diff options
Diffstat (limited to 'dcraw-CVE-2018-19655.patch')
| -rw-r--r-- | dcraw-CVE-2018-19655.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/dcraw-CVE-2018-19655.patch b/dcraw-CVE-2018-19655.patch new file mode 100644 index 0000000..1d0b024 --- /dev/null +++ b/dcraw-CVE-2018-19655.patch @@ -0,0 +1,39 @@ +Author: Filip Hroch <hroch@physics.muni.cz> +Description: stack-based buffer overflow bug +--- a/dcraw.c ++++ b/dcraw.c +@@ -8345,9 +8345,15 @@ + { + UINT64 bitbuf=0; + int vbits, col, i, c; +- ushort img[2][2064]; ++ ushort *img; + double sum[]={0,0}; + ++#define IMG2D(row,col) \ ++ img[(row)*width+(col)] ++ ++ img = (ushort *) malloc(2*width*sizeof(ushort)); ++ merror (img, "find_green()"); ++ + FORC(2) { + fseek (ifp, c ? off1:off0, SEEK_SET); + for (vbits=col=0; col < width; col++) { +@@ -8356,13 +8362,14 @@ + for (i=0; i < bite; i+=8) + bitbuf |= (unsigned) (fgetc(ifp) << i); + } +- img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps); ++ IMG2D(c,col) = bitbuf << (64-bps-vbits) >> (64-bps); + } + } + FORC(width-1) { +- sum[ c & 1] += ABS(img[0][c]-img[1][c+1]); +- sum[~c & 1] += ABS(img[1][c]-img[0][c+1]); ++ sum[ c & 1] += ABS(IMG2D(0,c)-IMG2D(1,c+1)); ++ sum[~c & 1] += ABS(IMG2D(1,c)-IMG2D(0,c+1)); + } ++ free(img); + return 100 * log(sum[0]/sum[1]); + } + |