

[pkgsrc/trunk]: pkgsrc/graphics/libraw libraw: apply patch for CVE-2020-15503



details:   https://anonhg.NetBSD.org/pkgsrc/rev/2a99156cfb5f
branches:  trunk
changeset: 458761:2a99156cfb5f
user:      nia <nia%pkgsrc.org@localhost>
date:      Sun Sep 19 18:46:50 2021 +0000

description:
libraw: apply patch for CVE-2020-15503

diffstat:

 graphics/libraw/Makefile                             |    3 +-
 graphics/libraw/distinfo                             |    5 +-
 graphics/libraw/patches/patch-libraw_libraw__const.h |   18 ++
 graphics/libraw/patches/patch-src_libraw__cxx.cpp    |  124 ++++++++++++++++++-
 4 files changed, 142 insertions(+), 8 deletions(-)

diffs (184 lines):

diff -r 917cd85b701a -r 2a99156cfb5f graphics/libraw/Makefile
--- a/graphics/libraw/Makefile  Sun Sep 19 18:32:44 2021 +0000
+++ b/graphics/libraw/Makefile  Sun Sep 19 18:46:50 2021 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.34 2020/05/20 06:09:06 rillig Exp $
+# $NetBSD: Makefile,v 1.35 2021/09/19 18:46:50 nia Exp $
 
 DISTNAME=      LibRaw-0.19.5
 PKGNAME=       ${DISTNAME:tl}
+PKGREVISION=   1
 CATEGORIES=    graphics
 MASTER_SITES=  https://www.libraw.org/data/
 
diff -r 917cd85b701a -r 2a99156cfb5f graphics/libraw/distinfo
--- a/graphics/libraw/distinfo  Sun Sep 19 18:32:44 2021 +0000
+++ b/graphics/libraw/distinfo  Sun Sep 19 18:46:50 2021 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.26 2019/08/31 14:20:05 nia Exp $
+$NetBSD: distinfo,v 1.27 2021/09/19 18:46:50 nia Exp $
 
 SHA1 (LibRaw-0.19.5.tar.gz) = c151995b6f17a0ccef7fbc1dcb982f0ccb04d934
 RMD160 (LibRaw-0.19.5.tar.gz) = 051642cfdf713e1d981a1790f4d872d89ff6f02a
@@ -6,4 +6,5 @@
 Size (LibRaw-0.19.5.tar.gz) = 1303806 bytes
 SHA1 (patch-internal_libraw__x3f.cpp) = ec5d479a45d7fc25c884cc7259ad513857fa2711
 SHA1 (patch-libraw__r.pc.in) = e691f79c69c5530c93262c270fe7e2f5b1c959d9
-SHA1 (patch-src_libraw__cxx.cpp) = cfbb3afbd0b44ce1bbc24e5af212ad5c53d251b7
+SHA1 (patch-libraw_libraw__const.h) = 91836dca7f9ba820417381bad53fe292b3e5f0ce
+SHA1 (patch-src_libraw__cxx.cpp) = fb2f16cb7a0798f499383bc06768ac0543049f66
diff -r 917cd85b701a -r 2a99156cfb5f graphics/libraw/patches/patch-libraw_libraw__const.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/libraw/patches/patch-libraw_libraw__const.h      Sun Sep 19 18:46:50 2021 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-libraw_libraw__const.h,v 1.1 2021/09/19 18:46:50 nia Exp $
+
+Thumbnail size range check (CVE-2020-15503)
+
+--- libraw/libraw_const.h.orig 2019-08-20 17:34:30.000000000 +0000
++++ libraw/libraw_const.h
+@@ -24,6 +24,11 @@ it under the terms of the one of two lic
+ #define LIBRAW_MAX_ALLOC_MB 2048L
+ #endif
+ 
++/* limit thumbnail size, default is 512Mb*/
++#ifndef LIBRAW_MAX_THUMBNAIL_MB
++#define LIBRAW_MAX_THUMBNAIL_MB 512L
++#endif
++
+ /* Change to non-zero to allow (broken) CRW (and other) files metadata 
+    loop prevention */
+ #ifndef LIBRAW_METADATA_LOOP_PREVENTION
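Review bot: The comment on the new limit reads `512Mb`, which conventionally means megabits, while the checks added in libraw_cxx.cpp multiply the value by 1024 × 1024 and compare it with byte lengths (and, in the width × height checks, with a pixel count). I would spell out the unit and the override, e.g. `/* upper bound for thumbnail data, in MiB (default 512); define LIBRAW_MAX_THUMBNAIL_MB at build time to change it */`, so packagers know what the `#ifndef` guard lets them tune.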
diff -r 917cd85b701a -r 2a99156cfb5f graphics/libraw/patches/patch-src_libraw__cxx.cpp
--- a/graphics/libraw/patches/patch-src_libraw__cxx.cpp Sun Sep 19 18:32:44 2021 +0000
+++ b/graphics/libraw/patches/patch-src_libraw__cxx.cpp Sun Sep 19 18:46:50 2021 +0000
@@ -1,10 +1,124 @@
-$NetBSD: patch-src_libraw__cxx.cpp,v 1.1 2015/10/05 04:37:39 richard Exp $
-  
-undefine DS if sys/regset.h is pulled in on SunOS                               
+$NetBSD: patch-src_libraw__cxx.cpp,v 1.2 2021/09/19 18:46:50 nia Exp $
+
+- Thumbnail size range check (CVE-2020-15503)
+- undefine DS if sys/regset.h is pulled in on SunOS                               
 
---- src/libraw_cxx.cpp.orig    2015-05-16 12:32:15.000000000 +0000
+--- src/libraw_cxx.cpp.orig    2019-08-20 17:34:30.000000000 +0000
 +++ src/libraw_cxx.cpp
-@@ -3623,6 +3623,9 @@ void LibRaw::parse_x3f()
+@@ -3712,6 +3712,20 @@ libraw_processed_image_t *LibRaw::dcraw_
+     return NULL;
+   }
+ 
++  if (T.tlength < 64u)
++  {
++      if (errcode)
++          *errcode = EINVAL;
++      return NULL;
++  }
++
++  if (INT64(T.tlength) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB)
++  {
++      if (errcode)
++          *errcode = LIBRAW_TOO_BIG;
++      return NULL;
++  }
++
+   if (T.tformat == LIBRAW_THUMBNAIL_BITMAP)
+   {
+     libraw_processed_image_t *ret = (libraw_processed_image_t *)::malloc(sizeof(libraw_processed_image_t) + T.tlength);
+@@ -3976,6 +3990,12 @@ void LibRaw::kodak_thumb_loader()
+   if (ID.toffset + est_datasize > ID.input->size() + THUMB_READ_BEYOND)
+     throw LIBRAW_EXCEPTION_IO_EOF;
+ 
++  if(INT64(T.theight) * INT64(T.twidth) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB)
++      throw LIBRAW_EXCEPTION_IO_CORRUPT;
++
++  if (INT64(T.theight) * INT64(T.twidth) < 64ULL)
++      throw LIBRAW_EXCEPTION_IO_CORRUPT;
++
+   // some kodak cameras
+   ushort s_height = S.height, s_width = S.width, s_iwidth = S.iwidth, s_iheight = S.iheight;
+   ushort s_flags = libraw_internal_data.unpacker_data.load_flags;
+@@ -4237,6 +4257,25 @@ int LibRaw::unpack_thumb(void)
+   CHECK_ORDER_LOW(LIBRAW_PROGRESS_IDENTIFY);
+   CHECK_ORDER_BIT(LIBRAW_PROGRESS_THUMB_LOAD);
+ 
++#define THUMB_SIZE_CHECKT(A) \
++  do { \
++    if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++    if (INT64(A) > 0 &&  INT64(A) < 64ULL)        throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++  } while (0)
++
++#define THUMB_SIZE_CHECKTNZ(A) \
++  do { \
++    if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++    if (INT64(A) < 64ULL)        throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++  } while (0)
++
++
++#define THUMB_SIZE_CHECKWH(W,H) \
++  do { \
++    if (INT64(W)*INT64(H) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++    if (INT64(W)*INT64(H) < 64ULL)        throw LIBRAW_EXCEPTION_IO_CORRUPT; \
++  } while (0)
++
+   try
+   {
+     if (!libraw_internal_data.internal_data.input)
+@@ -4267,6 +4306,7 @@ int LibRaw::unpack_thumb(void)
+ 
+         if (INT64(ID.toffset) + tsize > ID.input->size() + THUMB_READ_BEYOND)
+           throw LIBRAW_EXCEPTION_IO_EOF;
++        THUMB_SIZE_CHECKT(tsize);
+       }
+       else
+       {
+@@ -4280,6 +4320,8 @@ int LibRaw::unpack_thumb(void)
+       ID.input->seek(ID.toffset, SEEK_SET);
+       if (write_thumb == &LibRaw::jpeg_thumb)
+       {
++        THUMB_SIZE_CHECKTNZ(T.tlength);
++
+         if (T.thumb)
+           free(T.thumb);
+         T.thumb = (char *)malloc(T.tlength);
+@@ -4326,6 +4368,7 @@ int LibRaw::unpack_thumb(void)
+       {
+         if (t_bytesps > 1)
+           throw LIBRAW_EXCEPTION_IO_CORRUPT; // 8-bit thumb, but parsed for more bits
++      THUMB_SIZE_CHECKWH(T.twidth, T.theight);
+         int t_length = T.twidth * T.theight * t_colors;
+ 
+         if (T.tlength && T.tlength < t_length) // try to find tiff ifd with needed offset
+@@ -4351,6 +4394,7 @@ int LibRaw::unpack_thumb(void)
+                 T.tcolors = 1;
+             }
+             T.tlength = total_size;
++            THUMB_SIZE_CHECKTNZ(T.tlength);
+             if (T.thumb)
+               free(T.thumb);
+             T.thumb = (char *)malloc(T.tlength);
+@@ -4384,6 +4428,8 @@ int LibRaw::unpack_thumb(void)
+         if (T.thumb)
+           free(T.thumb);
+ 
++        THUMB_SIZE_CHECKTNZ(T.tlength);
++
+         T.thumb = (char *)malloc(T.tlength);
+         if (!T.tcolors)
+           T.tcolors = t_colors;
+@@ -4404,6 +4450,10 @@ int LibRaw::unpack_thumb(void)
+         int i_length = T.twidth * T.theight * t_colors * 2;
+         if (!T.tlength)
+           T.tlength = o_length;
++        THUMB_SIZE_CHECKTNZ(o_length);
++        THUMB_SIZE_CHECKTNZ(i_length);
++        THUMB_SIZE_CHECKTNZ(T.tlength);
++
+         ushort *t_thumb = (ushort *)calloc(i_length, 1);
+         ID.input->read(t_thumb, 1, i_length);
+         if ((libraw_internal_data.unpacker_data.order == 0x4949) == (ntohs(0x1234) == 0x1234))
+@@ -6183,6 +6233,9 @@ void LibRaw::parse_x3f()
    _x3f_data = x3f;
  
    x3f_header_t *H = NULL;
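Review bot: In the unpack_thumb() hunks the new range checks run on values already computed in `int`, so an oversized product can overflow before it is tested. `int i_length = T.twidth * T.theight * t_colors * 2;` is evaluated ahead of `THUMB_SIZE_CHECKTNZ(i_length)`, and `THUMB_SIZE_CHECKWH(T.twidth, T.theight)` bounds only width × height while the next line multiplies by `t_colors`. Whether that is reachable depends on the declared types and ranges of `twidth`, `theight` and `t_colors`, which are outside this patch, but signed overflow is undefined and a wrapped value could land inside the accepted window between 64 and the limit. I would test the 64-bit product before narrowing, e.g. `THUMB_SIZE_CHECKTNZ(INT64(T.twidth) * INT64(T.theight) * t_colors * 2);` above the `int i_length` line, and the same form without the `* 2` above `int t_length`. Separately, the three `THUMB_SIZE_CHECK*` macros are defined inside the function body and no `#undef` is visible in these hunks, so they appear to stay defined for the rest of the translation unit.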


