Fix included dcraw vulnability.

Fix integer overflow in PluginPCX.cpp. [1] Add dcraw files to dos2unix so patching is easier. Obtained from: Debian freeimage package (both patches) Security: 33459061-a1d6-11e5-8794-bcaec565249c [1]
svn path=/head/; revision=403688
2015-12-13 20:26:24 +00:00 · 2015-12-13 20:26:24 +00:00 · 1efaab2644 · 2021-03-31 03:12:20 +00:00
commit 1efaab2644
parent 3970d847b0
3 changed files with 167 additions and 1 deletions
--- a/graphics/freeimage/Makefile
+++ b/graphics/freeimage/Makefile
@ -3,6 +3,7 @@

 PORTNAME=	freeimage
 PORTVERSION=	3.16.0
+PORTREVISION=	1
 # Version 3.17.0 is available, but does not build on i386 (and probably
 # other 32-bit arches) without some not-quite-trivial patching.  If one
 # decides to update the port, please make sure 32-bit builds are tested!
@ -14,7 +15,9 @@ MAINTAINER=	ports@FreeBSD.org
 COMMENT=	Simple C/C++ bitmap graphics library

 USES=		dos2unix gmake zip
-DOS2UNIX_FILES=	Source/LibOpenJPEG/opj_malloc.h
+DOS2UNIX_FILES=	Source/LibOpenJPEG/opj_malloc.h \
+		Source/LibRawLite/dcraw/dcraw.c \
+		Source/LibRawLite/internal/dcraw_common.cpp
 USE_LDCONFIG=	yes
 WRKSRC=		${WRKDIR}/FreeImage
 MAKE_ARGS=	CC="${CC}" CPP="${CPP}" CXX="${CXX}"
--- a/graphics/freeimage/files/patch-integer_overflow
+++ b/graphics/freeimage/files/patch-integer_overflow
@ -0,0 +1,129 @@
+CVE-2015-0852
+
+Description: fix integer overflow
+Origin: upstream
+ http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.17&r2=1.18&pathrev=MAIN
+ http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.18&r2=1.19&pathrev=MAIN
+Bug-Debian: https://bugs.debian.org/797165
+Last-Update: 2015-09-14
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: freeimage/Source/FreeImage/PluginPCX.cpp
+===================================================================
+--- freeimage.orig/Source/FreeImage/PluginPCX.cpp
+++ Source/FreeImage/PluginPCX.cpp
+@@ -347,12 +347,14 @@ Load(FreeImageIO *io, fi_handle handle,
+ 
+ 	try {
+ 		// check PCX identifier
+-
+-		long start_pos = io->tell_proc(handle);
+-		BOOL validated = pcx_validate(io, handle);		
+-		io->seek_proc(handle, start_pos, SEEK_SET);
+-		if(!validated) {
+-			throw FI_MSG_ERROR_MAGIC_NUMBER;
+		// (note: should have been already validated using FreeImage_GetFileType but check again)
+		{
+			long start_pos = io->tell_proc(handle);
+			BOOL validated = pcx_validate(io, handle);
+			io->seek_proc(handle, start_pos, SEEK_SET);
+			if(!validated) {
+				throw FI_MSG_ERROR_MAGIC_NUMBER;
+			}
+ 		}
+ 
+ 		// process the header
+@@ -366,20 +368,38 @@ Load(FreeImageIO *io, fi_handle handle,
+ 		SwapHeader(&header);
+ #endif
+ 
+-		// allocate a new DIB
+		// process the window
+		const WORD *window = header.window;	// left, upper, right,lower pixel coord.
+		const int left		= window[0];
+		const int top		= window[1];
+		const int right		= window[2];
+		const int bottom	= window[3];
+ 
+-		unsigned width = header.window[2] - header.window[0] + 1;
+-		unsigned height = header.window[3] - header.window[1] + 1;
+-		unsigned bitcount = header.bpp * header.planes;
+-
+-		if (bitcount == 24) {
+-			dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
+-		} else {
+-			dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);			
+		// check image size
