Attachment #196875 for bug #231165




# $FreeBSD$

PORTNAME=	freeimage
PORTVERSION=	3.18.0
PORTREVISION=	6
# Version 3.17.0 is available, but does not build on i386 (and probably
# other 32-bit arches) without some not-quite-trivial patching.  If one
# decides to update the port, please make sure 32-bit builds are tested!
CATEGORIES=	graphics
MASTER_SITES=	SF/${PORTNAME}/Source%20Distribution/${PORTVERSION}
DISTNAME=	FreeImage${PORTVERSION:S/.//g}

MAINTAINER=	ports@FreeBSD.org
COMMENT=	Simple C/C++ bitmap graphics library

LICENSE=		FIPL GPLv2 GPLv3
LICENSE_COMB=		multi
LICENSE_NAME_FIPL=	FreeImage Public License
LICENSE_FILE_FIPL=	${WRKSRC}/license-fi.txt
LICENSE_FILE_GPLv2=	${WRKSRC}/license-gplv2.txt
LICENSE_FILE_GPLv3=	${WRKSRC}/license-gplv3.txt
LICENSE_PERMS_FIPL=	dist-mirror pkg-mirror auto-accept

BROKEN_mips=		fails to compile: opcode not supported on this processor: mips3 (mips3) `madd $16,$6'
BROKEN_mips64=		fails to compile: opcode not supported on this processor: mips3 (mips3) 'madd $4,$5'


USE_LDCONFIG=	yes
WRKSRC=		${WRKDIR}/FreeImage
MAKE_ARGS=	CC="${CC}" CPP="${CPP}" CXX="${CXX}"
CFLAGS+=	-DPNG_ARM_NEON_OPT=0 -fexceptions -fvisibility=hidden -fPIC

CFLAGS+=	-DPNG_ARM_NEON_OPT=0 -fexceptions -fvisibility=hidden
CFLAGS_aarch64=	-fPIC
CFLAGS_amd64=	-fPIC
CFLAGS_armv7=	-fPIC

PLIST_FILES=	include/FreeImage.h \
		include/FreeImagePlus.h \
		lib/libfreeimage.a \

		lib/libfreeimageplus.so.3 \
		lib/libfreeimageplus.so

.include <bsd.port.options.mk>

.if ${ARCH} == amd64 || ${ARCH} == powerpc || ${ARCH} == powerpc64 || ${ARCH} == sparc64
USES+=		compiler:c++0x
.endif

post-patch:
	@${REINPLACE_CMD} -e 's|/usr|${PREFIX}| ; s|-o root -g root ||' \
		${WRKSRC}/Makefile.gnu ${WRKSRC}/Makefile.fip

Lines 1-2 Link Here

(-)graphics/freeimage/distinfo (-2 / +3 lines)
1	SHA256 (FreeImage3160.zip) = 03af32dd60140d07515ddfe7b4f467baa3b888a72ea78828811aded7adb42f60	1	TIMESTAMP = 1536092886
2	SIZE (FreeImage3160.zip) = 5669228	2	SHA256 (FreeImage3180.zip) = f41379682f9ada94ea7b34fe86bf9ee00935a3147be41b6569c9605a53e438fd
		3	SIZE (FreeImage3180.zip) = 7415716




--- Source/FreeImage/PluginXPM.cpp.orig	2013-11-29 19:29:14 UTC
+++ Source/FreeImage/PluginXPM.cpp
@@ -181,6 +181,11 @@ Load(FreeImageIO *io, fi_handle handle, 
 		}
 		free(str);
 
+		// check info string
+		if((width <= 0) || (height <= 0) || (colors <= 0) || (cpp <= 0)) {
+			throw "Improperly formed info string";
+		}
+
         if (colors > 256) {
 			dib = FreeImage_AllocateHeader(header_only, width, height, 24, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
 		} else {
@@ -193,7 +198,7 @@ Load(FreeImageIO *io, fi_handle handle, 
 			FILE_RGBA rgba;
 
 			str = ReadString(io, handle);
-			if(!str)
+			if(!str || (strlen(str) < (size_t)cpp))
 				throw "Error reading color strings";
 
 			std::string chrs(str,cpp); //create a string for the color chars using the first cpp chars

