From 4d463048b9f27a3dc86b7010c198b32d995cd941 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Tue, 27 Apr 2021 17:44:09 +0200
Subject: [PATCH] Limit loops to MIN(colors,4)
This is a backport of commit 4feaed4dea636cee for CVE-2020-24870.
https://github.com/LibRaw/LibRaw/issues/330
---
internal/dcraw_common.cpp | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
index a36553208194..3e8c009eb08e 100644
--- a/internal/dcraw_common.cpp
+++ b/internal/dcraw_common.cpp
@@ -19598,17 +19598,18 @@ dng_skip:
if(calidx[colidx] == sidx)
{
- for (int i = 0; i < colors; i++)
+ for (int i = 0; i < colors && i < 4; i++)
FORCC
cc[i][c] = tiff_ifd[sidx].dng_color[colidx].calibration[i][c];
}
if(abidx == sidx)
- for (int i = 0; i < colors; i++)
+ for (int i = 0; i < colors && i < 4; i++)
FORCC cc[i][c] *= tiff_ifd[sidx].dng_levels.analogbalance[i];
int j;
- FORCC for (int i = 0; i < 3; i++) for (cam_xyz[c][i] = j = 0; j < colors; j++) cam_xyz[c][i] +=
- cc[c][j] * cm[j][i];// add AsShotXY later * xyz[i];
+ FORCC for (int i = 0; i < 3; i++)
+ for (cam_xyz[c][i] = j = 0; j < colors && j < 4; j++)
+ cam_xyz[c][i] += cc[c][j] * cm[j][i];// add AsShotXY later * xyz[i];
cam_xyz_coeff(cmatrix, cam_xyz);
}
}
--
2.30.2