+		if((left >= right) || (top >= bottom)) {
+			throw FI_MSG_ERROR_PARSING;
+ 		}
+ 
+-		// if the dib couldn't be allocated, throw an error
+		const unsigned width = right - left + 1;
+		const unsigned height = bottom - top + 1;
+		const unsigned bitcount = header.bpp * header.planes;
+
+		// allocate a new DIB
+		switch(bitcount) {
+			case 1:
+			case 4:
+			case 8:
+				dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
+				break;
+			case 24:
+				dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
+				break;
+			default:
+				throw FI_MSG_ERROR_DIB_MEMORY;
+				break;
+		}
+ 
+		// if the dib couldn't be allocated, throw an error
+ 		if (!dib) {
+ 			throw FI_MSG_ERROR_DIB_MEMORY;
+ 		}
+@@ -426,19 +446,23 @@ Load(FreeImageIO *io, fi_handle handle,
+ 
+ 				if (palette_id == 0x0C) {
+ 					BYTE *cmap = (BYTE*)malloc(768 * sizeof(BYTE));
+-					io->read_proc(cmap, 768, 1, handle);
+ 
+-					pal = FreeImage_GetPalette(dib);
+-					BYTE *pColormap = &cmap[0];
+					if(cmap) {
+						io->read_proc(cmap, 768, 1, handle);
+ 
+-					for(int i = 0; i < 256; i++) {
+-						pal[i].rgbRed   = pColormap[0];
+-						pal[i].rgbGreen = pColormap[1];
+-						pal[i].rgbBlue  = pColormap[2];
+-						pColormap += 3;
+						pal = FreeImage_GetPalette(dib);
+						BYTE *pColormap = &cmap[0];
+
+						for(int i = 0; i < 256; i++) {
+							pal[i].rgbRed   = pColormap[0];
+							pal[i].rgbGreen = pColormap[1];
+							pal[i].rgbBlue  = pColormap[2];
+							pColormap += 3;
+						}
+
+						free(cmap);
+ 					}
+ 
+-					free(cmap);
+ 				}
+ 
+ 				// wrong palette ID, perhaps a gray scale is needed ?
+@@ -466,9 +490,9 @@ Load(FreeImageIO *io, fi_handle handle,
+ 		// calculate the line length for the PCX and the DIB
+ 
+ 		// length of raster line in bytes
+-		unsigned linelength = header.bytes_per_line * header.planes;
+		const unsigned linelength = header.bytes_per_line * header.planes;
+ 		// length of DIB line (rounded to DWORD) in bytes
+-		unsigned pitch = FreeImage_GetPitch(dib);
+		const unsigned pitch = FreeImage_GetPitch(dib);
+ 
+ 		// run-length encoding ?
+ 
--- a/graphics/freeimage/files/patch-integer_overflow_ljpeg_start
+++ b/graphics/freeimage/files/patch-integer_overflow_ljpeg_start
@ -0,0 +1,34 @@
+Description: Fix integer overflow in the ljpeg_start function in dcraw
+Author: Alex Tutubalin <lexa@lexa.ru>
+Bug-Debian: https://bugs.debian.org/786790
+Origin: https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
+	https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
+Bug: https://security-tracker.debian.org/tracker/CVE-2015-3885
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
+Reviewed-By: Anton Gladky <gladk@debian.org>
+Last-Update: 2015-10-29
+
+--- freeimage-3.15.4.orig/Source/LibRawLite/dcraw/dcraw.c
+++ Source/LibRawLite/dcraw/dcraw.c
+@@ -768,7 +768,8 @@ struct jhead {
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
+  int c, tag;
+  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+
+--- freeimage-3.15.4.orig/Source/LibRawLite/internal/dcraw_common.cpp
+++ Source/LibRawLite/internal/dcraw_common.cpp
+@@ -630,7 +630,8 @@ void CLASS canon_compressed_load_raw()
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
+  int c, tag;
+  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+