From f88a2febbcee9877382a5ee1c78a91afcf6883fb Mon Sep 17 00:00:00 2001
From: zhanghua1831
Date: Fri, 4 Dec 2020 15:11:37 +0800
Subject: [PATCH] fix stack buffer overflow in LibRaw_buffer_datastream::gets()
---
 LibRaw.spec | 6 ++-
 ...ow-in-LibRaw_buffer_datastream::gets.patch | 50 +++++++++++++++++++
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 fix-stack-buffer-overflow-in-LibRaw_buffer_datastream::gets.patch
diff --git a/LibRaw.spec b/LibRaw.spec
index 7a2fda8..7df458e 100644
--- a/LibRaw.spec
+++ b/LibRaw.spec
@@ -1,11 +1,12 @@
 Name: LibRaw
 Version: 0.20.2
-Release: 1
+Release: 2
 Summary: Library for reading RAW files obtained from digital photo cameras
 License: BSD and (CDDL or LGPLv2)
 URL: http://www.libraw.org
 Source0: http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz
 Patch0000: prevent-buffer-overrun-in-parse_rollei.patch
+Patch0001: fix-stack-buffer-overflow-in-LibRaw_buffer_datastream::gets.patch
 BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg)
 BuildRequires: autoconf automake libtool
 Provides: bundled(dcraw) = 9.25
@@ -66,6 +67,9 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o
 %exclude %{_docdir}/libraw/*
 %changelog
+* Fri Dec 4 2020 zhanghua - 0.20.2-2
+- fix stack buffer overflow in LibRaw_buffer_datastream::gets()
+
 * Tue Dec 1 2020 zhanghua - 0.20.2-1
 - update to 0.20.2 and fix stack buffer overflow in parse_rollei
diff --git a/fix-stack-buffer-overflow-in-LibRaw_buffer_datastream::gets.patch b/fix-stack-buffer-overflow-in-LibRaw_buffer_datastream::gets.patch
new file mode 100644
index 0000000..01c233d
--- /dev/null
+++ b/fix-stack-buffer-overflow-in-LibRaw_buffer_datastream::gets.patch
@@ -0,0 +1,50 @@
+From e70ded8b0bc231f7ed3fd5d2e83d61bd18ef5e94 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin
+Date: Thu, 3 Dec 2020 12:28:52 +0300
+Subject: [PATCH] LibRaw_buffer_datastream: gets() not always returns
+ 0-terminated string
+
+Reverted back parse_rollei change
+---
+ src/libraw_datastream.cpp | 7 +++++--
+ src/metadata/misc_parsers.cpp | 1 -
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/libraw_datastream.cpp b/src/libraw_datastream.cpp
+index 606e5de7..eaf071ee 100644
+--- a/src/libraw_datastream.cpp
++++ b/src/libraw_datastream.cpp
+@@ -422,7 +422,7 @@ char *LibRaw_buffer_datastream::gets(char *s, int sz)
+ psrc = buf + streampos;
+ pdest = str;
+ if(streampos >= streamsize) return NULL;
+- while ((size_t(psrc - buf) < streamsize) && ((pdest - str) < sz))
++ while ((size_t(psrc - buf) < streamsize) && ((pdest - str) < (sz-1)))
+ {
+ *pdest = *psrc;
+ if (*psrc == '\n')
+@@ -432,8 +432,11 @@ char *LibRaw_buffer_datastream::gets(char *s, int sz)
+ }
+ if (size_t(psrc - buf) < streamsize)
+ psrc++;
+- if ((pdest - str) < sz)
++ if ((pdest - str) < sz-1)
+ *(++pdest) = 0;
++ else
++ s[sz - 1] = 0; // ensure trailing zero
++
+ streampos = psrc - buf;
+ return s;
+ }
+diff --git a/src/metadata/misc_parsers.cpp b/src/metadata/misc_parsers.cpp
+index 4e36e940..7a74c9f1 100644
+--- a/src/metadata/misc_parsers.cpp
++++ b/src/metadata/misc_parsers.cpp
+@@ -304,7 +304,6 @@ void LibRaw::parse_rollei()
+ line[0] = 0;
+ if (!fgets(line, 128, ifp))
+ break;
+- line[127] = 0;
+ if(!line[0]) break; // zero-length
+ if ((val = strchr(line, '=')))
+ *val++ = 0;
--
Gitee
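Review bot: The new tail of `LibRaw_buffer_datastream::gets()` still terminates one byte too far on the end-of-stream path: when the loop exits because the input is exhausted rather than on a `'\n'`, `pdest` already points one past the last stored byte, so `*(++pdest) = 0` leaves `s[pdest - str]` uninitialized and the caller sees a stray byte before the NUL. The post-loop `psrc++` has a related problem — when the loop stopped because `pdest - str` reached `sz - 1`, `psrc` points at an unread byte that is then skipped, so over-long lines silently lose a character. Writing the NUL at `pdest` unconditionally and advancing `psrc` only over bytes actually stored closes both without changing the `'\n'` case (sketched below); the head of `gets()`, where `str` and `buf` are set up, is outside the hunk (I assume `str` aliases `s`), and `sz <= 0` remains unguarded. Dropping `line[127] = 0;` in `parse_rollei()` also removes a cheap guard that covered any other datastream implementation whose `gets()` is not shown here, so I would keep that line unless every subclass has been checked.
```cpp
  // … unchanged: psrc/pdest setup and the streampos >= streamsize check …
  while ((size_t(psrc - buf) < streamsize) && ((pdest - str) < (sz - 1)))
  {
    *pdest++ = *psrc++;      // psrc advances only over bytes actually stored
    if (pdest[-1] == '\n')
      break;
  }
  *pdest = 0;                // pdest is one past the last stored byte on every exit path
  streampos = psrc - buf;
  return s;
```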