The patch was the one received from David Coffin (author of dcraw) off channel before making the vulnerability public if I remember correctly.
I think the `len < 2` check is related to the line

```c
len = (data[2] << 8 | data[3]) - 2;
```

where len can be USHORT_MAX-1, which may result in a possible read error in the following `fread()` call - but you can easily trigger a read error even without underflowing. I don't see any security-related bugs triggered by omitting the check: len is an unsigned integer, and the data array is of size USHORT_MAX+1. Neither overflow nor underflow can occur.
The fix in netpbm and Fedora is somewhat cleaner than the upstream fix in dcraw, but all are good from a security perspective.
For the interested: Rawstudio plans to remove dcraw completely from a future version and rely solely on RawSpeed - and maybe calling an external dcraw binary as a fall-back option to support ancient file formats.
983bda1
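Added example, not dcraw's code and not from the commit above: the length arithmetic the comment quotes, with `len` as a 16-bit unsigned value, beside the guarded form with the `len < 2` check, and a stand-in for the `fread()` step reading into a 0x10000-byte buffer. The sample headers, the marker bytes and the return conventions are constructed assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample segment headers: a marker, then the big-endian 16-bit
 * stored length, plus one file image of a segment with a 15-byte payload.
 * None of this is taken from a real raw file. */
static const unsigned char HDR_LEN0[4]  = {0xFF, 0xC3, 0x00, 0x00};
static const unsigned char HDR_LEN1[4]  = {0xFF, 0xC3, 0x00, 0x01};
static const unsigned char HDR_LEN17[4] = {0xFF, 0xC3, 0x00, 0x11};
static const unsigned char SEG_OK[19]   = {0xFF, 0xC3, 0x00, 0x11,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};

/* The arithmetic quoted in the comment, with len as a 16-bit unsigned value:
 * the stored length counts its own two bytes, so the payload is stored - 2.
 * For stored values 0 and 1 the subtraction wraps to 65534 and 65535. */
unsigned short payload_len_unchecked(const unsigned char *data)
{
    unsigned short len = (data[2] << 8 | data[3]) - 2;
    return len;
}

/* Guarded form of the same step: reject a stored length below 2 before
 * subtracting. Returns -1 for a rejected header, else the payload length. */
int payload_len_checked(const unsigned char *data)
{
    unsigned int stored = (unsigned int)data[2] << 8 | data[3];
    if (stored < 2)
        return -1;
    return (int)(stored - 2);
}

/* Read one segment from an in-memory file image into a 0x10000-byte scratch
 * buffer, standing in for fread(). A 16-bit len can never exceed the buffer,
 * so the worst a wrapped len can do is a short read. Returns the number of
 * payload bytes copied, -1 if the header is rejected, -2 on a short read. */
int read_segment(const unsigned char *file, size_t file_len)
{
    static unsigned char buf[0x10000];  /* USHORT_MAX+1 bytes, as in the comment */
    if (file_len < 4)
        return -2;
    int len = payload_len_checked(file);
    if (len < 0)
        return -1;
    if (file_len - 4 < (size_t)len)
        return -2;                      /* fread() would return fewer than len */
    memcpy(buf, file + 4, (size_t)len);
    return len;
}
```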