Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openexr.16838 for openSUSE:Leap:15.2:Update checked in at 2021-08-25 21:51:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2:Update/openexr.16838 (Old) and /work/SRC/openSUSE:Leap:15.2:Update/.openexr.16838.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openexr.16838" Wed Aug 25 21:51:43 2021 rev:1 rq:913324 version:2.2.1 Changes: -------- New Changes file: --- /dev/null 2021-07-22 10:06:18.349420535 +0200 +++ /work/SRC/openSUSE:Leap:15.2:Update/.openexr.16838.new.1899/openexr.changes 2021-08-25 21:51:50.612871818 +0200 @@ -0,0 +1,411 @@ +------------------------------------------------------------------- +Tue Aug 3 15:46:30 UTC 2021 - [email protected] + +- security update +- modified patches + % openexr-CVE-2021-3476.patch (refreshed) +- added patches + fix CVE-2021-20298 [bsc#1188460], Out-of-memory in B44Compressor + + openexr-CVE-2021-20298.patch + fix CVE-2021-20299 [bsc#1188459], Null-dereference READ in Imf_2_5:Header:operator + + openexr-CVE-2021-20299.patch + fix CVE-2021-20300 [bsc#1188458], Integer-overflow in Imf_2_5:hufUncompress + + openexr-CVE-2021-20300.patch + fix CVE-2021-20302 [bsc#1188462], Floating-point-exception in Imf_2_5:precalculateTileInfot + + openexr-CVE-2021-20302.patch + fix CVE-2021-20303 [bsc#1188457], Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer + + openexr-CVE-2021-20303.patch + fix CVE-2021-20304 [bsc#1188461], Undefined-shift in Imf_2_5:hufDecode + + openexr-CVE-2021-20304.patch + +------------------------------------------------------------------- +Wed Jun 16 12:28:09 UTC 2021 - [email protected] + +- security update +- added patches + fix CVE-2021-3605 [bsc#1187395], Heap buffer overflow in the rleUncompress function + + openexr-CVE-2021-3605.patch + +------------------------------------------------------------------- +Tue Jun 15 11:07:28 UTC 2021 - [email protected] + +- security update +- added patches + fix CVE-2021-3598 [bsc#1187310], Heap buffer overflow in Imf_3_1:CharPtrIO:readChars + + openexr-CVE-2021-3598.patch + +------------------------------------------------------------------- +Tue Apr 27 10:29:11 UTC 2021 - [email protected] + +- security update +- added patches + fix CVE-2021-23215 [bsc#1185216], Integer-overflow in Imf_2_5:DwaCompressor:initializeBuffers + fix CVE-2021-26260 [bsc#1185217], Integer-overflow in Imf_2_5:DwaCompressor:initializeBuffers + + openexr-CVE-2021-23215,26260.patch + +------------------------------------------------------------------- +Thu Apr 8 15:19:49 UTC 2021 - [email protected] + +- security update +- modified patches + % openexr-CVE-2021-3474.patch (splitted into openexr-CVE-2021-20296.patch) +- added patches + fix CVE-2021-20296 [bsc#1184355], Segv on unknown address in Imf_2_5:hufUncompress - Null Pointer dereference + + openexr-CVE-2021-20296.patch + fix CVE-2021-3477 [bsc#1184353], Heap-buffer-overflow in Imf_2_5::DeepTiledInputFile::readPixelSampleCounts + + openexr-CVE-2021-3477.patch + fix CVE-2021-3479 [bsc#1184354], Out-of-memory caused by allocation of a very large buffer + + openexr-CVE-2021-3479.patch + +------------------------------------------------------------------- +Wed Mar 31 15:37:36 UTC 2021 - [email protected] + +- security update +- added patches + fix CVE-2021-3474 [bsc#1184174], Undefined-shift in Imf_2_5::FastHufDecoder::FastHufDecoder + + openexr-CVE-2021-3474.patch + fix CVE-2021-3475 [bsc#1184173], Integer-overflow in Imf_2_5::calculateNumTiles + + openexr-CVE-2021-3475.patch + fix CVE-2021-3476 [bsc#1184172], Undefined-shift in Imf_2_5::unpack14 + + openexr-CVE-2021-3476.patch + +------------------------------------------------------------------- +Wed Dec 16 10:51:46 UTC 2020 - [email protected] + +- security update +- added patches + fix CVE-2020-16587, CVE-2020-16588, CVE-2020-16589 [bsc#1179879], multiple memory safety issues + + openexr-CVE-2020-16587.patch + + openexr-CVE-2020-16588.patch + + openexr-CVE-2020-16589.patch + +------------------------------------------------------------------- +Wed Jul 1 12:13:59 UTC 2020 - [email protected] + +- security update +- added patches + fix CVE-2020-15304 [bsc#1173466], NULL pointer dereference in TiledInputFile:TiledInputFile() + + openexr-CVE-2020-15304.patch + fix CVE-2020-15305 [bsc#1173467], use-after-free in DeepScanLineInputFile:DeepScanLineInputFile() + + openexr-CVE-2020-15305.patch + fix CVE-2020-15306 [bsc#1173469], invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() + + openexr-CVE-2020-15306.patch + +------------------------------------------------------------------- +Wed Apr 22 09:47:26 UTC 2020 - [email protected] + +- security update +- added patches + fix CVE-2020-11762 [bsc#1169549], out-of-bounds read and write in DwaCompressor:uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case + fix CVE-2020-11758 [bsc#1169573], out-of-bounds read in ImfOptimizedPixelReading.h. + fix CVE-2020-11764 [bsc#1169574], out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp + fix CVE-2020-11765 [bsc#1169575], off-by-one error in use of the ImfXdr.h read function by DwaCompressor:Classifier:Classifier + fix CVE-2020-11763 [bsc#1169576], out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp + fix CVE-2020-11761 [bsc#1169578], out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder:refill in ImfFastHuf.cpp + fix CVE-2020-11760 [bsc#1169580], out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp + + openexr-CVE-2020-11762,11758,11764,11765,11763,11761,11760.patch + +------------------------------------------------------------------- +Fri Sep 20 12:38:43 UTC 2019 - [email protected] + +- testsuite only for x86_64 [bsc#1146648] + +------------------------------------------------------------------- +Fri Sep 20 11:49:43 UTC 2019 - [email protected] + +- on behalf of Martin Pluskal: +- Enable tests on architectures with enough memory - boo#1146648 + * disable imffuzztest as it takes to much resources + +------------------------------------------------------------------- +Mon Jul 15 14:06:53 UTC 2019 - [email protected] + +- security update +- added patches + CVE-2017-14988 [bsc#1061305] + + openexr-CVE-2017-14988.patch + +------------------------------------------------------------------- +Fri Jun 14 19:50:35 UTC 2019 - [email protected] + +- security update +- added patches + CVE-2017-9111 [bsc#1040109], CVE-2017-9113 [bsc#1040113], CVE-2017-9115 [bsc#1040115] + + openexr-CVE-2017-9111,9113,9115.patch + +------------------------------------------------------------------- +Wed Nov 7 10:54:22 UTC 2018 - Petr Gajdos <[email protected]> + +- security update + * CVE-2018-18444 [bsc#1113455] + + openexr-CVE-2018-18444.patch + +------------------------------------------------------------------- +Tue Nov 6 13:35:33 UTC 2018 - Petr Gajdos <[email protected]> + +- asan_build: build ASAN included +- debug_build: build more suitable for debugging + +------------------------------------------------------------------- +Mon Jan 15 05:19:19 UTC 2018 - [email protected] + +- Update to 2.2.1 + * Fix reported OpenEXR security vulnerabilities: CVE-2017-9110, + CVE-2017-9111, CVE-2017-9112, CVE-2017-9113, CVE-2017-9114, + CVE-2017-9115 and CVE-2017-9116 +- [email protected]: but really seem to fix only: + CVE-2017-9110 [bsc#1040107], CVE-2017-9114 [bsc#1040114], + CVE-2017-9116 [bsc#1040116], CVE-2017-12596 [bsc#1052522]; for + the rest of issues see [bsc#1040109], [bsc#1040112], + [bsc#1040113], [bsc#1040114], [bsc#1040115], and [bsc#1061305] + +------------------------------------------------------------------- +Wed Jul 12 09:22:22 UTC 2017 - [email protected] + +- Cleanup a bit with spec-cleaner + +------------------------------------------------------------------- +Thu Jan 29 09:50:21 UTC 2015 - [email protected] + +- Update to 2.2.0 + * DreamWorks Lossy Compression A new high quality, high performance lossy + compression codec contributed by DreamWorks Animation. This codec