fixed two more problems found by fuzzer

LibRaw · Nov 24, 2015 · 89d0654 · 89d0654
1 parent 490ef94
commit 89d0654
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c
@@ -3759,6 +3759,10 @@ void CLASS smal_decode_segment (unsigned seg[2][2], int holes)
       diff = diff ? -diff : 0x80;
     if (ftell(ifp) + 12 >= seg[1][1])
       diff = 0;
+#ifdef LIBRAW_LIBRARY_BUILD
+    if(pix>=raw_width*raw_height)
+      throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
     raw_image[pix] = pred[pix & 1] += diff;
     if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
   }

diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
@@ -3475,6 +3475,10 @@ void CLASS smal_decode_segment (unsigned seg[2][2], int holes)
       diff = diff ? -diff : 0x80;
     if (ftell(ifp) + 12 >= seg[1][1])
       diff = 0;
+#ifdef LIBRAW_LIBRARY_BUILD
+    if(pix>=raw_width*raw_height)
+      throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
     raw_image[pix] = pred[pix & 1] += diff;
     if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
   }

diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp
@@ -1449,7 +1449,8 @@ int LibRaw::unpack(void)
 #endif
     if(!imgdata.rawdata.raw_image && !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image) //RawSpeed failed!
       {
-        // Not allocated on RawSpeed call, try call LibRaw
+        // Not allocated on RawSpeed call, try call LibRaow
+	int zero_rawimage = 0;
         if(decoder_info.decoder_flags &  LIBRAW_DECODER_OWNALLOC)
           {
             // x3f foveon decoder
@@ -1472,13 +1473,17 @@ int LibRaw::unpack(void)
             // allocate image as temporary buffer, size
             imgdata.rawdata.raw_alloc = 0;
             imgdata.image = (ushort (*)[4]) calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
+	    imgdata.rawdata.raw_image = (ushort*) imgdata.image ;
+	    zero_rawimage = 1;
           }
         ID.input->seek(libraw_internal_data.unpacker_data.data_offset, SEEK_SET);
 
         unsigned m_save = C.maximum;
         if(load_raw == &LibRaw::unpacked_load_raw && !strcasecmp(imgdata.idata.make,"Nikon"))
           C.maximum=65535;
         (this->*load_raw)();
+	if(zero_rawimage)
+	  imgdata.rawdata.raw_image = 0;
         if(load_raw == &LibRaw::unpacked_load_raw && !strcasecmp(imgdata.idata.make,"Nikon"))
           C.maximum = m_save;
         if(decoder_info.decoder_flags &  LIBRAW_DECODER_OWNALLOC)