 Date: Wed, 19 Dec 2018 11:15:08 +0300
 Subject: [PATCH] possible buffer overrun in Fuji makernotes parser
 ---
 internal/dcraw_common.cpp | 2 +-
 diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
 index 936aebf9..a0cd7226 100644
 --- a/internal/dcraw_common.cpp
 +++ b/internal/dcraw_common.cpp
@@ -10345,7 +10345,7 @@ void CLASS parse_makernote(int base, int uptag)
             else
               year += 1900;
 -            ynum_len = (int)strnlen(words[i], sizeof(imgdata.shootinginfo.InternalBodySerial) - 1) - 18;
 +            ynum_len = MIN((sizeof(ynum)-1), (int)strnlen(words[i], sizeof(imgdata.shootinginfo.InternalBodySerial) - 1) - 18);
             strncpy(ynum, words[i], ynum_len);
             ynum[ynum_len] = 0;
             for (int j = 0; ynum[j] && ynum[j + 1] && sscanf(ynum + j, "%2x", &c); j += 2)
--- a/CVE-2018-20363.patch
+++ b/CVE-2018-20363.patch
@ -1,31 +0,0 @@
 From 7e29b9f29449fde30cc878fbb137d61c14bba3a4 Mon Sep 17 00:00:00 2001
 From: Alex Tutubalin <lexa@lexa.ru>
 Date: Wed, 19 Dec 2018 14:17:51 +0300
 Subject: [PATCH] Possible write to NULL at raw2image
 ---
 src/libraw_cxx.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp
 index 1a8a2f25..074d81a4 100644
 --- a/src/libraw_cxx.cpp
 +++ b/src/libraw_cxx.cpp
@@ -3346,7 +3346,7 @@ int LibRaw::raw2image(void)
   {
     raw2image_start();
 -    if (is_phaseone_compressed())
 +    if (is_phaseone_compressed() && imgdata.rawdata.raw_image)
     {
       phase_one_allocate_tempbuffer();
       int rc = phase_one_subtract_black((ushort *)imgdata.rawdata.raw_alloc, imgdata.rawdata.raw_image);
@@ -3374,7 +3374,7 @@ int LibRaw::raw2image(void)
     get_decoder_info(&decoder_info);
     // Move saved bitmap to imgdata.image
 -    if (imgdata.idata.filters || P1.colors == 1)
 +    if ((imgdata.idata.filters || P1.colors == 1) && imgdata.rawdata.raw_image)
     {
       if (IO.fuji_width)
       {
--- a/CVE-2018-20364.patch
+++ b/CVE-2018-20364.patch
@ -1,41 +0,0 @@
 From 7903346bfd5f8c24e5bfd4df48f0e5cd1e7b65cb Mon Sep 17 00:00:00 2001
 From: Alex Tutubalin <lexa@lexa.ru>
 Date: Fri, 21 Dec 2018 09:37:05 +0300
 Subject: [PATCH] check for raw_image presence in raw2image_ex
 ---
 src/libraw_cxx.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
 diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp
 index 074d81a4..43aed1cc 100644
 --- a/src/libraw_cxx.cpp
 +++ b/src/libraw_cxx.cpp
@@ -3374,7 +3374,8 @@ int LibRaw::raw2image(void)
     get_decoder_info(&decoder_info);
     // Move saved bitmap to imgdata.image
 -    if ((imgdata.idata.filters || P1.colors == 1) && imgdata.rawdata.raw_image)
 +    if ((imgdata.idata.filters || P1.colors == 1) 
 +       && imgdata.rawdata.raw_image)
     {
       if (IO.fuji_width)
       {
@@ -3638,7 +3639,7 @@ int LibRaw::raw2image_ex(int do_subtract_black)
     raw2image_start();
     // Compressed P1 files with bl data!
