Fix CVE-2025-43961,CVE-2025-43962 and CVE-2025-43964
(cherry picked from commit 923f6434029482e74c79ebe1c191a1bebe7f9719)
parent
31559cb2d3
commit
06bc2e72a2
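--- /dev/null
+++ b/CVE-2025-43961_CVE-2025-43962.patch
@@ -0,0 +1,103 @@
+From 66fe663e02a4dd610b4e832f5d9af326709336c2 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sat, 1 Feb 2025 15:32:39 +0300
+Subject: [PATCH] Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+prevent OOB reads in phase_one_correct
+---
+Changelog.txt | 5 +++++
+src/decoders/load_mfbacks.cpp | 18 ++++++++++++++----
+src/metadata/tiff.cpp | 28 +++++++++++++++++-----------
+3 files changed, 36 insertions(+), 15 deletions(-)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index cddc33eb..1a1bdfb3 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -490,6 +490,9 @@ int LibRaw::phase_one_correct()
+fseek(ifp, off_412, SEEK_SET);
+for (i = 0; i < 9; i++)
+head[i] = get4() & 0x7fff;
++ unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
++ if (w0 > 10240000 || w1 > 10240000)
++ throw LIBRAW_EXCEPTION_ALLOC;
+yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+yval[1] = (float *)(yval[0] + head[1] * head[3]);
+xval[0] = (ushort *)(yval[1] + head[2] * head[4]);
+@@ -514,10 +517,17 @@ int LibRaw::phase_one_correct()
+for (k = j = 0; j < head[1]; j++)
+if (num < xval[0][k = head[1] * i + j])
+break;
+- frac = (j == 0 || j == head[1])
+- ? 0
+- : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]);
+- mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac);
++ if (j == 0 || j == head[1] || k < 1 || k >= w0+w1)
++ frac = 0;
++ else
++ {
++ int xdiv = (xval[0][k] - xval[0][k - 1]);
++ frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0;
++ }
++ if (k < w0 + w1)
++ mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * frac + yval[0][k] * (1 - frac);
++ else
++ mult[i - cip] = 0;
+}
+i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2;
+RAW(row, col) = LIM(i, 0, 65535);
+diff --git a/src/metadata/tiff.cpp b/src/metadata/tiff.cpp
+index baacdcad..5ec07a20 100644
+--- a/src/metadata/tiff.cpp
++++ b/src/metadata/tiff.cpp
+@@ -1036,31 +1036,37 @@ int LibRaw::parse_tiff_ifd(int base)
+if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) &&
+(fwb[2] == rafdata[fi + 2])) // found Tungsten WB
+{
+- if (rafdata[fi - 15] !=
++ if (fi > 14 && rafdata[fi - 15] !=
+fwb[0]) // 15 is offset of Tungsten WB from the first
+// preset, Fine Weather WB
+continue;
+- for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size();
+- wb_ind++, ofst += 3)
+- {
+- icWBC[Fuji_wb_list1[wb_ind]][1] =
+- icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
+- icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
+- icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
+- }
++ if (fi >= 15)
++ {
++ for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size();
++ wb_ind++, ofst += 3)
++ {
++ icWBC[Fuji_wb_list1[wb_ind]][1] =
++ icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
++ icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
++ icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
++ }
++ }
+
+if (is34)
+fi += 24;
+fi += 96;
+for (fj = fi; fj < (fi + 15); fj += 3) // looking for the end of the WB table
+{
++ if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3)
++ break;
+if (rafdata[fj] != rafdata[fi])
+{
+fj -= 93;
+if (is34)
+fj -= 9;
+-// printf ("wb start in DNG: 0x%04x\n", fj*2-0x4e);
+- for (int iCCT = 0, ofst = fj; iCCT < 31;
++//printf ("wb start in DNG: 0x%04x\n", fj*2-0x4e);
++ for (int iCCT = 0, ofst = fj; iCCT < 31
++ && ofst < libraw_internal_data.unpacker_data.lenRAFData - 3;
+iCCT++, ofst += 3)
+{
+icWBCCTC[iCCT][0] = FujiCCT_K[iCCT];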
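Review bot: In the second `phase_one_correct` hunk the added `k >= w0+w1` test comes after the search loop, which has already read `xval[0][k = head[1] * i + j]` for that k, so the range check does not cover the loop's own read. `i` is set outside the hunk, so whether k can pass the end of the table at that point is not visible from these lines. If it can, the bound belongs in the loop condition, for example `for (k = j = 0; j < head[1] && unsigned(head[1] * i + j) < w0 + w1; j++)`. In the same hunk `xdiv` is computed and the divisor is then spelled out a second time; `frac = xdiv ? (xval[0][k] - num) / xdiv : 0;` keeps a single expression to maintain.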
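--- /dev/null
+++ b/CVE-2025-43964.patch
@@ -0,0 +1,22 @@
+From a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sun, 2 Mar 2025 11:35:43 +0300
+Subject: [PATCH] additional checks in PhaseOne correction tag 0x412 processing
+
+---
+src/decoders/load_mfbacks.cpp | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index f89aecce..95015d27 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -495,6 +495,8 @@ int LibRaw::phase_one_correct()
+unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
+if (w0 > 10240000 || w1 > 10240000)
+throw LIBRAW_EXCEPTION_ALLOC;
++ if (w0 < 1 || w1 < 1)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+yval[1] = (float *)(yval[0] + head[1] * head[3]);
+xval[0] = (ushort *)(yval[1] + head[2] * head[4]);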
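Review bot: The added `w0 < 1 || w1 < 1` test and the 10240000 limit just above it carry no comment on why those bounds were chosen, which makes them hard to re-verify when the patch is rebased onto a newer LibRaw. A one-line comment such as `// tag 0x412 tables: reject empty or implausibly large dimensions before sizing the buffer` would record the intent. The `calloc` on the next line still recomputes `head[1] * head[3] + head[2] * head[4]`; sizing it with `w0 + w1` would tie the allocation to the values that were just validated. The body of `phase_one_correct` continues outside the hunk.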
@ -1,6 +1,6 @@
|
|||||||
Name: LibRaw
|
Name: LibRaw
|
||||||
Version: 0.21.1
|
Version: 0.21.1
|
||||||
Release: 3
|
Release: 4
|
||||||
Summary: Library for reading RAW files obtained from digital photo cameras
|
Summary: Library for reading RAW files obtained from digital photo cameras
|
||||||
License: BSD-3-Clause and (CDDL-1.0 or LGPL-2.1-only)
|
License: BSD-3-Clause and (CDDL-1.0 or LGPL-2.1-only)
|
||||||
URL: http://www.libraw.org
|
URL: http://www.libraw.org
|
||||||
@ -8,6 +8,8 @@ Source0: http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz
|
|||||||
Patch0: LibRaw-pkgconfig.patch
|
Patch0: LibRaw-pkgconfig.patch
|
||||||
Patch1: CVE-2023-1729.patch
|
Patch1: CVE-2023-1729.patch
|
||||||
Patch2: backport-upstream_CVE-2025-43963.patch
|
Patch2: backport-upstream_CVE-2025-43963.patch
|
||||||
|
Patch3: CVE-2025-43961_CVE-2025-43962.patch
|
||||||
|
Patch4: CVE-2025-43964.patch
|
||||||
|
|
||||||
BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg)
|
BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg)
|
||||||
BuildRequires: autoconf automake libtool make
|
BuildRequires: autoconf automake libtool make
|
||||||
@ -66,6 +68,9 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o
|
|||||||
%exclude %{_docdir}/libraw/*
|
%exclude %{_docdir}/libraw/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Apr 24 2025 yaoxin <1024769339@qq.com> - 0.21.1-4
|
||||||
|
- Fix CVE-2025-43961,CVE-2025-43962 and CVE-2025-43964
|
||||||
|
|
||||||
* Thu Apr 24 2025 hdliu <dev03108@linx-info.com> - 0.21.1-3
|
* Thu Apr 24 2025 hdliu <dev03108@linx-info.com> - 0.21.1-3
|
||||||
- Fix CVE-2025-43963
|
- Fix CVE-2025-43963
|
||||||
|
|
||||||
|
|||||||