From 841172fd07b8d1eff5397e3f64cd41c48c99e9cf Mon Sep 17 00:00:00 2001
From: zhanghua1831
Date: Thu, 17 Sep 2020 16:12:40 +0800
Subject: [PATCH] Fix CVE-2018-20363, CVE-2018-20364, CVE-2018-20365
---
CVE-2018-20363.patch | 31 +++++++++++++++++++++++++++++++
CVE-2018-20364.patch | 41 +++++++++++++++++++++++++++++++++++++++++
CVE-2018-20365.patch | 33 +++++++++++++++++++++++++++++++++
LibRaw.spec | 9 +++++++--
4 files changed, 112 insertions(+), 2 deletions(-)
create mode 100644 CVE-2018-20363.patch
create mode 100644 CVE-2018-20364.patch
create mode 100644 CVE-2018-20365.patch
diff --git a/CVE-2018-20363.patch b/CVE-2018-20363.patch
new file mode 100644
index 0000000..c5e55d1
--- /dev/null
+++ b/CVE-2018-20363.patch
@@ -0,0 +1,31 @@
+From 7e29b9f29449fde30cc878fbb137d61c14bba3a4 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin
+Date: Wed, 19 Dec 2018 14:17:51 +0300
+Subject: [PATCH] Possible write to NULL at raw2image
+
+---
+ src/libraw_cxx.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp
+index 1a8a2f25..074d81a4 100644
+--- a/src/libraw_cxx.cpp
++++ b/src/libraw_cxx.cpp
+@@ -3346,7 +3346,7 @@ int LibRaw::raw2image(void)
+ {
+ raw2image_start();
+
+- if (is_phaseone_compressed())
++ if (is_phaseone_compressed() && imgdata.rawdata.raw_image)
+ {
+ phase_one_allocate_tempbuffer();
+ int rc = phase_one_subtract_black((ushort *)imgdata.rawdata.raw_alloc, imgdata.rawdata.raw_image);
+@@ -3374,7 +3374,7 @@ int LibRaw::raw2image(void)
+ get_decoder_info(&decoder_info);
+
+ // Move saved bitmap to imgdata.image
+- if (imgdata.idata.filters || P1.colors == 1)
++ if ((imgdata.idata.filters || P1.colors == 1) && imgdata.rawdata.raw_image)
+ {
+ if (IO.fuji_width)
+ {
diff --git a/CVE-2018-20364.patch b/CVE-2018-20364.patch
new file mode 100644
index 0000000..689b944
--- /dev/null
+++ b/CVE-2018-20364.patch
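Review bot: Nothing in either hunk of CVE-2018-20363.patch tells the caller that work was skipped: with `imgdata.rawdata.raw_image` NULL, raw2image() now bypasses both the Phase One black subtraction and the copy into imgdata.image. If the code outside the hunks then returns success (not visible here), the application receives an image buffer that was never filled. A comment at the first guard would record the intent, for example `// raw_image may be NULL here; skip rather than write through it (CVE-2018-20363)`. The first guard also tests only raw_image while the call passes `imgdata.rawdata.raw_alloc` as well; whether raw_alloc can be NULL on its own is not shown. raw2image() starts and ends outside both hunks.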
@@ -0,0 +1,41 @@
+From 7903346bfd5f8c24e5bfd4df48f0e5cd1e7b65cb Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin
+Date: Fri, 21 Dec 2018 09:37:05 +0300
+Subject: [PATCH] check for raw_image presence in raw2image_ex
+
+---
+ src/libraw_cxx.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp
+index 074d81a4..43aed1cc 100644
+--- a/src/libraw_cxx.cpp
++++ b/src/libraw_cxx.cpp
+@@ -3374,7 +3374,8 @@ int LibRaw::raw2image(void)
+ get_decoder_info(&decoder_info);
+
+ // Move saved bitmap to imgdata.image
+- if ((imgdata.idata.filters || P1.colors == 1) && imgdata.rawdata.raw_image)
++ if ((imgdata.idata.filters || P1.colors == 1)
++ && imgdata.rawdata.raw_image)
+ {
+ if (IO.fuji_width)
+ {
+@@ -3638,7 +3639,7 @@ int LibRaw::raw2image_ex(int do_subtract_black)
+ raw2image_start();
+
+ // Compressed P1 files with bl data!
+- if (is_phaseone_compressed())
++ if (is_phaseone_compressed() && imgdata.rawdata.raw_image)
+ {
+ phase_one_allocate_tempbuffer();
+ int rc = phase_one_subtract_black((ushort *)imgdata.rawdata.raw_alloc, imgdata.rawdata.raw_image);
+@@ -3745,7 +3746,7 @@ int LibRaw::raw2image_ex(int do_subtract_black)
+ }
+
+ // Move saved bitmap to imgdata.image
+- if (imgdata.idata.filters || P1.colors == 1)
++ if ((imgdata.idata.filters || P1.colors == 1) && imgdata.rawdata.raw_image)
+ {
+ if (IO.fuji_width)
+ {
diff --git a/CVE-2018-20365.patch b/CVE-2018-20365.patch
new file mode 100644
index 0000000..cbe1985
--- /dev/null
+++ b/CVE-2018-20365.patch
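Review bot: CVE-2018-20364.patch is order-dependent on CVE-2018-20363.patch, and nothing records that. Its first hunk removes `if ((imgdata.idata.filters || P1.colors == 1) && imgdata.rawdata.raw_image)`, a line that exists only once the earlier patch is applied, and its pre-image index 074d81a4 is that patch's post-image. The spec lists the two in the right order, but a comment above the Patch6003 entry such as `# CVE-2018-20364.patch applies on top of CVE-2018-20363.patch` would keep a later reordering or removal from failing to apply. That first hunk only re-wraps the condition; the new checks are the two raw2image_ex() hunks, whose function body continues outside them.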
@@ -0,0 +1,33 @@ +From 561ec9a7fb5ec694104a22b7b6cd820bfa449784 Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Thu, 10 Jan 2019 09:22:39 +0300 +Subject: [PATCH] Sinar 4shot: zero filters for multi-shot images + +--- + internal/dcraw_common.cpp | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp +index 29cc72f..1ca70cf 100644 +--- a/internal/dcraw_common.cpp ++++ b/internal/dcraw_common.cpp +@@ -18969,10 +18969,15 @@ void CLASS identify() + { + if (!load_raw) + load_raw = &CLASS unpacked_load_raw; +- if (is_raw > 1 && !shot_select && !half_size) ++ if (is_raw > 1 && !shot_select) + filters = 0; + maximum = 0x3fff; + } ++ else if(load_raw == &LibRaw::sinar_4shot_load_raw) ++ { ++ if (is_raw > 1 && !shot_select) ++ filters = 0; ++ } + else if (!strncmp(make, "Leaf", 4)) + { + maximum = 0x3fff; +-- +2.23.0 + diff --git a/LibRaw.spec b/LibRaw.spec index fde0692..d82e81e 100644 --- a/LibRaw.spec +++ b/LibRaw.spec @@ -1,6 +1,6 @@ Name: LibRaw Version: 0.19.0 -Release: 9 +Release: 10 Summary: Library for reading RAW files obtained from digital photo cameras License: BSD and (CDDL or LGPLv2) URL: http://www.libraw.org @@ -8,7 +8,9 @@ Source0: http://www.libraw.org/data/%{name}-%{version}.tar.gz Patch0002: LibRaw-0.17.1-CVE-2015-8366-8367.patch Patch6000: LibRaw-0.19.2-CVE-2018-5817,5818,5819.patch Patch6001: CVE-2018-20337.patch - +Patch6002: CVE-2018-20363.patch +Patch6003: CVE-2018-20364.patch +Patch6004: CVE-2018-20365.patch BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg) Provides: bundled(dcraw) = 9.25 %description @@ -67,6 +69,9 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o %exclude %{_docdir}/libraw/* %changelog +* Wed Sep 16 2020 zhanghua - 0.19.0-10 +- Fix CVE-2018-20363, CVE-2018-20364, CVE-2018-20365 + * Mon Jul 13 2020 wangyue - 0.19.0-9 - Fix CVE-2018-20337. -- Gitee
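Review bot: The added `else if(load_raw == &LibRaw::sinar_4shot_load_raw)` branch in identify() has no comment saying why `filters` must be zero for multi-shot files, and the same `is_raw > 1 && !shot_select` test now appears in two branches. A line above each test such as `// multi-shot file with no shot selected: clear filters so later stages do not treat the data as Bayer (CVE-2018-20365)` would make the invariant explicit; that reading is inferred from the patch subject and should be confirmed against upstream. The new branch also sits ahead of the `"Leaf"` make check, so a file that reaches this chain with the 4-shot loader already selected no longer runs the Leaf branch; whether that combination occurs is not visible here. identify() continues outside the hunk.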