Lines 1-11 Link Here

(-)graphics/freeimage/files/patch-Source-OpenEXR-IlmImf_ImfAutoArray.h (-11 lines)
1	--- Source/OpenEXR/IlmImf/ImfAutoArray.h.orig 2013-01-30 11:10:28.000000000 +0100
2	+++ Source/OpenEXR/IlmImf/ImfAutoArray.h 2013-01-30 12:05:10.000000000 +0100
3	@@ -46,6 +46,8 @@
4
5	#include "OpenEXRConfig.h"
6
7	+#include <string.h>
8	+
9	namespace Imf {
10
11

Line 0 Link Here

(-)graphics/freeimage/files/patch-Source_FreeImage_PluginPSD.cpp (+11 lines)
	1	--- Source/FreeImage/PluginPSD.cpp.orig 2018-09-04 20:32:27 UTC
	2	+++ Source/FreeImage/PluginPSD.cpp
	3	@@ -127,7 +127,7 @@ Load(FreeImageIO *io, fi_handle handle, int page, int
	4	static BOOL DLL_CALLCONV
	5	Save(FreeImageIO io, FIBITMAP dib, fi_handle handle, int page, int flags, void *data) {
	6	if(!handle) {
	7	- return NULL;
	8	+ //return NULL;
	9	}
	10	try {
	11	psdParser parser;

