From 66fe663e02a4dd610b4e832f5d9af326709336c2 Mon Sep 17 00:00:00 2001 From: Alex Tutubalin Date: Sat, 1 Feb 2025 15:32:39 +0300 Subject: [PATCH] Prevent out-of-bounds read in fuji 0xf00c tag parser Prevent out-of-bounds read in fuji 0xf00c tag parser prevent OOB reads in phase_one_correct --- Changelog.txt | 5 +++++ src/decoders/load_mfbacks.cpp | 18 ++++++++++++++---- src/metadata/tiff.cpp | 28 +++++++++++++++++----------- 3 files changed, 36 insertions(+), 15 deletions(-) diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp index cddc33eb..1a1bdfb3 100644 --- a/src/decoders/load_mfbacks.cpp +++ b/src/decoders/load_mfbacks.cpp @@ -490,6 +490,9 @@ int LibRaw::phase_one_correct() fseek(ifp, off_412, SEEK_SET); for (i = 0; i < 9; i++) head[i] = get4() & 0x7fff; + unsigned w0 = head[1] * head[3], w1 = head[2] * head[4]; + if (w0 > 10240000 || w1 > 10240000) + throw LIBRAW_EXCEPTION_ALLOC; yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6); yval[1] = (float *)(yval[0] + head[1] * head[3]); xval[0] = (ushort *)(yval[1] + head[2] * head[4]); @@ -514,10 +517,17 @@ int LibRaw::phase_one_correct() for (k = j = 0; j < head[1]; j++) if (num < xval[0][k = head[1] * i + j]) break; - frac = (j == 0 || j == head[1]) - ? 0 - : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]); - mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac); + if (j == 0 || j == head[1] || k < 1 || k >= w0+w1) + frac = 0; + else + { + int xdiv = (xval[0][k] - xval[0][k - 1]); + frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0; + } + if (k < w0 + w1) + mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * frac + yval[0][k] * (1 - frac); + else + mult[i - cip] = 0; } i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2; RAW(row, col) = LIM(i, 0, 65535); diff --git a/src/metadata/tiff.cpp b/src/metadata/tiff.cpp index baacdcad..5ec07a20 100644 --- a/src/metadata/tiff.cpp +++ b/src/metadata/tiff.cpp @@ -1036,31 +1036,37 @@ int LibRaw::parse_tiff_ifd(int base) if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) && (fwb[2] == rafdata[fi + 2])) // found Tungsten WB { - if (rafdata[fi - 15] != + if (fi > 14 && rafdata[fi - 15] != fwb[0]) // 15 is offset of Tungsten WB from the first // preset, Fine Weather WB continue; - for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size(); - wb_ind++, ofst += 3) - { - icWBC[Fuji_wb_list1[wb_ind]][1] = - icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst]; - icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1]; - icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2]; - } + if (fi >= 15) + { + for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size(); + wb_ind++, ofst += 3) + { + icWBC[Fuji_wb_list1[wb_ind]][1] = + icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst]; + icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1]; + icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2]; + } + } if (is34) fi += 24; fi += 96; for (fj = fi; fj < (fi + 15); fj += 3) // looking for the end of the WB table { + if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3) + break; if (rafdata[fj] != rafdata[fi]) { fj -= 93; if (is34) fj -= 9; -// printf ("wb start in DNG: 0x%04x\n", fj*2-0x4e); - for (int iCCT = 0, ofst = fj; iCCT < 31; +//printf ("wb start in DNG: 0x%04x\n", fj*2-0x4e); + for (int iCCT = 0, ofst = fj; iCCT < 31 + && ofst < libraw_internal_data.unpacker_data.lenRAFData - 3; iCCT++, ofst += 3) { icWBCCTC[iCCT][0] = FujiCCT_K[iCCT];