diff --git a/CVE-2025-43961_CVE-2025-43962.patch b/CVE-2025-43961_CVE-2025-43962.patch new file mode 100644 index 0000000000000000000000000000000000000000..4ff4aaa4af23162cfc78f9ff71a21ac6d9c4e5f3 --- /dev/null +++ b/CVE-2025-43961_CVE-2025-43962.patch @@ -0,0 +1,103 @@ +From 66fe663e02a4dd610b4e832f5d9af326709336c2 Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Sat, 1 Feb 2025 15:32:39 +0300 +Subject: [PATCH] Prevent out-of-bounds read in fuji 0xf00c tag parser + +Prevent out-of-bounds read in fuji 0xf00c tag parser + +prevent OOB reads in phase_one_correct +--- + Changelog.txt | 5 +++++ + src/decoders/load_mfbacks.cpp | 18 ++++++++++++++---- + src/metadata/tiff.cpp | 28 +++++++++++++++++----------- + 3 files changed, 36 insertions(+), 15 deletions(-) + +diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp +index cddc33eb..1a1bdfb3 100644 +--- a/src/decoders/load_mfbacks.cpp ++++ b/src/decoders/load_mfbacks.cpp +@@ -490,6 +490,9 @@ int LibRaw::phase_one_correct() + fseek(ifp, off_412, SEEK_SET); + for (i = 0; i < 9; i++) + head[i] = get4() & 0x7fff; ++ unsigned w0 = head[1] * head[3], w1 = head[2] * head[4]; ++ if (w0 > 10240000 || w1 > 10240000) ++ throw LIBRAW_EXCEPTION_ALLOC; + yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6); + yval[1] = (float *)(yval[0] + head[1] * head[3]); + xval[0] = (ushort *)(yval[1] + head[2] * head[4]); +@@ -514,10 +517,17 @@ int LibRaw::phase_one_correct() + for (k = j = 0; j < head[1]; j++) + if (num < xval[0][k = head[1] * i + j]) + break; +- frac = (j == 0 || j == head[1]) +- ? 0 +- : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]); +- mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac); ++ if (j == 0 || j == head[1] || k < 1 || k >= w0+w1) ++ frac = 0; ++ else ++ { ++ int xdiv = (xval[0][k] - xval[0][k - 1]); ++ frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0; ++ } ++ if (k < w0 + w1) ++ mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * frac + yval[0][k] * (1 - frac); ++ else ++ mult[i - cip] = 0; + } + i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2; + RAW(row, col) = LIM(i, 0, 65535); +diff --git a/src/metadata/tiff.cpp b/src/metadata/tiff.cpp +index baacdcad..5ec07a20 100644 +--- a/src/metadata/tiff.cpp ++++ b/src/metadata/tiff.cpp +@@ -1036,31 +1036,37 @@ int LibRaw::parse_tiff_ifd(int base) + if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) && + (fwb[2] == rafdata[fi + 2])) // found Tungsten WB + { +- if (rafdata[fi - 15] != ++ if (fi > 14 && rafdata[fi - 15] != + fwb[0]) // 15 is offset of Tungsten WB from the first + // preset, Fine Weather WB + continue; +- for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size(); +- wb_ind++, ofst += 3) +- { +- icWBC[Fuji_wb_list1[wb_ind]][1] = +- icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst]; +- icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1]; +- icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2]; +- } ++ if (fi >= 15) ++ { ++ for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size(); ++ wb_ind++, ofst += 3) ++ { ++ icWBC[Fuji_wb_list1[wb_ind]][1] = ++ icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst]; ++ icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1]; ++ icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2]; ++ } ++ } + + if (is34) + fi += 24; + fi += 96; + for (fj = fi; fj < (fi + 15); fj += 3) // looking for the end of the WB table + { ++ if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3) ++ break; + if (rafdata[fj] != rafdata[fi]) + { + fj -= 93; + if (is34) + fj -= 9; +-// printf ("wb start in DNG: 0x%04x\n", fj*2-0x4e); +- for (int iCCT = 0, ofst = fj; iCCT < 31; ++//printf ("wb start in DNG: 0x%04x\n", fj*2-0x4e); ++ for (int iCCT = 0, ofst = fj; iCCT < 31 ++ && ofst < libraw_internal_data.unpacker_data.lenRAFData - 3; + iCCT++, ofst += 3) + { + icWBCCTC[iCCT][0] = FujiCCT_K[iCCT]; diff --git a/CVE-2025-43964.patch b/CVE-2025-43964.patch new file mode 100644 index 0000000000000000000000000000000000000000..95b2f2d0e1c8a8094a86f5cfb02ffada9dbcc090 --- /dev/null +++ b/CVE-2025-43964.patch @@ -0,0 +1,22 @@ +From a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0 Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Sun, 2 Mar 2025 11:35:43 +0300 +Subject: [PATCH] additional checks in PhaseOne correction tag 0x412 processing + +--- + src/decoders/load_mfbacks.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp +index f89aecce..95015d27 100644 +--- a/src/decoders/load_mfbacks.cpp ++++ b/src/decoders/load_mfbacks.cpp +@@ -495,6 +495,8 @@ int LibRaw::phase_one_correct() + unsigned w0 = head[1] * head[3], w1 = head[2] * head[4]; + if (w0 > 10240000 || w1 > 10240000) + throw LIBRAW_EXCEPTION_ALLOC; ++ if (w0 < 1 || w1 < 1) ++ throw LIBRAW_EXCEPTION_IO_CORRUPT; + yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6); + yval[1] = (float *)(yval[0] + head[1] * head[3]); + xval[0] = (ushort *)(yval[1] + head[2] * head[4]); diff --git a/LibRaw.spec b/LibRaw.spec index b5094e2ac6ac38b3cc65ab6bb10ae09e328d29f4..199ea8bc0efb96fbb8e5e2025337d716fe328226 100644 --- a/LibRaw.spec +++ b/LibRaw.spec @@ -1,6 +1,6 @@ Name: LibRaw Version: 0.21.1 -Release: 3 +Release: 4 Summary: Library for reading RAW files obtained from digital photo cameras License: BSD-3-Clause and (CDDL-1.0 or LGPL-2.1-only) URL: http://www.libraw.org @@ -8,6 +8,8 @@ Source0: http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz Patch0: LibRaw-pkgconfig.patch Patch1: CVE-2023-1729.patch Patch2: backport-upstream_CVE-2025-43963.patch +Patch3: CVE-2025-43961_CVE-2025-43962.patch +Patch4: CVE-2025-43964.patch BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg) BuildRequires: autoconf automake libtool make @@ -66,6 +68,9 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o %exclude %{_docdir}/libraw/* %changelog +* Thu Apr 24 2025 yaoxin <1024769339@qq.com> - 0.21.1-4 +- Fix CVE-2025-43961,CVE-2025-43962 and CVE-2025-43964 + * Thu Apr 24 2025 hdliu - 0.21.1-3 - Fix CVE-2025-43963