1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
Description: stack-based buffer overflow bug
Bug-Debian: https://bugs.debian.org/890086
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-19655
Author: Filip Hroch <hroch@physics.muni.cz>
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2018-12-02
--- a/dcraw.cc
+++ b/dcraw.cc
@@ -8505,9 +8505,15 @@ float CLASS find_green (int bps, int bit
{
UINT64 bitbuf=0;
int vbits, col, i, c;
- ushort img[2][2064];
+ ushort *img;
double sum[]={0,0};
+#define IMG2D(row,col) \
+ img[(row)*width+(col)]
+
+ img = (ushort *) malloc(2*width*sizeof(ushort));
+ merror (img, "find_green()");
+
FORC(2) {
fseek (ifp, c ? off1:off0, SEEK_SET);
for (vbits=col=0; col < width; col++) {
@@ -8516,13 +8522,14 @@ float CLASS find_green (int bps, int bit
for (i=0; i < bite; i+=8)
bitbuf |= (unsigned) (fgetc(ifp) << i);
}
- img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps);
+ IMG2D(c,col) = bitbuf << (64-bps-vbits) >> (64-bps);
}
}
FORC(width-1) {
- sum[ c & 1] += ABS(img[0][c]-img[1][c+1]);
- sum[~c & 1] += ABS(img[1][c]-img[0][c+1]);
+ sum[ c & 1] += ABS(IMG2D(0,c)-IMG2D(1,c+1));
+ sum[~c & 1] += ABS(IMG2D(1,c)-IMG2D(0,c+1));
}
+ free(img);
return 100 * log(sum[0]/sum[1]);
}
|
