A patch is attached. Please check that I got everything.
Thanks,
Sven
PS: where can I find the signatures for the 0.8.9 tarball?
Description: Fix CVE-2013-1438 Author: Sven Eckelmann <[email protected]>
---
diff --git a/codecs/dcraw.h b/codecs/dcraw.h
index 476f3a2fac6264f6a07804c2680c249687168e7d..b115191c2f8f049e8ad933e0f83de52568413ec2 100644
--- a/codecs/dcraw.h
+++ b/codecs/dcraw.h
@@ -835,6 +835,9 @@ int CLASS ljpeg_diff (ushort *huff) { int len, diff; + if(!huff) + longjmp (failure, 2); + len = gethuff(huff); if (len == 16 && (!dng_version || dng_version >= 0x1010000)) return -32768;
@@ -889,6 +892,9 @@ void CLASS lossless_jpeg_load_raw() struct jhead jh; ushort *rp; + if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1) + longjmp (failure, 2); + if (!ljpeg_start (&jh, 0)) return; jwide = jh.wide * jh.clrs;
@@ -909,6 +915,8 @@ void CLASS lossless_jpeg_load_raw() } if (raw_width == 3984 && (col -= 2) < 0) col += (row--,raw_width); + if(row>raw_height) + longjmp (failure, 3); if ((unsigned) row < raw_height) RAW(row,col) = val; if (++col >= raw_width) col = (row++,0);
@@ -5463,6 +5471,7 @@ int CLASS parse_tiff_ifd (int base) data_offset = get4()+base; ifd++; break; } + if(len > 1000) len=1000; /* 1000 SubIFDs is enough */ while (len--) { i = ftell(ifp); fseek (ifp, get4()+base, SEEK_SET);
@@ -5681,7 +5690,7 @@ guess_cfa_pc: break; case 50715: /* BlackLevelDeltaH */ case 50716: /* BlackLevelDeltaV */ - for (num=i=0; i < len; i++) + for (num=i=0; i < len && i < 65536; i++) num += getreal(type); black += num/len + 0.5; break;
@@ -5806,9 +5815,12 @@ void CLASS apply_tiff() if (thumb_offset) { fseek (ifp, thumb_offset, SEEK_SET); if (ljpeg_start (&jh, 1)) { - thumb_misc = jh.bits; - thumb_width = jh.wide; - thumb_height = jh.high; + if((unsigned)jh.bits<17 && (unsigned)jh.wide < 0x10000 && (unsigned)jh.high < 0x10000) + { + thumb_misc = jh.bits; + thumb_width = jh.wide; + thumb_height = jh.high; + } } } for (i=0; i < tiff_nifds; i++) {
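Review bot: In the `lossless_jpeg_load_raw` hunk at -889 the added check reads `jh.wide`, `jh.high`, `jh.clrs` and `jh.bits` before `ljpeg_start (&jh, 0)` has filled the structure; `jh` is an automatic `struct jhead` declared two lines above without an initializer, so the test runs on indeterminate values and does not validate the header parsed from the file. Move the check below the call: keep `if (!ljpeg_start (&jh, 0)) return;` first and follow it with `if (jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits<1) longjmp (failure, 2);`. If `ljpeg_start` allocates state that this function releases at its end (not visible in the hunk), that release should run before the `longjmp`, both here and at the `row>raw_height` exit added in the -909 hunk.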
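Review bot: In the BlackLevelDeltaH/BlackLevelDeltaV case (hunk at -5681) the loop now stops after 65536 values, but the following context line still divides by `len`, so a tag with a larger file-supplied count produces an average scaled by that count rather than by the number of values read. A count of zero also still reaches `num/len`; whether that is a floating-point or an integer division depends on declarations outside the hunk. Dividing by the values actually consumed covers both cases: `if (i) black += num/i + 0.5;`.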
@@ -5816,7 +5828,8 @@ void CLASS apply_tiff() max_samp = tiff_ifd[i].samples; if (max_samp > 3) max_samp = 3; if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) && - (tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 && + unsigned(tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 && + (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 && tiff_ifd[i].width*tiff_ifd[i].height > raw_width*raw_height) { raw_width = tiff_ifd[i].width; raw_height = tiff_ifd[i].height;
@@ -5903,6 +5916,8 @@ void CLASS apply_tiff() is_raw = 0; for (i=0; i < tiff_nifds; i++) if (i != raw && tiff_ifd[i].samples == max_samp && + tiff_ifd[i].bps>0 && tiff_ifd[i].bps < 33 && + unsigned(tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 && tiff_ifd[i].width * tiff_ifd[i].height / (SQR(tiff_ifd[i].bps)+1) > thumb_width * thumb_height / (SQR(thumb_misc)+1) && tiff_ifd[i].comp != 34892) {
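Review bot: The dimension checks added in both `apply_tiff` hunks (-5816 and -5903) are written `unsigned(tiff_ifd[i].width | tiff_ifd[i].height)`, a function-style cast that compiles only as C++, while the neighbouring added lines use `(unsigned)x`. Writing `(unsigned)(tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 &&` keeps the header valid as C and matches the rest of the patch. The 0x10000 limit also does not by itself keep `tiff_ifd[i].width*tiff_ifd[i].height` in range: if those fields are `int`, as the casts suggest, two values near 65535 still overflow a signed product, so the multiplications would be safer on unsigned operands, e.g. `(unsigned)tiff_ifd[i].width*(unsigned)tiff_ifd[i].height > (unsigned)raw_width*raw_height`. Both loops continue outside the hunks.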
