forked from Lainports/opnsense-ports
34 lines
1.1 KiB
Text
34 lines
1.1 KiB
Text
Description: Fix integer overflow in the ljpeg_start function in dcraw
|
|
Author: Alex Tutubalin <lexa@lexa.ru>
|
|
Bug-Debian: https://bugs.debian.org/786790
|
|
Origin: https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
|
|
https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
|
|
Bug: https://security-tracker.debian.org/tracker/CVE-2015-3885
|
|
Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
|
|
Reviewed-By: Anton Gladky <gladk@debian.org>
|
|
Last-Update: 2015-10-29
|
|
|
|
--- freeimage-3.15.4.orig/Source/LibRawLite/dcraw/dcraw.c
|
|
+++ Source/LibRawLite/dcraw/dcraw.c
|
|
@@ -768,7 +768,8 @@ struct jhead {
|
|
|
|
int CLASS ljpeg_start (struct jhead *jh, int info_only)
|
|
{
|
|
- int c, tag, len;
|
|
+ int c, tag;
|
|
+ ushort len;
|
|
uchar data[0x10000];
|
|
const uchar *dp;
|
|
|
|
--- freeimage-3.15.4.orig/Source/LibRawLite/internal/dcraw_common.cpp
|
|
+++ Source/LibRawLite/internal/dcraw_common.cpp
|
|
@@ -630,7 +630,8 @@ void CLASS canon_compressed_load_raw()
|
|
|
|
int CLASS ljpeg_start (struct jhead *jh, int info_only)
|
|
{
|
|
- int c, tag, len;
|
|
+ int c, tag;
|
|
+ ushort len;
|
|
uchar data[0x10000];
|
|
const uchar *dp;
|
|
|