 -    if (is_phaseone_compressed())
 +    if (is_phaseone_compressed() && imgdata.rawdata.raw_image)
     {
       phase_one_allocate_tempbuffer();
       int rc = phase_one_subtract_black((ushort *)imgdata.rawdata.raw_alloc, imgdata.rawdata.raw_image);
@@ -3745,7 +3746,7 @@ int LibRaw::raw2image_ex(int do_subtract_black)
     }
     // Move saved bitmap to imgdata.image
 -    if (imgdata.idata.filters || P1.colors == 1)
 +    if ((imgdata.idata.filters || P1.colors == 1) && imgdata.rawdata.raw_image)
     {
       if (IO.fuji_width)
       {
--- a/CVE-2018-20365.patch
+++ b/CVE-2018-20365.patch
@ -1,33 +0,0 @@
 From 561ec9a7fb5ec694104a22b7b6cd820bfa449784 Mon Sep 17 00:00:00 2001
 From: Alex Tutubalin <lexa@lexa.ru>
 Date: Thu, 10 Jan 2019 09:22:39 +0300
 Subject: [PATCH] Sinar 4shot: zero filters for multi-shot images
 ---
 internal/dcraw_common.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
 diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
 index 29cc72f..1ca70cf 100644
 --- a/internal/dcraw_common.cpp
 +++ b/internal/dcraw_common.cpp
@@ -18969,10 +18969,15 @@ void CLASS identify()
   {
     if (!load_raw)
       load_raw = &CLASS unpacked_load_raw;
 -    if (is_raw > 1 && !shot_select && !half_size)
 +    if (is_raw > 1 && !shot_select)
       filters = 0;
     maximum = 0x3fff;
   }
 +  else if(load_raw == &LibRaw::sinar_4shot_load_raw)
 +  {
 +    if (is_raw > 1 && !shot_select)
 +      filters = 0;
 +  }
   else if (!strncmp(make, "Leaf", 4))
   {
     maximum = 0x3fff;
 -- 
 2.23.0
--- a/LibRaw-0.17.1-CVE-2015-8366-8367.patch
+++ b/LibRaw-0.17.1-CVE-2015-8366-8367.patch
@ -1,14 +0,0 @@
 diff -r -U3 LibRaw-0.17.1.orig/dcraw/dcraw.c LibRaw-0.17.1/dcraw/dcraw.c
 --- LibRaw-0.17.1.orig/dcraw/dcraw.c	2015-05-24 21:30:26.000000000 -0500
 +++ LibRaw-0.17.1/dcraw/dcraw.c	2015-12-01 07:47:00.086513959 -0600
@@ -2901,6 +2901,10 @@
       diff = diff ? -diff : 0x80;
     if (ftell(ifp) + 12 >= seg[1][1])
       diff = 0;
 +#ifdef LIBRAW_LIBRARY_BUILD
 +    if(pix>=raw_width*raw_height)
 +      throw LIBRAW_EXCEPTION_IO_CORRUPT;
 +#endif
     raw_image[pix] = pred[pix & 1] += diff;
     if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
   }
--- a/LibRaw-0.19.0.tar.gz
+++ b/LibRaw-0.19.0.tar.gz
--- a/LibRaw-0.19.2-CVE-2018-5817,5818,5819.patch
+++ b/LibRaw-0.19.2-CVE-2018-5817,5818,5819.patch
@ -1,74 +0,0 @@
 From e67a9862d10ebaa97712f532eca1eb5e2e410a22 Mon Sep 17 00:00:00 2001
 From: Alex Tutubalin <lexa@lexa.ru>
 Date: Thu, 22 Nov 2018 16:24:54 +0300
 Subject: [PATCH]  Fixed Secunia Advisory SA86384    - possible infinite loop
 in unpacked_load_raw()    - possible infinite loop in parse_rollei()    -
 possible infinite loop in parse_sinar_ia()
 Credits: Laurent Delosieres, Secunia Research at Flexera
 ---
 dcraw/dcraw.c             | 4 +++-
 internal/dcraw_common.cpp | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
 diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c
 index c71874c..a78e67a 100644
 --- a/dcraw/dcraw.c
 +++ b/dcraw/dcraw.c
@@ -6592,7 +6592,7 @@ void CLASS parse_rollei()
   fseek (ifp, 0, SEEK_SET);
   memset (&t, 0, sizeof t);
   do {
 -    fgets (line, 128, ifp);
 +    if(!fgets(line, 128, ifp)) break;
     if ((val = strchr(line,'=')))
       *val++ = 0;
     else
@@ -6630,6 +6630,7 @@ void CLASS parse_sinar_ia()
   order = 0x4949;
   fseek (ifp, 4, SEEK_SET);
   entries = get4();
 +  if(entries < 1 || entries > 8192) return;
   fseek (ifp, get4(), SEEK_SET);
   while (entries--) {
     off = get4(); get4();
@@ -9621,6 +9622,7 @@ dng_skip:
   }
   if (!tiff_bps) tiff_bps = 12;
   if (!maximum) maximum = (1 << tiff_bps) - 1;
 +  if(maximum > 0xffff) maximum = 0xffff;
   if (!load_raw || height < 22 || width < 22 ||