allows + control over variable lossiness to balance visual quality and file size. + This contribution also includes performance improvements that speed up + the PIZ codec. + * IlmImfUtil A new library intended to aid in development of image file + manipulation utilities that support the many types of OpenEXR images. + * This release also includes improvements to cross-platform build support + using CMake. +- Bumped the soname, and now we have libIlmImf and libIlmImfUtil +- Removed openexr-2.1.0-headers.patch +- Updated openexr.keyring from the savannah project page. + +------------------------------------------------------------------- +Tue Aug 26 11:21:47 UTC 2014 - [email protected] + +- Add obsoletes to baselibs.conf. + +------------------------------------------------------------------- +Thu Apr 24 09:54:12 UTC 2014 - [email protected] + +- remove dependency on gpg-offline (blocks rebuilds and + tarball integrity is checked by source-validator anyway) + +------------------------------------------------------------------- +Thu Nov 28 10:22:05 UTC 2013 - [email protected] + ++++ 214 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.2:Update/.openexr.16838.new.1899/openexr.changes New: ---- baselibs.conf openexr-2.2.1.tar.gz openexr-2.2.1.tar.gz.sig openexr-CVE-2017-14988.patch openexr-CVE-2017-9111,9113,9115.patch openexr-CVE-2018-18444.patch openexr-CVE-2020-11762,11758,11764,11765,11763,11761,11760.patch openexr-CVE-2020-15304.patch openexr-CVE-2020-15305.patch openexr-CVE-2020-15306.patch openexr-CVE-2020-16587.patch openexr-CVE-2020-16588.patch openexr-CVE-2020-16589.patch openexr-CVE-2021-20296.patch openexr-CVE-2021-20298.patch openexr-CVE-2021-20299.patch openexr-CVE-2021-20300.patch openexr-CVE-2021-20302.patch openexr-CVE-2021-20303.patch openexr-CVE-2021-20304.patch openexr-CVE-2021-23215,26260.patch openexr-CVE-2021-3474.patch openexr-CVE-2021-3475.patch openexr-CVE-2021-3476.patch openexr-CVE-2021-3477.patch openexr-CVE-2021-3479.patch openexr-CVE-2021-3598.patch openexr-CVE-2021-3605.patch openexr.changes openexr.keyring openexr.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openexr.spec ++++++ # # spec file for package openexr # # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # # perhaps you want to build against corresponding ilmbase build %define asan_build 0 %define debug_build 0 %define sonum 23 %global so_suffix -2_2-23 Name: openexr Version: 2.2.1 Release: 0 Summary: Utilities for work with HDR images in OpenEXR format License: BSD-3-Clause Group: Productivity/Graphics/Other Url: http://www.openexr.com/ Source0: http://download.savannah.nongnu.org/releases/%{name}/%{name}-%{version}.tar.gz Source1: http://download.savannah.nongnu.org/releases/%{name}/%{name}-%{version}.tar.gz.sig Source2: baselibs.conf Source3: openexr.keyring Patch0: openexr-CVE-2018-18444.patch # CVE-2017-9111 [bsc#1040109], CVE-2017-9113 [bsc#1040113], CVE-2017-9115 [bsc#1040115] Patch1: openexr-CVE-2017-9111,9113,9115.patch # CVE-2017-14988 [bsc#1061305] Patch2: openexr-CVE-2017-14988.patch # CVE-2020-11762 [bsc#1169549], out-of-bounds read and write in DwaCompressor:uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case|CVE-2020-11758 [bsc#1169573], out-of-bounds read in ImfOptimizedPixelReading.h.|CVE-2020-11764 [bsc#1169574], out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp|CVE-2020-11765 [bsc#1169575], off-by-one error in use of the ImfXdr.h read function by DwaCompressor:Classifier:Classifier|CVE-2020-11763 [bsc#1169576], out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp|CVE-2020-11761 [bsc#1169578], out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder:refill in ImfFastHuf.cpp|CVE-2020-11760 [bsc#1169580], out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp Patch3: openexr-CVE-2020-11762,11758,11764,11765,11763,11761,11760.patch # CVE-2020-15305 [bsc#1173467], use-after-free in DeepScanLineInputFile:DeepScanLineInputFile() Patch4: openexr-CVE-2020-15305.patch # CVE-2020-15306 [bsc#1173469], invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() Patch5: openexr-CVE-2020-15306.patch # CVE-2020-15304 [bsc#1173466], NULL pointer dereference in TiledInputFile:TiledInputFile() Patch6: openexr-CVE-2020-15304.patch # CVE-2020-16587 [bsc#1179879], multiple memory safety issues Patch7: openexr-CVE-2020-16587.patch Patch8: openexr-CVE-2020-16588.patch # CVE not found in bugzilla Patch9: openexr-CVE-2020-16589.patch # CVE-2021-3476 [bsc#1184172], Undefined-shift in Imf_2_5::unpack14 Patch10: openexr-CVE-2021-3476.patch # CVE-2021-3475 [bsc#1184173], Integer-overflow in Imf_2_5::calculateNumTiles Patch11: openexr-CVE-2021-3475.patch # CVE-2021-3474 [bsc#1184174], Undefined-shift in Imf_2_5::FastHufDecoder::FastHufDecoder Patch12: openexr-CVE-2021-3474.patch # CVE-2021-3477 [bsc#1184353], Heap-buffer-overflow in Imf_2_5::DeepTiledInputFile::readPixelSampleCounts Patch13: openexr-CVE-2021-3477.patch # CVE-2021-20296 [bsc#1184355], Segv on unknown address in Imf_2_5:hufUncompress - Null Pointer dereference Patch14: openexr-CVE-2021-20296.patch # CVE-2021-3479 [bsc#1184354], Out-of-memory caused by allocation of a very large buffer Patch15: openexr-CVE-2021-3479.patch # CVE-2021-23215 [bsc#1185216], Integer-overflow in Imf_2_5:DwaCompressor:initializeBuffers|CVE-2021-26260 [bsc#1185217], Integer-overflow in Imf_2_5:DwaCompressor:initializeBuffers Patch16: openexr-CVE-2021-23215,26260.patch # CVE-2021-3598 [bsc#1187310], Heap buffer overflow in Imf_3_1:CharPtrIO:readChars Patch17: openexr-CVE-2021-3598.patch # CVE-2021-3605 [bsc#1187395], Heap buffer overflow in the rleUncompress function Patch18: openexr-CVE-2021-3605.patch # CVE-2021-20300 [bsc#1188458], Integer-overflow in Imf_2_5:hufUncompress Patch19: openexr-CVE-2021-20300.patch # CVE-2021-20299 [bsc#1188459], Null-dereference READ in Imf_2_5:Header:operator Patch20: openexr-CVE-2021-20299.patch # CVE-2021-20304 [bsc#1188461], Undefined-shift in Imf_2_5:hufDecode Patch21: openexr-CVE-2021-20304.patch # CVE-2021-20302 [bsc#1188462], Floating-point-exception in Imf_2_5:precalculateTileInfot Patch22: openexr-CVE-2021-20302.patch # CVE-2021-20303 [bsc#1188457], Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer Patch23: openexr-CVE-2021-20303.patch # CVE-2021-20298 [bsc#1188460], Out-of-memory in B44Compressor Patch24: openexr-CVE-2021-20298.patch BuildRequires: automake BuildRequires: fltk-devel BuildRequires: freeglut-devel BuildRequires: gcc-c++ BuildRequires: pkgconfig BuildRequires: pkgconfig(IlmBase) >= 2.2.0 BuildRequires: pkgconfig(zlib) %if %{asan_build} || %{debug_build} BuildRequires: ilmbase-debugsource BuildRequires: libHalf%{sonum}-debuginfo BuildRequires: libIex%{so_suffix}-debuginfo BuildRequires: libIexMath%{so_suffix}-debuginfo BuildRequires: libIlmThread%{so_suffix}-debuginfo BuildRequires: libImath%{so_suffix}-debuginfo %endif Obsoletes: OpenEXR <= 1.6.1 Provides: OpenEXR = %{version} %description OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains a set of utilities to work with this format. * exrheader, a utility for dumping header information * exrstdattr, a utility for modifying OpenEXR standard attributes * exrmaketiled, for generating tiled and rip/mipmapped images * exrenvmap, for creating OpenEXR environment maps * exrmakepreview, for creating preview images for OpenEXR files * exr2aces, converter to ACES format * exrmultiview, combine two or more images into one multi-view %package -n libIlmImf%{so_suffix} Summary: Library to Handle EXR Pictures in 16-Bit Floating-Point Format Group: Development/Libraries/C and C++ %description -n libIlmImf%{so_suffix} OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains shared library libIlmImf %post -n libIlmImf%{so_suffix} -p /sbin/ldconfig %postun -n libIlmImf%{so_suffix} -p /sbin/ldconfig %files -n libIlmImf%{so_suffix} %doc COPYING %{_libdir}/libIlmImf-*.so.