Add new comment

LibRaw 0.18.13 (update: was 0.18.3...0.18.12)

LibRaw 0.18.13 released and available on both download page and on Github repository.

This is bugfix release, changes are (compared to 0.18.2):

  • changed wrong fix for Canon D30 white balance
  • fixed possible stack overrun while reading zero-sized strings
  • fixed possible integer overflow
  • Secunia Advisory SA83507, credits Kasper Leigh Haabb, Secunia Research at Flexera
    • parse_qt: possible integer overflow
    • reject broken/crafted NOKIARAW files
    • Backported 0.19-patch to recover read position if TIFF/EXIF tag is too long
  • Secunia Advisory SA83050: possible infinite loop in parse_minolta()
  • Fixed stack overrun in kodak_radc_load_raw
  • restored static for utf2char() lost in previous bugfix
  • Fixed possible div by zero in EOS D30 WB data parse
  • packed_load_raw(): EOF check on each row
  • Exceptions was not caught in x3f_new_from_file resulting in x3f handle leak
  • CVE-2018-10529 fixed: out of bounds read in X3F parser
  • CVE-2018-10528 fixed: possible stack overrun in X3F parser
  • samsung_load_raw: possible buffer overrun
  • rollei_load_raw: possible buffer overrun
  • nikon_coolscan_load_raw: possible buffer overrun, possible NULL pointer
  • find_green: possible stack overrun
  • parse_exif: possible stack overrun
  • leaf_hdr_load_raw: check for image pointer for demosaiced raw
  • NOKIARAW parser: check image dimensions readed from file
  • quicktake_100_load_raw: check width/height limits
  • All legacy (RGB raw) image loaders checks for imgdata.image is not NULL
  • kodak_radc_load_raw: check image size before processing
  • legacy memory allocator: allocate max(widh,raw_width)*max(height,raw_height)
  • Fixed fuji_width handling if file is neither fuji nor DNG
  • Fixed xtrans interpolate for broken xtrans pattern
  • Fixed panasonic decoder
  • Fix for possible buffer overrun in kodak_65000 decoder
  • Fix for possible heap overrun in Canon makernotes parser
  • Fix for CVE-2017-13735
  • CVE-2017-14265: Additional check for X-Trans CFA pattern data
Please note: fixed bugs do not affect real from-camera files processing, you need to feed LibRaw by specially crafted files (e.g. run online service that accepts any file) to be affected by these problems.