 	tiff_bps > 16 || tiff_samples > 6 || colors > 4)
     is_raw = 0;
 diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
 index 29cc72f..a8a8e0f 100644
 --- a/internal/dcraw_common.cpp
 +++ b/internal/dcraw_common.cpp
@@ -14851,7 +14851,7 @@ void CLASS parse_rollei()
   memset(&t, 0, sizeof t);
   do
   {
 -    fgets(line, 128, ifp);
 +    if(!fgets(line, 128, ifp)) break;
     if ((val = strchr(line, '=')))
       *val++ = 0;
     else
@@ -14889,6 +14889,7 @@ void CLASS parse_sinar_ia()
   order = 0x4949;
   fseek(ifp, 4, SEEK_SET);
   entries = get4();
 +  if(entries < 1 || entries > 8192) return;
   fseek(ifp, get4(), SEEK_SET);
   while (entries--)
   {
@@ -19732,6 +19733,7 @@ dng_skip:
     if (maximum < 0x10000 && curve[maximum] > 0 && load_raw == &CLASS sony_arw2_load_raw)
       maximum = curve[maximum];
   }
 +  if(maximum > 0xffff) maximum = 0xffff;
   if (!load_raw || height < 22 || width < 22 ||
 #ifdef LIBRAW_LIBRARY_BUILD
       (tiff_bps > 16 && load_raw != &LibRaw::deflate_dng_load_raw)
 -- 
 1.8.3.1
--- a/LibRaw.spec
+++ b/LibRaw.spec
@ -1,17 +1,13 @@
 Name:          LibRaw
-Version:       0.19.0
+Version:       0.20.2
-Release:       10
+Release:       1
 Summary:       Library for reading RAW files obtained from digital photo cameras
 License:       BSD and (CDDL or LGPLv2)
 URL:           http://www.libraw.org
-Source0:       http://www.libraw.org/data/%{name}-%{version}.tar.gz
+Source0:       http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz
-Patch0002:     LibRaw-0.17.1-CVE-2015-8366-8367.patch
+Patch0000:     prevent-buffer-overrun-in-parse_rollei.patch
 Patch6000:     LibRaw-0.19.2-CVE-2018-5817,5818,5819.patch
 Patch6001:     CVE-2018-20337.patch 
 Patch6002:     CVE-2018-20363.patch
 Patch6003:     CVE-2018-20364.patch
 Patch6004:     CVE-2018-20365.patch
 BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg)
 BuildRequires: autoconf automake libtool
 Provides:      bundled(dcraw) = 9.25
 %description
 LibRaw is a library for reading RAW files from digital photo cameras (CRW/CR2, NEF,
@ -34,6 +30,7 @@ The LibRaw-devel package contains development and header files.
 %autosetup -n %{name}-%{version} -p1
 %build
 autoreconf -if
 %configure --enable-examples=yes --disable-jasper --enable-jpeg \
           --enable-lcms --enable-openmp
@ -57,7 +54,7 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o
 %files
 %doc Changelog.txt
 %license LICENSE.CDDL LICENSE.LGPL COPYRIGHT
-%{_libdir}/{libraw,libraw_r}.so.19*
+%{_libdir}/{libraw,libraw_r}.so.20*
 %files devel
 %doc manual samples
@ -69,6 +66,9 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o
 %exclude %{_docdir}/libraw/*
 %changelog
 * Tue Dec 1 2020 zhanghua <zhanghua40@huawei.com> - 0.20.2-1
 - update to 0.20.2 and fix stack buffer overflow in parse_rollei
 * Wed Sep 16 2020 zhanghua <zhanghua40@huawei.com> - 0.19.0-10
 - Fix CVE-2018-20363, CVE-2018-20364, CVE-2018-20365
--- a/prevent-buffer-overrun-in-parse_rollei.patch
+++ b/prevent-buffer-overrun-in-parse_rollei.patch
@ -0,0 +1,21 @@
 From 539d07dcaa64aed706c5bb4ada7213e3e1cd07d6 Mon Sep 17 00:00:00 2001
 From: Alex Tutubalin <lexa@lexa.ru>
 Date: Mon, 30 Nov 2020 13:13:19 +0300
 Subject: [PATCH] prevent buffer overrun in parse_rollei
 ---
 src/metadata/misc_parsers.cpp | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/metadata/misc_parsers.cpp b/src/metadata/misc_parsers.cpp
 index 7a74c9f1..4e36e940 100644
 --- a/src/metadata/misc_parsers.cpp
 +++ b/src/metadata/misc_parsers.cpp
@@ -304,6 +304,7 @@ void LibRaw::parse_rollei()
     line[0] = 0;
     if (!fgets(line, 128, ifp))
       break;
 +    line[127] = 0;
     if(!line[0]) break; // zero-length
     if ((val = strchr(line, '=')))
       *val++ = 0;