Commit 502e9bf8 authored by Natanael Copa's avatar Natanael Copa

community/libraw: backport fix for CVE-2020-15503

fixes #11771
parent b6012b2b
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libraw
pkgver=0.19.5
pkgrel=0
pkgrel=1
pkgdesc="Library for reading RAW files obtained from digital photo cameras"
url="https://www.libraw.org"
arch="all"
license="CDDL-1.0 OR LGPL-2.1-only"
subpackages="$pkgname-dev $pkgname-tools"
source="https://www.libraw.org/data/LibRaw-$pkgver.tar.gz"
source="https://www.libraw.org/data/LibRaw-$pkgver.tar.gz
CVE-2020-15503.patch
"
builddir="$srcdir"/LibRaw-$pkgver
# secfixes:
# 0.19.5-r1:
# - CVE-2020-15503
# 0.19.2-r0:
# - CVE-2018-20363
# - CVE-2018-20364
......@@ -47,4 +51,5 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr
}
sha512sums="4560045f75e6d2ab0d1d8686075f3a0e26a5d7ce693b48508110a2c31d19055d58983c24852da0abb64fa90db5e20f24b87aa7537ed04d958c38c8b265a7e826 LibRaw-0.19.5.tar.gz"
sha512sums="4560045f75e6d2ab0d1d8686075f3a0e26a5d7ce693b48508110a2c31d19055d58983c24852da0abb64fa90db5e20f24b87aa7537ed04d958c38c8b265a7e826 LibRaw-0.19.5.tar.gz
5a2ac4434df206887b3971f945c2a33a38f1ce8d3224055c957be66f2d8c4f87fef93a57b248ce04b651c808cdedaab7913a26174424491c9ab9842fd563a770 CVE-2020-15503.patch"
From 1b8b5890879c9b2b155f6fc769d8814b67c657d0 Mon Sep 17 00:00:00 2001
From: Alex Tutubalin <lexa@lexa.ru>
Date: Mon, 22 Jun 2020 19:26:22 +0300
Subject: [PATCH] Thumbnail size range check
---
libraw/libraw_const.h | 5 +++++
src/libraw_cxx.cpp | 50 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 55 insertions(+)
diff --git a/libraw/libraw_const.h b/libraw/libraw_const.h
index 66fae4d4..11c40435 100644
--- a/libraw/libraw_const.h
+++ b/libraw/libraw_const.h
@@ -24,6 +24,11 @@ it under the terms of the one of two licenses as you choose:
#define LIBRAW_MAX_ALLOC_MB 2048L
#endif
+/* limit thumbnail size, default is 512Mb*/
+#ifndef LIBRAW_MAX_THUMBNAIL_MB
+#define LIBRAW_MAX_THUMBNAIL_MB 512L
+#endif
+
/* Change to non-zero to allow (broken) CRW (and other) files metadata
loop prevention */
#ifndef LIBRAW_METADATA_LOOP_PREVENTION
diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp
index 51d0ebbc..64332656 100644
--- a/src/libraw_cxx.cpp
+++ b/src/libraw_cxx.cpp
@@ -3712,6 +3712,20 @@ libraw_processed_image_t *LibRaw::dcraw_make_mem_thumb(int *errcode)
return NULL;
}
+ if (T.tlength < 64u)
+ {
+ if (errcode)
+ *errcode = EINVAL;
+ return NULL;
+ }
+
+ if (INT64(T.tlength) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB)
+ {
+ if (errcode)
+ *errcode = LIBRAW_TOO_BIG;
+ return NULL;
+ }
+
if (T.tformat == LIBRAW_THUMBNAIL_BITMAP)
{
libraw_processed_image_t *ret = (libraw_processed_image_t *)::malloc(sizeof(libraw_processed_image_t) + T.tlength);
@@ -3976,6 +3990,12 @@ void LibRaw::kodak_thumb_loader()
if (ID.toffset + est_datasize > ID.input->size() + THUMB_READ_BEYOND)
throw LIBRAW_EXCEPTION_IO_EOF;
+ if(INT64(T.theight) * INT64(T.twidth) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
+ if (INT64(T.theight) * INT64(T.twidth) < 64ULL)
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+
// some kodak cameras
ushort s_height = S.height, s_width = S.width, s_iwidth = S.iwidth, s_iheight = S.iheight;
ushort s_flags = libraw_internal_data.unpacker_data.load_flags;
@@ -4237,6 +4257,25 @@ int LibRaw::unpack_thumb(void)
CHECK_ORDER_LOW(LIBRAW_PROGRESS_IDENTIFY);
CHECK_ORDER_BIT(LIBRAW_PROGRESS_THUMB_LOAD);
+#define THUMB_SIZE_CHECKT(A) \
+ do { \
+ if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+ if (INT64(A) > 0 && INT64(A) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+ } while (0)
+
+#define THUMB_SIZE_CHECKTNZ(A) \
+ do { \
+ if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+ if (INT64(A) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+ } while (0)
+
+
+#define THUMB_SIZE_CHECKWH(W,H) \
+ do { \
+ if (INT64(W)*INT64(H) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+ if (INT64(W)*INT64(H) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+ } while (0)
+
try
{
if (!libraw_internal_data.internal_data.input)
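Review bot: The three THUMB_SIZE_CHECK* macros are defined in the middle of unpack_thumb() with no `#undef` visible, so they stay defined for the rest of the translation unit and hide a `throw` behind what reads like an ordinary statement. They also depend on a signed-to-unsigned conversion: assuming INT64 is a signed 64-bit type, `INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB` turns a negative A into a very large unsigned value, and that is the only reason negative sizes are rejected. I would record this above the macros, e.g. `/* negative sizes fail the upper-bound test through unsigned conversion; CHECKT also accepts 0, CHECKTNZ and CHECKWH do not */`, and add matching `#undef` lines after the function. The body of unpack_thumb() continues outside this hunk.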
@@ -4267,6 +4306,7 @@ int LibRaw::unpack_thumb(void)
if (INT64(ID.toffset) + tsize > ID.input->size() + THUMB_READ_BEYOND)
throw LIBRAW_EXCEPTION_IO_EOF;
+ THUMB_SIZE_CHECKT(tsize);
}
else
{
@@ -4280,6 +4320,8 @@ int LibRaw::unpack_thumb(void)
ID.input->seek(ID.toffset, SEEK_SET);
if (write_thumb == &LibRaw::jpeg_thumb)
{
+ THUMB_SIZE_CHECKTNZ(T.tlength);
+
if (T.thumb)
free(T.thumb);
T.thumb = (char *)malloc(T.tlength);
@@ -4326,6 +4368,7 @@ int LibRaw::unpack_thumb(void)
{
if (t_bytesps > 1)
throw LIBRAW_EXCEPTION_IO_CORRUPT; // 8-bit thumb, but parsed for more bits
+ THUMB_SIZE_CHECKWH(T.twidth, T.theight);
int t_length = T.twidth * T.theight * t_colors;
if (T.tlength && T.tlength < t_length) // try to find tiff ifd with needed offset
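Review bot: `THUMB_SIZE_CHECKWH(T.twidth, T.theight)` bounds only width × height, while the next line computes `t_length = T.twidth * T.theight * t_colors` into an `int`. The range of t_colors is not visible in this hunk, but with the product allowed up to 512 Mi a factor of 4 or more no longer fits in 32 bits. The last hunk (`@@ -4404`) has the same gap in a stronger form: `o_length` and `i_length` are multiplied into `int` before `THUMB_SIZE_CHECKTNZ` sees them and no width/height check precedes them, so the macro may be testing a value that has already wrapped. Checking the 64-bit product before the `int` assignment closes both, e.g. `THUMB_SIZE_CHECKTNZ(INT64(T.twidth) * INT64(T.theight) * INT64(t_colors));` here and the same with `* 2` in the 16-bit branch. The enclosing branch starts and ends outside the hunk.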
@@ -4351,6 +4394,7 @@ int LibRaw::unpack_thumb(void)
T.tcolors = 1;
}
T.tlength = total_size;
+ THUMB_SIZE_CHECKTNZ(T.tlength);
if (T.thumb)
free(T.thumb);
T.thumb = (char *)malloc(T.tlength);
@@ -4384,6 +4428,8 @@ int LibRaw::unpack_thumb(void)
if (T.thumb)
free(T.thumb);
+ THUMB_SIZE_CHECKTNZ(T.tlength);
+
T.thumb = (char *)malloc(T.tlength);
if (!T.tcolors)
T.tcolors = t_colors;
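Review bot: `THUMB_SIZE_CHECKTNZ(T.tlength)` sits after `free(T.thumb)` here, so when the check throws, T.thumb still holds the freed pointer. The other call sites in this patch (the jpeg_thumb branch and the `T.tlength = total_size` branch) run the check before the free. Whether the exception path reads or frees T.thumb again is not visible in this hunk, but the ordering leaves a dangling pointer that a later cleanup could free a second time. Move `THUMB_SIZE_CHECKTNZ(T.tlength);` above `if (T.thumb)`, or add `T.thumb = NULL;` directly after the free. The enclosing branch starts and ends outside the hunk.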
@@ -4404,6 +4450,10 @@ int LibRaw::unpack_thumb(void)
int i_length = T.twidth * T.theight * t_colors * 2;
if (!T.tlength)
T.tlength = o_length;
+ THUMB_SIZE_CHECKTNZ(o_length);
+ THUMB_SIZE_CHECKTNZ(i_length);
+ THUMB_SIZE_CHECKTNZ(T.tlength);
+
ushort *t_thumb = (ushort *)calloc(i_length, 1);
ID.input->read(t_thumb, 1, i_length);
if ((libraw_internal_data.unpacker_data.order == 0x4949) == (ntohs(0x1234) == 0x1234))
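Review bot: The result of `calloc(i_length, 1)` is passed to `ID.input->read(t_thumb, 1, i_length)` on the very next line without a NULL check. The new checks cap the request at LIBRAW_MAX_THUMBNAIL_MB, but an allocation of that size can still fail on a memory-constrained system, and the read would then write through a null pointer. Add `if (!t_thumb) throw LIBRAW_EXCEPTION_ALLOC;` between the two lines. The block continues past the end of the hunk, so the later use and release of t_thumb are not visible here.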
--
2.27.0