From: Luciano Bello
Date: Mon, 21 Aug 2017 12:45:31 -0400
Subject: Fix for CVE-2017-6886 and CVE-2017-6887
Origin: https://github.com/LibRaw/LibRaw/commit/d7c3d2cb460be10a3ea7b32e9443a83c243b2251
CVE: CVE-2017-6886, CVE-2017-6887
---
diff -rup LibRaw-0.17.2.orig/dcraw/dcraw.c LibRaw-0.17.2/dcraw/dcraw.c
--- LibRaw-0.17.2.orig/dcraw/dcraw.c 2016-05-10 21:40:17.000000000 +0000
+++ LibRaw-0.17.2/dcraw/dcraw.c 2017-09-05 10:23:42.100698094 +0000
@@ -5837,7 +5837,12 @@ int CLASS parse_tiff_ifd (int base)
 if (!strcmp(model,"DSLR-A100") && tiff_ifd[ifd].width == 3872) {
 load_raw = &CLASS sony_arw_load_raw;
 data_offset = get4()+base;
- ifd++; break;
+ ifd++;
+#ifdef LIBRAW_LIBRARY_BUILD
+ if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0])
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
+ break;
 }
 while (len--) {
 i = ftell(ifp);
@@ -6001,7 +6006,7 @@ int CLASS parse_tiff_ifd (int base)
 break;
 case 50454: /* Sinar tag */
 case 50455:
- if (!(cbuf = (char *) malloc(len))) break;
+ if (len < 1 || len > 2560000 || !(cbuf = (char *) malloc(len))) break;
 fread (cbuf, 1, len, ifp);
 for (cp = cbuf-1; cp && cp < cbuf+len; cp = strchr(cp,'\n'))
 if (!strncmp (++cp,"Neutral ",8))
@@ -6760,7 +6765,11 @@ int CLASS parse_jpeg (int offset)
 }
 order = get2();
 hlen = get4();
- if (get4() == 0x48454150) /* "HEAP" */
+ if (get4() == 0x48454150
+#ifdef LIBRAW_LIBRARY_BUILD
+ && (save+hlen) >= 0 && (save+hlen)<=ifp->size()
+#endif
+ ) /* "HEAP" */
 parse_ciff (save+hlen, len-hlen, 0);
 if (parse_tiff (save+6)) apply_tiff();
 fseek (ifp, save+len, SEEK_SET);
diff -rup LibRaw-0.17.2.orig/internal/dcraw_common.cpp LibRaw-0.17.2/internal/dcraw_common.cpp
--- LibRaw-0.17.2.orig/internal/dcraw_common.cpp 2016-05-14 06:55:03.000000000 +0000
+++ LibRaw-0.17.2/internal/dcraw_common.cpp 2017-09-05 10:23:42.104031489 +0000
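Review bot: The new bound check on `ifd` is compiled only under `LIBRAW_LIBRARY_BUILD`, so the standalone dcraw.c build still increments `ifd` past the end of `tiff_ifd` with no guard; the same gap exists in the dcraw_common.cpp hunk at -9060 and in the `save+hlen` range check of both parse_jpeg hunks. If `throw` is not available outside the library build, an unconditional `if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0]) return 1;` (or whatever failure value parse_tiff_ifd's callers expect — the function starts and ends outside the hunk) would protect both builds. The comparison also mixes `ifd` with a `size_t` quotient; if `ifd` is a signed `int`, as its use as an index suggests, `-Wsign-compare` will warn and a `(size_t)ifd` cast makes the intent explicit.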
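Review bot: The new `len` bound keeps the allocation sane, but the scan that follows still runs `strchr` over a buffer that is never NUL-terminated: `cbuf` holds exactly `len` bytes from `fread` and no terminator, so when the last segment contains no `'\n'` the search reads past `cbuf+len`, and a short `fread` (its return value is unchecked) leaves uninitialized bytes in the scanned range. Allocating one extra byte and terminating at the actual read length closes both, e.g. `if (len < 1 || len > 2560000 || !(cbuf = (char *) malloc(len+1))) break;` followed by `cbuf[fread (cbuf, 1, len, ifp)] = 0;`. The `cp = cbuf-1` starting point is pointer arithmetic before the object, which is undefined behavior in C even though only `++cp` is ever dereferenced. The `2560000` cap is unexplained; a named constant with a comment on where the limit comes from would help the next reader. The dcraw_common.cpp hunk at -9312 has the same issues, and its library-build read path is in an `#else` branch outside the hunk, so it needs the same terminator treatment there.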
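Review bot: The new range check bounds only the start of the CIFF block, `save+hlen`, not its extent: `parse_ciff` is still handed `len-hlen`, which goes negative or wraps when `hlen > len`, and `save+hlen` can itself overflow before the `>= 0` test if `hlen` is a large 32-bit value from `get4()` (the operand types are not visible in the hunk). Extending the same condition with `&& hlen <= len && (save+len) <= ifp->size()` would cover the whole block, and `<=` on the start offset could be `<`, since an offset equal to the file size leaves nothing to parse. As with the `ifd` check, this guard exists only under `LIBRAW_LIBRARY_BUILD`, so the standalone build remains unchecked; the dcraw_common.cpp hunk at -10379 has the same shape.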
@@ -9060,7 +9060,12 @@ int CLASS parse_tiff_ifd (int base)
 if (!strcmp(model,"DSLR-A100") && tiff_ifd[ifd].t_width == 3872) {
 load_raw = &CLASS sony_arw_load_raw;
 data_offset = get4()+base;
- ifd++; break;
+ ifd++;
+#ifdef LIBRAW_LIBRARY_BUILD
+ if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0])
+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
+ break;
 }
 #ifdef LIBRAW_LIBRARY_BUILD
 if (!strncmp(make,"Hasselblad",10) && libraw_internal_data.unpacker_data.hasselblad_parser_flag) {
@@ -9312,7 +9317,7 @@ int CLASS parse_tiff_ifd (int base)
 break;
 case 50454: /* Sinar tag */
 case 50455:
- if (!(cbuf = (char *) malloc(len))) break;
+ if (len < 1 || len > 2560000 || !(cbuf = (char *) malloc(len))) break;
 #ifndef LIBRAW_LIBRARY_BUILD
 fread (cbuf, 1, len, ifp);
 #else
@@ -10379,7 +10384,11 @@ int CLASS parse_jpeg (int offset)
 }
 order = get2();
 hlen = get4();
- if (get4() == 0x48454150) /* "HEAP" */
+ if (get4() == 0x48454150
+#ifdef LIBRAW_LIBRARY_BUILD
+ && (save+hlen) >= 0 && (save+hlen)<=ifp->size()
+#endif
+ ) /* "HEAP" */
 {
 #ifdef LIBRAW_LIBRARY_BUILD
 imgdata.lens.makernotes.CameraMount = LIBRAW_MOUNT_FixedLens;
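Review bot: In this version the range check gates the whole `{` block that follows the HEAP signature, not just the CIFF parse, so a file whose signature matches but whose `save+hlen` is out of range now also skips `imgdata.lens.makernotes.CameraMount = LIBRAW_MOUNT_FixedLens;` and whatever else the block does — its body continues past the end of the hunk. If that is intended, a one-line comment such as `/* out-of-range HEAP offset: treat the whole CIFF block as absent */` above the `if` would record the decision; otherwise keep only the signature test on the `if` and apply the offset check inside the block around the parse call (presumably `parse_ciff`, as in dcraw.c) so the lens metadata is still recorded.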