From e67a9862d10ebaa97712f532eca1eb5e2e410a22 Mon Sep 17 00:00:00 2001
From: Alex Tutubalin
Date: Thu, 22 Nov 2018 16:24:54 +0300
Subject: [PATCH] Fixed Secunia Advisory SA86384

 - possible infinite loop in unpacked_load_raw()
 - possible infinite loop in parse_rollei()
 - possible infinite loop in parse_sinar_ia()
Credits: Laurent Delosieres, Secunia Research at Flexera

---
 dcraw/dcraw.c             | 4 +++-
 internal/dcraw_common.cpp | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c
index c71874c..a78e67a 100644
--- a/dcraw/dcraw.c
+++ b/dcraw/dcraw.c
@@ -6592,7 +6592,7 @@ void CLASS parse_rollei()
   fseek (ifp, 0, SEEK_SET);
   memset (&t, 0, sizeof t);
   do {
-    fgets (line, 128, ifp);
+    if(!fgets(line, 128, ifp)) break;
     if ((val = strchr(line,'='))) *val++ = 0;
     else
@@ -6630,6 +6630,7 @@ void CLASS parse_sinar_ia()
   order = 0x4949;
   fseek (ifp, 4, SEEK_SET);
   entries = get4();
+  if(entries < 1 || entries > 8192) return;
   fseek (ifp, get4(), SEEK_SET);
   while (entries--) {
     off = get4(); get4();
@@ -9621,6 +9622,7 @@ dng_skip:
   }
   if (!tiff_bps) tiff_bps = 12;
   if (!maximum) maximum = (1 << tiff_bps) - 1;
+  if(maximum > 0xffff) maximum = 0xffff;
   if (!load_raw || height < 22 || width < 22 ||
 	tiff_bps > 16 || tiff_samples > 6 || colors > 4)
     is_raw = 0;
diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
index 29cc72f..a8a8e0f 100644
--- a/internal/dcraw_common.cpp
+++ b/internal/dcraw_common.cpp
@@ -14851,7 +14851,7 @@ void CLASS parse_rollei()
   memset(&t, 0, sizeof t);
   do
   {
-    fgets(line, 128, ifp);
+    if(!fgets(line, 128, ifp)) break;
     if ((val = strchr(line, '=')))
       *val++ = 0;
     else
@@ -14889,6 +14889,7 @@ void CLASS parse_sinar_ia()
   order = 0x4949;
   fseek(ifp, 4, SEEK_SET);
   entries = get4();
+  if(entries < 1 || entries > 8192) return;
   fseek(ifp, get4(), SEEK_SET);
   while (entries--)
   {
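Review bot: The added `break` in the dcraw.c parse_rollei hunk carries no comment saying why an fgets() failure must leave the loop, and the reason is invisible from the hunk: on EOF or a read error fgets() leaves `line` untouched, so whatever the do/while condition tests (it lies outside the hunk, as does the rest of parse_rollei) sees the same stale text on every pass. I would put `/* EOF or read error: line keeps its stale content, so the loop condition could never change - bail out */` above the check. While here, `128` repeats the buffer size by hand; `sizeof line` ties the bound to the declaration, assuming `line` is a local array, which its declaration outside the hunk would confirm. The `if(` spelling also differs from the `if (` used on the surrounding context lines.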
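Review bot: `8192` on the added line of the dcraw.c parse_sinar_ia hunk is a bare magic number; a reader cannot tell whether it is a limit of the Sinar IA format or just an arbitrary cap against a hostile count. Name it and say which: `#define SINAR_IA_MAX_ENTRIES 8192 /* sanity cap: the count is read straight from the file */` and `if (entries < 1 || entries > SINAR_IA_MAX_ENTRIES) return;`. The rejection is silent — the parser returns as if no IA directory existed — which is presumably the intent for an identification pass, but a one-line comment saying so would stop someone from turning it into an error later. The `< 1` half only does work if `entries` is a signed type (its declaration is outside the hunk); if it is unsigned, the `> 8192` test alone already covers wrapped values. parse_sinar_ia continues past the hunk.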
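Review bot: The clamp on the new line of the dcraw.c `dng_skip:` hunk runs after `maximum = (1 << tiff_bps) - 1` on the preceding context line, and that shift is evaluated before the `tiff_bps > 16` rejection two lines below, so a file-supplied `tiff_bps` of 31 or more has already invoked undefined behaviour (shift into the sign bit, or by at least the width of int) before the file is discarded; the clamp cannot undo that. Guard the shift instead of relying on the later check: `if (!maximum) maximum = tiff_bps < 31 ? (1 << tiff_bps) - 1 : 0xffff;` — for tiff_bps in 17..30 the result is unchanged and then clamped as now, and anything larger is rejected by the `tiff_bps > 16` test anyway. Whether tiff_bps is range-checked earlier is not visible from the hunk, and the enclosing function starts and ends outside it. The clamp itself also deserves a comment naming its consumer; the commit subject points at unpacked_load_raw(), so something like `/* downstream loops and curve[] indexing assume a 16-bit maximum (SA86384) */` would save the next reader that archaeology, once confirmed against that function.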
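Review bot: In the dcraw_common.cpp parse_rollei hunk the new `if(!fgets(line, 128, ifp)) break;` is spelled `if(` while the file's own context line `if ((val = strchr(line, '=')))` uses `if (`, and the condition is missing the why-comment that makes the break understandable: a NULL from fgets() leaves `line` unchanged, so the do/while test (outside the hunk, as is the rest of parse_rollei) could never see new input. Suggested: `if (!fgets(line, sizeof line, ifp)) /* EOF or error: line is stale, loop would spin */ break;`, with `sizeof line` on the assumption that `line` is a local array, to be confirmed from its declaration outside the hunk.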
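Review bot: The same unexplained `8192` cap on the added line of the dcraw_common.cpp parse_sinar_ia hunk now lives in two files (here and in dcraw/dcraw.c) with no comment in either, so the next bump or audit has to find both copies by grep. A single named constant, `#define SINAR_IA_MAX_ENTRIES 8192 /* cap for a file-supplied count; not a format limit */`, used on the added line — in a header both files include, if the build has one — keeps them from drifting. The `fseek(ifp, get4(), SEEK_SET)` on the next line still takes an unchecked offset; with the count capped a bogus offset now costs at most 8192 iterations of short reads, which appears to be the intent, and a comment saying so would prevent a later, unnecessary rework. parse_sinar_ia continues beyond the hunk.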
@@ -19732,6 +19733,7 @@ dng_skip:
     if (maximum < 0x10000 && curve[maximum] > 0 && load_raw == &CLASS sony_arw2_load_raw)
       maximum = curve[maximum];
   }
+  if(maximum > 0xffff) maximum = 0xffff;
   if (!load_raw || height < 22 || width < 22 ||
 #ifdef LIBRAW_LIBRARY_BUILD
       (tiff_bps > 16 && load_raw != &LibRaw::deflate_dng_load_raw)
-- 
1.8.3.1
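Review bot: The added clamp is bare; nothing on the new line says what downstream needs `maximum` to fit in 16 bits, and the guard on the first context line (`maximum < 0x10000 && curve[maximum]`) is the only visible hint that `curve[]` is indexed by it up to 0x10000 entries. I would write `/* keep maximum a valid curve[] index and a bounded limit for the bit-depth search in unpacked_load_raw() (SA86384) */` above it — the unpacked_load_raw() part comes from the commit subject rather than from this hunk, so confirm it against that function before committing to the wording. Placing the clamp after the sony_arw2 block is sound, since that block is already fenced by `maximum < 0x10000`. The enclosing function (the one holding the `dng_skip:` label) starts and ends outside the hunk.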