Lines 1-60 Link Here

(-)graphics/freeimage/files/patch-Source_LibRawLite_internal_dcraw__common.cpp (-60 lines)
1	https://github.com/LibRaw/LibRaw/commit/f4c0b98581a6
2	https://github.com/LibRaw/LibRaw/commit/2cef10389486
3
4	--- Source/LibRawLite/internal/dcraw_common.cpp.orig 2014-02-07 19:48:10 UTC
5	+++ Source/LibRawLite/internal/dcraw_common.cpp
6	@@ -2027,7 +2027,7 @@ void CLASS quicktake_100_load_raw()
7
8	void CLASS kodak_radc_load_raw()
9	{
10	- static const char src[] = {
11	+ static const signed char src[] = {
12	1,1, 2,3, 3,4, 4,2, 5,7, 6,5, 7,6, 7,8,
13	1,0, 2,1, 3,3, 4,4, 5,2, 6,7, 7,6, 8,5, 8,8,
14	2,1, 2,3, 3,0, 3,2, 3,4, 4,6, 5,5, 6,7, 6,8,
15	@@ -3782,22 +3782,22 @@ void CLASS vng_interpolate()
16	-2,+0,+0,-1,0,0x06, -2,+0,+0,+0,1,0x02, -2,+0,+0,+1,0,0x03,
17	-2,+1,-1,+0,0,0x04, -2,+1,+0,-1,1,0x04, -2,+1,+0,+0,0,0x06,
18	-2,+1,+0,+1,0,0x02, -2,+2,+0,+0,1,0x04, -2,+2,+0,+1,0,0x04,
19	- -1,-2,-1,+0,0,0x80, -1,-2,+0,-1,0,0x01, -1,-2,+1,-1,0,0x01,
20	- -1,-2,+1,+0,1,0x01, -1,-1,-1,+1,0,0x88, -1,-1,+1,-2,0,0x40,
21	+ -1,-2,-1,+0,0,-128, -1,-2,+0,-1,0,0x01, -1,-2,+1,-1,0,0x01,
22	+ -1,-2,+1,+0,1,0x01, -1,-1,-1,+1,0,-120, -1,-1,+1,-2,0,0x40,
23	-1,-1,+1,-1,0,0x22, -1,-1,+1,+0,0,0x33, -1,-1,+1,+1,1,0x11,
24	-1,+0,-1,+2,0,0x08, -1,+0,+0,-1,0,0x44, -1,+0,+0,+1,0,0x11,
25	-1,+0,+1,-2,1,0x40, -1,+0,+1,-1,0,0x66, -1,+0,+1,+0,1,0x22,
26	-1,+0,+1,+1,0,0x33, -1,+0,+1,+2,1,0x10, -1,+1,+1,-1,1,0x44,
27	-1,+1,+1,+0,0,0x66, -1,+1,+1,+1,0,0x22, -1,+1,+1,+2,0,0x10,
28	-1,+2,+0,+1,0,0x04, -1,+2,+1,+0,1,0x04, -1,+2,+1,+1,0,0x04,
29	- +0,-2,+0,+0,1,0x80, +0,-1,+0,+1,1,0x88, +0,-1,+1,-2,0,0x40,
30	+ +0,-2,+0,+0,1,-128, +0,-1,+0,+1,1,-120, +0,-1,+1,-2,0,0x40,
31	+0,-1,+1,+0,0,0x11, +0,-1,+2,-2,0,0x40, +0,-1,+2,-1,0,0x20,
32	+0,-1,+2,+0,0,0x30, +0,-1,+2,+1,1,0x10, +0,+0,+0,+2,1,0x08,
33	+0,+0,+2,-2,1,0x40, +0,+0,+2,-1,0,0x60, +0,+0,+2,+0,1,0x20,
34	+0,+0,+2,+1,0,0x30, +0,+0,+2,+2,1,0x10, +0,+1,+1,+0,0,0x44,
35	+0,+1,+1,+2,0,0x10, +0,+1,+2,-1,1,0x40, +0,+1,+2,+0,0,0x60,
36	- +0,+1,+2,+1,0,0x20, +0,+1,+2,+2,0,0x10, +1,-2,+1,+0,0,0x80,
37	- +1,-1,+1,+1,0,0x88, +1,+0,+1,+2,0,0x08, +1,+0,+2,-1,0,0x40,
38	+ +0,+1,+2,+1,0,0x20, +0,+1,+2,+2,0,0x10, +1,-2,+1,+0,0,-128,
39	+ +1,-1,+1,+1,0,-120, +1,+0,+1,+2,0,0x08, +1,+0,+2,-1,0,0x40,
40	+1,+0,+2,+1,0,0x10
41	}, chood[] = { -1,-1, -1,0, -1,+1, 0,+1, +1,+1, +1,0, +1,-1, 0,-1 };
42	ushort (brow[5])[4], pix;
43	@@ -7380,7 +7380,7 @@ void CLASS adobe_coeff (const char *t_make, const char
44	{ 8035,435,-962,-6001,13872,2320,-1159,3065,5434 } },
45	{ "Phase One P65", 0, 0,
46	{ 8035,435,-962,-6001,13872,2320,-1159,3065,5434 } },
47	- { "Red One", 704, 0xffff, /* DJC */
48	+ { "Red One", 704, -1, /* DJC */
49	{ 21014,-7891,-2613,-3056,12201,856,-2203,5125,8042 } },
50	{ "Samsung EK-GN120", 0, 0, /* Adobe; Galaxy NX */
51	{ 7557,-2522,-739,-4679,12949,1894,-840,1777,5311 } },
52	@@ -9235,7 +9235,7 @@ void CLASS tiff_head (struct tiff_hdr *th, int full)
53	strncpy (th->t_desc, desc, 512);
54	strncpy (th->t_make, make, 64);
55	strncpy (th->t_model, model, 64);
56	- strcpy (th->soft, "dcraw v"DCRAW_VERSION);
57	+ strcpy (th->soft, "dcraw v" DCRAW_VERSION);
58	t = localtime (&timestamp);
59	sprintf (th->date, "%04d:%02d:%02d %02d:%02d:%02d",
60	t->tm_year+1900,t->tm_mon+1,t->tm_mday,t->tm_hour,t->tm_min,t->tm_sec);




CVE-2015-0852

Description: fix integer overflow
Origin: upstream
 http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.17&r2=1.18&pathrev=MAIN
 http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.18&r2=1.19&pathrev=MAIN
Bug-Debian: https://bugs.debian.org/797165
Last-Update: 2015-09-14
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: freeimage/Source/FreeImage/PluginPCX.cpp
===================================================================
--- freeimage.orig/Source/FreeImage/PluginPCX.cpp
+++ Source/FreeImage/PluginPCX.cpp
@@ -347,12 +347,14 @@ Load(FreeImageIO *io, fi_handle handle,
 
 	try {
 		// check PCX identifier
-
-		long start_pos = io->tell_proc(handle);
-		BOOL validated = pcx_validate(io, handle);		
-		io->seek_proc(handle, start_pos, SEEK_SET);
-		if(!validated) {
-			throw FI_MSG_ERROR_MAGIC_NUMBER;
+		// (note: should have been already validated using FreeImage_GetFileType but check again)
+		{
+			long start_pos = io->tell_proc(handle);
+			BOOL validated = pcx_validate(io, handle);
+			io->seek_proc(handle, start_pos, SEEK_SET);
+			if(!validated) {
+				throw FI_MSG_ERROR_MAGIC_NUMBER;
+			}
 		}
 
