CVE-2017-1438 credits; fix for Kodak 65000 out of bounds access

LibRaw · Sep 13, 2017 · d13e8f6 · d13e8f6
1 parent 8303e74
commit d13e8f6
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 5 deletions.
diff --git a/Changelog.txt b/Changelog.txt
@@ -1,5 +1,9 @@
+2017-09-13  Alex Tutubalin <lexa@lexa.ru>
+ * Fixed possible out of bound access in Kodak 6500 loader
+
 2017-09-12  Alex Tutubalin <lexa@lexa.ru>
- * Fix for possible heap overrun in Canon makernotes parser
+ * CVE-2017-14348: Fix for possible heap overrun in Canon makernotes parser
+   Credit: Henri Salo from Nixu Corporation
  * LibRaw 0.18.4
 
 2017-09-09  Alex Tutubalin <lexa@lexa.ru>

diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c
@@ -3528,8 +3528,15 @@ void CLASS kodak_65000_load_raw()
       len = MIN (256, width-col);
       ret = kodak_65000_decode (buf, len);
       for (i=0; i < len; i++)
-	if ((RAW(row,col+i) =	curve[ret ? buf[i] :
-		(pred[i & 1] += buf[i])]) >> 12) derror();
+      {
+	int idx = ret ? buf[i] : (pred[i & 1] += buf[i]);
+	if(idx >=0 && idx <= 0xffff)
+	 {
+	   if ((RAW(row,col+i) = curve[idx]) >> 12) derror();
+         }
+	 else
+	   derror();
+      }
     }
   }
 }

diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
@@ -3240,8 +3240,15 @@ void CLASS kodak_65000_load_raw()
       len = MIN (256, width-col);
       ret = kodak_65000_decode (buf, len);
       for (i=0; i < len; i++)
-	if ((RAW(row,col+i) =	curve[ret ? buf[i] :
-		(pred[i & 1] += buf[i])]) >> 12) derror();
+      {
+	int idx = ret ? buf[i] : (pred[i & 1] += buf[i]);
+	if(idx >=0 && idx <= 0xffff)
+	 {
+	   if ((RAW(row,col+i) = curve[idx]) >> 12) derror();
+         }
+	 else
+	   derror();
+      }
     }
   }
 }