Description: Fix integer overflow in the ljpeg_start function in dcraw
Author: Alex Tutubalin <lexa@lexa.ru>
Bug-Debian: https://bugs.debian.org/786790
Origin: https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
	https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
Bug: https://security-tracker.debian.org/tracker/CVE-2015-3885
Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
Reviewed-By: Anton Gladky <gladk@debian.org>
Last-Update: 2015-10-29

--- freeimage-3.15.4.orig/Source/LibRawLite/dcraw/dcraw.c
+++ Source/LibRawLite/dcraw/dcraw.c
@@ -768,7 +768,8 @@ struct jhead {

 int CLASS ljpeg_start (struct jhead *jh, int info_only)
 {
-  int c, tag, len;
+  int c, tag;
+  ushort len;
   uchar data[0x10000];
   const uchar *dp;

--- freeimage-3.15.4.orig/Source/LibRawLite/internal/dcraw_common.cpp
+++ Source/LibRawLite/internal/dcraw_common.cpp
@@ -630,7 +630,8 @@ void CLASS canon_compressed_load_raw()

 int CLASS ljpeg_start (struct jhead *jh, int info_only)
 {
-  int c, tag, len;
+  int c, tag;
+  ushort len;
   uchar data[0x10000];
   const uchar *dp;