 		// process the header
@@ -366,20 +368,38 @@ Load(FreeImageIO *io, fi_handle handle,
 		SwapHeader(&header);
 #endif
 
-		// allocate a new DIB
+		// process the window
+		const WORD *window = header.window;	// left, upper, right,lower pixel coord.
+		const int left		= window[0];
+		const int top		= window[1];
+		const int right		= window[2];
+		const int bottom	= window[3];
 
-		unsigned width = header.window[2] - header.window[0] + 1;
-		unsigned height = header.window[3] - header.window[1] + 1;
-		unsigned bitcount = header.bpp * header.planes;
-
-		if (bitcount == 24) {
-			dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
-		} else {
-			dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);			
+		// check image size
+		if((left >= right) || (top >= bottom)) {
+			throw FI_MSG_ERROR_PARSING;
 		}
 
-		// if the dib couldn't be allocated, throw an error
+		const unsigned width = right - left + 1;
+		const unsigned height = bottom - top + 1;
+		const unsigned bitcount = header.bpp * header.planes;
+
+		// allocate a new DIB
+		switch(bitcount) {
+			case 1:
+			case 4:
+			case 8:
+				dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
+				break;
+			case 24:
+				dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
+				break;
+			default:
+				throw FI_MSG_ERROR_DIB_MEMORY;
+				break;
+		}
 
+		// if the dib couldn't be allocated, throw an error
 		if (!dib) {
 			throw FI_MSG_ERROR_DIB_MEMORY;
 		}
@@ -426,19 +446,23 @@ Load(FreeImageIO *io, fi_handle handle,
 
 				if (palette_id == 0x0C) {
 					BYTE *cmap = (BYTE*)malloc(768 * sizeof(BYTE));
-					io->read_proc(cmap, 768, 1, handle);
 
-					pal = FreeImage_GetPalette(dib);
-					BYTE *pColormap = &cmap[0];
+					if(cmap) {
+						io->read_proc(cmap, 768, 1, handle);
 
-					for(int i = 0; i < 256; i++) {
-						pal[i].rgbRed   = pColormap[0];
-						pal[i].rgbGreen = pColormap[1];
-						pal[i].rgbBlue  = pColormap[2];
-						pColormap += 3;
+						pal = FreeImage_GetPalette(dib);
+						BYTE *pColormap = &cmap[0];
+
+						for(int i = 0; i < 256; i++) {
+							pal[i].rgbRed   = pColormap[0];
+							pal[i].rgbGreen = pColormap[1];
+							pal[i].rgbBlue  = pColormap[2];
+							pColormap += 3;
+						}
+
+						free(cmap);
 					}
 
-					free(cmap);
 				}
 
 				// wrong palette ID, perhaps a gray scale is needed ?
@@ -466,9 +490,9 @@ Load(FreeImageIO *io, fi_handle handle,
 		// calculate the line length for the PCX and the DIB
 
 		// length of raster line in bytes
-		unsigned linelength = header.bytes_per_line * header.planes;
+		const unsigned linelength = header.bytes_per_line * header.planes;
 		// length of DIB line (rounded to DWORD) in bytes
-		unsigned pitch = FreeImage_GetPitch(dib);
+		const unsigned pitch = FreeImage_GetPitch(dib);
 
 		// run-length encoding ?
 




Description: Fix integer overflow in the ljpeg_start function in dcraw
Author: Alex Tutubalin <lexa@lexa.ru>
Bug-Debian: https://bugs.debian.org/786790
Origin: https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
	https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
Bug: https://security-tracker.debian.org/tracker/CVE-2015-3885
Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
Reviewed-By: Anton Gladky <gladk@debian.org>
Last-Update: 2015-10-29

--- freeimage-3.15.4.orig/Source/LibRawLite/dcraw/dcraw.c
+++ Source/LibRawLite/dcraw/dcraw.c
@@ -768,7 +768,8 @@ struct jhead {

 int CLASS ljpeg_start (struct jhead *jh, int info_only)
 {
-  int c, tag, len;
+  int c, tag;
+  ushort len;
   uchar data[0x10000];
   const uchar *dp;

--- freeimage-3.15.4.orig/Source/LibRawLite/internal/dcraw_common.cpp
+++ Source/LibRawLite/internal/dcraw_common.cpp
@@ -630,7 +630,8 @@ void CLASS canon_compressed_load_raw()

 int CLASS ljpeg_start (struct jhead *jh, int info_only)
 {
-  int c, tag, len;
+  int c, tag;
+  ushort len;
   uchar data[0x10000];
   const uchar *dp;


Return to bug 231165

Lines 2-12 Link Here

(-)graphics/freeimage/Makefile (-16 / +10 lines)
2	# $FreeBSD$	2	# $FreeBSD$
3		3
4	PORTNAME= freeimage	4	PORTNAME= freeimage
5	PORTVERSION= 3.16.0	5	PORTVERSION= 3.18.0
6	PORTREVISION= 6
7	# Version 3.17.0 is available, but does not build on i386 (and probably
8	# other 32-bit arches) without some not-quite-trivial patching. If one
9	# decides to update the port, please make sure 32-bit builds are tested!
10	CATEGORIES= graphics	6	CATEGORIES= graphics
11	MASTER_SITES= SF/${PORTNAME}/Source%20Distribution/${PORTVERSION}	7	MASTER_SITES= SF/${PORTNAME}/Source%20Distribution/${PORTVERSION}
12	DISTNAME= FreeImage${PORTVERSION:S/.//g}	8	DISTNAME= FreeImage${PORTVERSION:S/.//g}
Lines 14-19 Link Here
14	MAINTAINER= ports@FreeBSD.org	10	MAINTAINER= ports@FreeBSD.org
15	COMMENT= Simple C/C++ bitmap graphics library	11	COMMENT= Simple C/C++ bitmap graphics library
16		12
		13	LICENSE= FIPL GPLv2 GPLv3
		14	LICENSE_COMB= multi
		15	LICENSE_NAME_FIPL= FreeImage Public License
		16	LICENSE_FILE_FIPL= ${WRKSRC}/license-fi.txt
		17	LICENSE_FILE_GPLv2= ${WRKSRC}/license-gplv2.txt
		18	LICENSE_FILE_GPLv3= ${WRKSRC}/license-gplv3.txt
		19	LICENSE_PERMS_FIPL= dist-mirror pkg-mirror auto-accept
		20
17	BROKEN_mips= fails to compile: opcode not supported on this processor: mips3 (mips3) `madd $16,$6'	21	BROKEN_mips= fails to compile: opcode not supported on this processor: mips3 (mips3) `madd $16,$6'
18	BROKEN_mips64= fails to compile: opcode not supported on this processor: mips3 (mips3) 'madd $4,$5'	22	BROKEN_mips64= fails to compile: opcode not supported on this processor: mips3 (mips3) 'madd $4,$5'
19		23
Lines 24-35 Link Here
24	USE_LDCONFIG= yes	28	USE_LDCONFIG= yes
25	WRKSRC= ${WRKDIR}/FreeImage	29	WRKSRC= ${WRKDIR}/FreeImage
26	MAKE_ARGS= CC="${CC}" CPP="${CPP}" CXX="${CXX}"	30	MAKE_ARGS= CC="${CC}" CPP="${CPP}" CXX="${CXX}"
		31	CFLAGS+= -DPNG_ARM_NEON_OPT=0 -fexceptions -fvisibility=hidden -fPIC
27		32
28	CFLAGS+= -DPNG_ARM_NEON_OPT=0 -fexceptions -fvisibility=hidden
29	CFLAGS_aarch64= -fPIC
30	CFLAGS_amd64= -fPIC
31	CFLAGS_armv7= -fPIC
32
33	PLIST_FILES= include/FreeImage.h \	33	PLIST_FILES= include/FreeImage.h \
34	include/FreeImagePlus.h \	34	include/FreeImagePlus.h \
35	lib/libfreeimage.a \	35	lib/libfreeimage.a \
Lines 41-52 Link Here
41	lib/libfreeimageplus.so.3 \	41	lib/libfreeimageplus.so.3 \
42	lib/libfreeimageplus.so	42	lib/libfreeimageplus.so
43		43
44	.include <bsd.port.options.mk>
45
46	.if ${ARCH} == amd64 \|\| ${ARCH} == powerpc \|\| ${ARCH} == powerpc64 \|\| ${ARCH} == sparc64
47	USES+= compiler:c++0x
48	.endif
49
50	post-patch:	44	post-patch:
51	@${REINPLACE_CMD} -e 's\|/usr\|${PREFIX}\| ; s\|-o root -g root \|\|' \	45	@${REINPLACE_CMD} -e 's\|/usr\|${PREFIX}\| ; s\|-o root -g root \|\|' \
52	${WRKSRC}/Makefile.gnu ${WRKSRC}/Makefile.fip	46	${WRKSRC}/Makefile.gnu ${WRKSRC}/Makefile.fip

Lines 1-23 Link Here

(-)graphics/freeimage/files/patch-Source-FreeImage-PluginXPM.cpp (-23 lines)
1	--- Source/FreeImage/PluginXPM.cpp.orig 2013-11-29 19:29:14 UTC
2	+++ Source/FreeImage/PluginXPM.cpp
3	@@ -181,6 +181,11 @@ Load(FreeImageIO *io, fi_handle handle,
4	}
5	free(str);
6
7	+ // check info string
8	+ if((width <= 0) \|\| (height <= 0) \|\| (colors <= 0) \|\| (cpp <= 0)) {
9	+ throw "Improperly formed info string";
10	+ }
11	+
12	if (colors > 256) {
13	dib = FreeImage_AllocateHeader(header_only, width, height, 24, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
14	} else {
15	@@ -193,7 +198,7 @@ Load(FreeImageIO *io, fi_handle handle,
16	FILE_RGBA rgba;
17
18	str = ReadString(io, handle);
19	- if(!str)
20	+ if(!str \|\| (strlen(str) < (size_t)cpp))
21	throw "Error reading color strings";
22
23	std::string chrs(str,cpp); //create a string for the color chars using the first cpp chars

Lines 1-129 Link Here

(-)graphics/freeimage/files/patch-integer_overflow (-129 lines)
1	CVE-2015-0852
2
3	Description: fix integer overflow
4	Origin: upstream
5	http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.17&r2=1.18&pathrev=MAIN
6	http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.18&r2=1.19&pathrev=MAIN
7	Bug-Debian: https://bugs.debian.org/797165
8	Last-Update: 2015-09-14
9	---
10	This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
11	Index: freeimage/Source/FreeImage/PluginPCX.cpp
12	===================================================================
13	--- freeimage.orig/Source/FreeImage/PluginPCX.cpp
14	+++ Source/FreeImage/PluginPCX.cpp
15	@@ -347,12 +347,14 @@ Load(FreeImageIO *io, fi_handle handle,
16
17	try {
18	// check PCX identifier
19	-
20	- long start_pos = io->tell_proc(handle);
21	- BOOL validated = pcx_validate(io, handle);
22	- io->seek_proc(handle, start_pos, SEEK_SET);
23	- if(!validated) {
24	- throw FI_MSG_ERROR_MAGIC_NUMBER;
25	+ // (note: should have been already validated using FreeImage_GetFileType but check again)
26	+ {
27	+ long start_pos = io->tell_proc(handle);
28	+ BOOL validated = pcx_validate(io, handle);
29	+ io->seek_proc(handle, start_pos, SEEK_SET);
30	+ if(!validated) {
31	+ throw FI_MSG_ERROR_MAGIC_NUMBER;
32	+ }
33	}
34
35	// process the header
36	@@ -366,20 +368,38 @@ Load(FreeImageIO *io, fi_handle handle,
37	SwapHeader(&header);
38	#endif
39
40	- // allocate a new DIB
41	+ // process the window
42	+ const WORD *window = header.window; // left, upper, right,lower pixel coord.
43	+ const int left = window[0];
44	+ const int top = window[1];
45	+ const int right = window[2];
46	+ const int bottom = window[3];
47
48	- unsigned width = header.window[2] - header.window[0] + 1;
49	- unsigned height = header.window[3] - header.window[1] + 1;
50	- unsigned bitcount = header.bpp * header.planes;
51	-
52	- if (bitcount == 24) {
53	- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
54	- } else {
55	- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
56	+ // check image size
57	+ if((left >= right) \|\| (top >= bottom)) {
58	+ throw FI_MSG_ERROR_PARSING;
59	}
60
61	- // if the dib couldn't be allocated, throw an error
62	+ const unsigned width = right - left + 1;
63	+ const unsigned height = bottom - top + 1;
64	+ const unsigned bitcount = header.bpp * header.planes;
65	+
66	+ // allocate a new DIB
67	+ switch(bitcount) {
68	+ case 1:
69	+ case 4:
70	+ case 8:
71	+ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
72	+ break;
73	+ case 24:
74	+ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
75	+ break;
76	+ default:
77	+ throw FI_MSG_ERROR_DIB_MEMORY;
78	+ break;
79	+ }
80
81	+ // if the dib couldn't be allocated, throw an error
82	if (!dib) {
83	throw FI_MSG_ERROR_DIB_MEMORY;
84	}
85	@@ -426,19 +446,23 @@ Load(FreeImageIO *io, fi_handle handle,
86
87	if (palette_id == 0x0C) {
88	BYTE cmap = (BYTE)malloc(768 * sizeof(BYTE));
89	- io->read_proc(cmap, 768, 1, handle);
90
91	- pal = FreeImage_GetPalette(dib);
92	- BYTE *pColormap = &cmap[0];
93	+ if(cmap) {
94	+ io->read_proc(cmap, 768, 1, handle);
95
96	- for(int i = 0; i < 256; i++) {
97	- pal[i].rgbRed = pColormap[0];
98	- pal[i].rgbGreen = pColormap[1];
99	- pal[i].rgbBlue = pColormap[2];
100	- pColormap += 3;
101	+ pal = FreeImage_GetPalette(dib);
102	+ BYTE *pColormap = &cmap[0];
103	+
104	+ for(int i = 0; i < 256; i++) {
105	+ pal[i].rgbRed = pColormap[0];
106	+ pal[i].rgbGreen = pColormap[1];
107	+ pal[i].rgbBlue = pColormap[2];
108	+ pColormap += 3;
109	+ }
110	+
111	+ free(cmap);
112	}
113
114	- free(cmap);
115	}
116
117	// wrong palette ID, perhaps a gray scale is needed ?
118	@@ -466,9 +490,9 @@ Load(FreeImageIO *io, fi_handle handle,
119	// calculate the line length for the PCX and the DIB
120
121	// length of raster line in bytes
122	- unsigned linelength = header.bytes_per_line * header.planes;
123	+ const unsigned linelength = header.bytes_per_line * header.planes;
124	// length of DIB line (rounded to DWORD) in bytes
125	- unsigned pitch = FreeImage_GetPitch(dib);
126	+ const unsigned pitch = FreeImage_GetPitch(dib);
127
128	// run-length encoding ?
129

Lines 1-34 Link Here

(-)graphics/freeimage/files/patch-integer_overflow_ljpeg_start (-34 lines)
1	Description: Fix integer overflow in the ljpeg_start function in dcraw
2	Author: Alex Tutubalin <lexa@lexa.ru>
3	Bug-Debian: https://bugs.debian.org/786790
4	Origin: https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
5	https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
6	Bug: https://security-tracker.debian.org/tracker/CVE-2015-3885
7	Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
8	Reviewed-By: Anton Gladky <gladk@debian.org>
9	Last-Update: 2015-10-29
10
11	--- freeimage-3.15.4.orig/Source/LibRawLite/dcraw/dcraw.c
12	+++ Source/LibRawLite/dcraw/dcraw.c
13	@@ -768,7 +768,8 @@ struct jhead {
14
15	int CLASS ljpeg_start (struct jhead *jh, int info_only)
16	{
17	- int c, tag, len;
18	+ int c, tag;
19	+ ushort len;
20	uchar data[0x10000];
21	const uchar *dp;
22
23	--- freeimage-3.15.4.orig/Source/LibRawLite/internal/dcraw_common.cpp
24	+++ Source/LibRawLite/internal/dcraw_common.cpp
25	@@ -630,7 +630,8 @@ void CLASS canon_compressed_load_raw()
26
27	int CLASS ljpeg_start (struct jhead *jh, int info_only)
28	{
29	- int c, tag, len;
30	+ int c, tag;
31	+ ushort len;
32	uchar data[0x10000];
33	const uchar *dp;
34