* %package -n libIlmImfUtil%{so_suffix} Summary: Library to simplify development of OpenEXR utilities Group: Development/Libraries/C and C++ %description -n libIlmImfUtil%{so_suffix} OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains shared library libIlmImfUtil %post -n libIlmImfUtil%{so_suffix} -p /sbin/ldconfig %postun -n libIlmImfUtil%{so_suffix} -p /sbin/ldconfig %files -n libIlmImfUtil%{so_suffix} %doc COPYING %{_libdir}/libIlmImfUtil-*.so.* %package devel Summary: Library to Handle EXR Pictures (16-bit floating-point format) Group: Development/Libraries/C and C++ Requires: libIlmImf%{so_suffix} = %{version} Requires: libIlmImfUtil%{so_suffix} = %{version} Requires: libilmbase-devel Requires: pkgconfig Requires: pkgconfig(zlib) Obsoletes: OpenEXR-devel <= 1.6.1 Provides: OpenEXR-devel = %{version} Obsoletes: libopenexr-devel <= 1.7.0 Provides: libopenexr-devel = %{version} %description devel OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains header files. %package doc Summary: Library to Handle EXR Pictures in 16-Bit Floating-Point Format Group: Development/Libraries/C and C++ Obsoletes: OpenEXR-doc <= 1.6.1 Provides: OpenEXR-doc = %{version} %description doc OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains a documentation %prep %setup -q %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 %patch12 -p1 %patch13 -p1 %patch14 -p1 %patch15 -p1 %patch16 -p1 %patch17 -p1 %patch18 -p1 %patch19 -p1 %patch20 -p1 %patch21 -p1 %patch22 -p1 %patch23 -p1 %patch24 -p1 # poor man's fdupes if cmp COPYING LICENSE; then rm -rf LICENSE ln -sf COPYING LICENSE fi # remove non-linux file rm README.OSX %build export PTHREAD_LIBS="-lpthread" %if %{debug_build} export CXXFLAGS="%{optflags} -O0" %endif %configure \ --disable-static \ --with-pic \ %if %{asan_build} --disable-ilmbasetest \ %endif --enable-large-stack \ --enable-imfexamples \ --enable-imfhugetest %if %{asan_build} vmemlimit=$(ulimit -v) if [ $vmemlimit != unlimited ]; then echo "ulimit -v has to be unlimited (currently $vmemlimit) to run ASAN build" exit 1 fi for i in $(find -name Makefile); do sed -i -e 's/\(^CXXFLAGS.*\)/\1 -fsanitize=address/' \ -e 's/\(^LIBS =.*\)/\1 -lasan/' \ $i done %endif make %{?_smp_mflags} %install %make_install find %{buildroot} -type f -name "*.la" -delete -print install -d -m 0755 %{buildroot}%{_defaultdocdir}/ mv %{buildroot}%{_datadir}/doc/OpenEXR-2* %{buildroot}%{_defaultdocdir}/%{name}-%{version} %check %ifarch x86_64 make %{?_smp_mflags} check %endif %files %doc AUTHORS ChangeLog COPYING LICENSE NEWS README* %{_bindir}/exrenvmap %{_bindir}/exrheader %{_bindir}/exrmakepreview %{_bindir}/exrmaketiled %{_bindir}/exrstdattr %{_bindir}/exrmultiview %{_bindir}/exrmultipart %files devel %{_includedir}/OpenEXR %{_libdir}/libIlmImf.so %{_libdir}/libIlmImfUtil.so %{_libdir}/pkgconfig/OpenEXR.pc %{_datadir}/aclocal/openexr.m4 %files doc %{_docdir}/%{name}-%{version} %changelog ++++++ baselibs.conf ++++++ libIlmImf-2_2-23 libIlmImfUtil-2_2-23 obsoletes "OpenEXR-<targettype> < <version>" ++++++ openexr-CVE-2017-14988.patch ++++++ --- a/IlmImf/ImfHeader.cpp +++ b/IlmImf/ImfHeader.cpp @@ -1185,6 +1185,11 @@ Header::readFrom (OPENEXR_IMF_INTERNAL_NAMESPACE::IStream &is, int &version) checkIsNullTerminated (typeName, "attribute type name"); OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, size); + if( size < 0 ) + { + throw IEX_NAMESPACE::InputExc("Invalid size field in header attribute"); + } + AttributeMap::iterator i = _map.find (name); if (i != _map.end()) ++++++ openexr-CVE-2017-9111,9113,9115.patch ++++++ Index: openexr-2.3.0/exrmakepreview/makePreview.cpp =================================================================== --- openexr-2.3.0.orig/exrmakepreview/makePreview.cpp 2018-08-10 03:35:00.000000000 +0200 +++ openexr-2.3.0/exrmakepreview/makePreview.cpp 2019-06-14 19:18:36.159142127 +0200 @@ -110,6 +110,9 @@ generatePreview (const char inFileName[] int h = dw.max.y - dw.min.y + 1; Array2D <Rgba> pixels (h, w); + if (INT_MAX / abs(w) < abs(dw.min.y) || + INT_MAX - abs(dw.min.x) < abs(dw.min.y * w)) + throw IEX_NAMESPACE::ArgExc ("Invalid data window in image header."); in.setFrameBuffer (&pixels[0][0] - dw.min.y * w - dw.min.x, 1, w); in.readPixels (dw.min.y, dw.max.y); Index: openexr-2.3.0/exrmaketiled/Image.h =================================================================== --- openexr-2.3.0.orig/exrmaketiled/Image.h 2018-08-10 03:35:00.000000000 +0200 +++ openexr-2.3.0/exrmaketiled/Image.h 2019-06-14 19:19:02.451287048 +0200 @@ -192,6 +192,9 @@ TypedImageChannel<T>::slice () const const IMATH_NAMESPACE::Box2i &dw = image().dataWindow(); int w = dw.max.x - dw.min.x + 1; + if (INT_MAX / abs(w) < abs(dw.min.y) || + INT_MAX - abs(dw.min.x) < abs(dw.min.y * w)) + throw IEX_NAMESPACE::ArgExc ("Invalid data window in image header."); return OPENEXR_IMF_INTERNAL_NAMESPACE::Slice (pixelType(), (char *) (&_pixels[0][0] - dw.min.y * w - dw.min.x), sizeof (T), ++++++ openexr-CVE-2018-18444.patch ++++++ Index: openexr-2.3.0/exrmultiview/Image.h =================================================================== --- openexr-2.3.0.orig/exrmultiview/Image.h 2018-08-10 03:35:00.000000000 +0200 +++ openexr-2.3.0/exrmultiview/Image.h 2018-11-07 09:07:48.072431858 +0100 @@ -227,7 +227,7 @@ template <class T> void TypedImageChannel<T>::black () { - memset(&_pixels[0][0],0,image().width()/_xSampling*image().height()/_ySampling*sizeof(T)); + memset(&_pixels[0][0],0,image().width()/_xSampling*(image().height()/_ySampling)*sizeof(T)); } ++++++ openexr-CVE-2020-11762,11758,11764,11765,11763,11761,11760.patch ++++++ ++++ 1039 lines (skipped) ++++++ openexr-CVE-2020-15304.patch ++++++ Index: openexr-2.2.1/IlmImf/ImfTiledInputFile.cpp =================================================================== --- openexr-2.2.1.orig/IlmImf/ImfTiledInputFile.cpp 2020-07-01 13:38:45.427112748 +0200 +++ openexr-2.2.1/IlmImf/ImfTiledInputFile.cpp 2020-07-01 13:41:05.028032935 +0200 @@ -807,7 +807,10 @@ TiledInputFile::TiledInputFile (OPENEXR_ { for (size_t i = 0; i < _data->tileBuffers.size(); i++) { - delete [] _data->tileBuffers[i]->buffer; + if( _data->tileBuffers[i]) + { + delete [] _data->tileBuffers[i]->buffer; + } } } if (streamDataCreated) delete _data->_streamData; @@ -849,11 +852,14 @@ TiledInputFile::TiledInputFile (const He { for (size_t i = 0; i < _data->tileBuffers.size(); i++) { - delete [] _data->tileBuffers[i]->buffer; + if( _data->tileBuffers[i]) + { + delete [] _data->tileBuffers[i]->buffer; + } } } delete _data->_streamData; - delete _data; + delete _data; throw; } } ++++++ openexr-CVE-2020-15305.patch ++++++ diff --git a/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp b/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp index 339d2f89..0844d234 100644 --- a/IlmImf/ImfDeepScanLineInputFile.cpp +++ b/IlmImf/ImfDeepScanLineInputFile.cpp @@ -1053,6 +1053,8 @@ DeepScanLineInputFile::DeepScanLineInputFile delete _data->_streamData; } if (_data) delete _data; + + throw; } readLineOffsets (*_data->_streamData->is, ++++++ openexr-CVE-2020-15306.patch ++++++ diff --git a/IlmImf/ImfDeepTiledOutputFile.cpp b/IlmImf/ImfDeepTiledOutputFile.cpp index 9654e311..887c0329 100644 --- a/IlmImf/ImfDeepTiledOutputFile.cpp +++ b/IlmImf/ImfDeepTiledOutputFile.cpp @@ -1237,7 +1237,7 @@ DeepTiledOutputFile::initialize (const Header &header) _data->numYTiles); //ignore the existing value of chunkCount - correct it if it's wrong - _data->header.setChunkCount(getChunkOffsetTableSize(_data->header,true)); + _data->header.setChunkCount(getChunkOffsetTableSize(_data->header)); _data->maxSampleCountTableSize = _data->tileDesc.ySize * _data->tileDesc.xSize * diff --git a/IlmImf/ImfMisc.cpp b/IlmImf/ImfMisc.cpp index d0b6fb26..7d69798e 100644 --- a/IlmImf/ImfMisc.cpp +++ b/IlmImf/ImfMisc.cpp @@ -1900,18 +1900,30 @@ int getTiledChunkOffsetTableSize(const Header& header); int -getChunkOffsetTableSize(const Header& header,bool ignore_attribute) +getChunkOffsetTableSize(const Header& header,bool) { - if(!ignore_attribute && header.hasChunkCount()) - { - return header.chunkCount(); - } - + // + // if there is a type in the header which indicates the part is not a currently supported type, + // use the chunkCount attribute + // + + if(header.hasType() && !isSupportedType(header.type())) { - throw IEX_NAMESPACE::ArgExc ("unsupported header type to " - "get chunk offset table size"); + if(header.hasChunkCount()) + { + return header.chunkCount(); + } + else + { + throw IEX_NAMESPACE::ArgExc ("unsupported header type to " + "get chunk offset table size"); + } } + + // + // part is a known type - ignore the header attribute and compute the chunk size from the header + // if (isTiled(header.type()) == false) return getScanlineChunkOffsetTableSize(header); else diff --git a/IlmImf/ImfMisc.h b/IlmImf/ImfMisc.h index 4cb7607e..f1cf648a 100644 --- a/IlmImf/ImfMisc.h +++ b/IlmImf/ImfMisc.h @@ -464,13 +464,16 @@ bool usesLongNames (const Header &header); // -// compute size of chunk offset table - if ignore_attribute set to true -// will compute from the image size and layout, rather than the attribute -// The default behaviour is to read the attribute +// compute size of chunk offset table - for existing types, computes +// the chunk size from the image size, compression type, and tile description +// (for tiled types). If the type is not supported, uses the chunkCount attribute +// if present, or throws an exception otherwise +// deprecated_attribute is no longer used by this function +// // IMF_EXPORT -int getChunkOffsetTableSize(const Header& header,bool ignore_attribute=false); +int getChunkOffsetTableSize(const Header& header,bool deprecated_attribute=false); OPENEXR_IMF_INTERNAL_NAMESPACE_HEADER_EXIT diff --git a/IlmImf/ImfMultiPartInputFile.cpp b/IlmImf/ImfMultiPartInputFile.cpp index 0c574fa8..42488c9d 100644 --- a/IlmImf/ImfMultiPartInputFile.cpp +++ b/IlmImf/ImfMultiPartInputFile.cpp @@ -738,7 +738,7 @@ MultiPartInputFile::Data::readChunkOffsetTables(bool reconstructChunkOffsetTable for (size_t i = 0; i < parts.size(); i++) { - int chunkOffsetTableSize = getChunkOffsetTableSize(parts[i]->header,false); + int chunkOffsetTableSize = getChunkOffsetTableSize(parts[i]->header); parts[i]->chunkOffsets.resize(chunkOffsetTableSize); for (int j = 0; j < chunkOffsetTableSize; j++) diff --git a/IlmImf/ImfMultiPartOutputFile.cpp b/IlmImf/ImfMultiPartOutputFile.cpp index 89501c40..082efc27 100644 --- a/IlmImf/ImfMultiPartOutputFile.cpp +++ b/IlmImf/ImfMultiPartOutputFile.cpp @@ -151,7 +151,7 @@ MultiPartOutputFile::Data::do_header_sanity_checks(bool overrideSharedAttributes if (isMultiPart) { // multipart files must contain a chunkCount attribute - _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0],true)); + _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0])); for (size_t i = 1; i < parts; i++) { @@ -159,7 +159,7 @@ MultiPartOutputFile::Data::do_header_sanity_checks(bool overrideSharedAttributes throw IEX_NAMESPACE::ArgExc ("Every header in a multipart file should have a type"); - _headers[i].setChunkCount(getChunkOffsetTableSize(_headers[i],true)); + _headers[i].setChunkCount(getChunkOffsetTableSize(_headers[i])); _headers[i].sanityCheck (_headers[i].hasTileDescription(), isMultiPart); @@ -191,7 +191,7 @@ MultiPartOutputFile::Data::do_header_sanity_checks(bool overrideSharedAttributes if (_headers[0].hasType() && isImage(_headers[0].type()) == false) { - _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0],true)); + _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0])); } } @@ -500,7 +500,7 @@ MultiPartOutputFile::Data::writeChunkTableOffsets (vector<OutputPartData*> &part { for (size_t i = 0; i < parts.size(); i++) { - int chunkTableSize = getChunkOffsetTableSize(parts[i]->header,false); + int chunkTableSize = getChunkOffsetTableSize(parts[i]->header); Int64 pos = os->tellp(); ++++++ openexr-CVE-2020-16587.patch ++++++ Index: openexr-2.2.1/IlmImf/ImfMultiPartInputFile.cpp =================================================================== --- openexr-2.2.1.orig/IlmImf/ImfMultiPartInputFile.cpp 2020-12-15 15:48:42.311478385 +0100 +++ openexr-2.2.1/IlmImf/ImfMultiPartInputFile.cpp 2020-12-15 15:51:12.896382930 +0100 @@ -571,7 +571,7 @@ MultiPartInputFile::Data::chunkOffsetRec - if(partNumber<0 || partNumber>int(parts.size())) + if(partNumber<0 || partNumber>=int(parts.size())) { // bail here - bad part number throw int(); ++++++ openexr-CVE-2020-16588.patch ++++++ Index: openexr-2.2.1/exrmakepreview/makePreview.cpp =================================================================== --- openexr-2.2.1.orig/exrmakepreview/makePreview.cpp 2020-12-16 10:20:11.324983868 +0100 +++ openexr-2.2.1/exrmakepreview/makePreview.cpp 2020-12-16 10:20:45.913193786 +0100 @@ -123,8 +123,8 @@ generatePreview (const char inFileName[] previewHeight = max (int (h / (w * a) * previewWidth + .5f), 1); previewPixels.resizeErase (previewHeight, previewWidth); - double fx = (previewWidth > 0)? (double (w - 1) / (previewWidth - 1)): 1; - double fy = (previewHeight > 0)? (double (h - 1) / (previewHeight - 1)): 1; + double fx = (previewWidth > 1)? (double (w - 1) / (previewWidth - 1)): 1; + double fy = (previewHeight > 1)? (double (h - 1) / (previewHeight - 1)): 1; float m = Math<float>::pow (2.f, clamp (exposure + 2.47393f, -20.f, 20.f)); for (int y = 0; y < previewHeight; ++y) ++++++ openexr-CVE-2020-16589.patch ++++++ Index: openexr-2.2.1/IlmImf/ImfTiledInputFile.cpp =================================================================== --- openexr-2.2.1.orig/IlmImf/ImfTiledInputFile.cpp 2020-12-16 11:11:18.584567006 +0100 +++ openexr-2.2.1/IlmImf/ImfTiledInputFile.cpp 2020-12-16 11:11:18.612567177 +0100 @@ -1345,6 +1345,13 @@ TiledInputFile::rawTileData (int &dx, in throw IEX_NAMESPACE::ArgExc ("rawTileData read the wrong tile"); } } + else + { + if(!isValidTile (dx, dy, lx, ly) ) + { + throw IEX_NAMESPACE::IoExc ("rawTileData read an invalid tile"); + } + } pixelData = tileBuffer->buffer; } catch (IEX_NAMESPACE::BaseExc &e) ++++++ openexr-CVE-2021-20296.patch ++++++ Index: openexr-2.2.1/IlmImf/ImfDwaCompressor.cpp =================================================================== --- openexr-2.2.1.orig/IlmImf/ImfDwaCompressor.cpp 2021-03-31 17:28:23.070431727 +0200 +++ openexr-2.2.1/IlmImf/ImfDwaCompressor.cpp 2021-03-31 17:28:23.086431821 +0200 @@ -2525,7 +2525,7 @@ DwaCompressor::uncompress if (acCompressedSize > 0) { - if (totalAcUncompressedCount*sizeof(unsigned short) > _packedAcBufferSize) + if ( !_packedAcBuffer || totalAcUncompressedCount*sizeof(unsigned short) > _packedAcBufferSize) { throw Iex::InputExc("Error uncompressing DWA data" "(corrupt header)."); ++++++ openexr-CVE-2021-20298.patch ++++++ Index: openexr-2.1.0/IlmImf/ImfB44Compressor.cpp =================================================================== --- openexr-2.1.0.orig/IlmImf/ImfB44Compressor.cpp 2021-08-03 17:07:05.896212845 +0200 +++ openexr-2.1.0/IlmImf/ImfB44Compressor.cpp 2021-08-03 17:07:05.980213452 +0200 @@ -492,7 +492,7 @@ B44Compressor::B44Compressor // _tmpBuffer = new unsigned short - [checkArraySize (uiMult (maxScanLineSize, numScanLines), + [checkArraySize (uiMult (maxScanLineSize / sizeof(unsigned short), numScanLines), sizeof (unsigned short))]; const ChannelList &channels = header().channels(); ++++++ openexr-CVE-2021-20299.patch ++++++ diff --git a/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp b/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp index 689956c90..cbb2ec234 100644 --- a/IlmImf/ImfMultiPartInputFile.cpp +++ b/IlmImf/ImfMultiPartInputFile.cpp @@ -340,6 +340,11 @@ MultiPartInputFile::initialize() // Perform usual check on headers. // + if ( _data->_headers.size() == 0) + { + throw IEX_NAMESPACE::ArgExc ("Files must contain at least one header"); + } + for (size_t i = 0; i < _data->_headers.size(); i++) { // ++++++ openexr-CVE-2021-20300.patch ++++++ diff --git a/OpenEXR/IlmImf/ImfHuf.cpp b/OpenEXR/IlmImf/ImfHuf.cpp index 7bd7fc00d..23cfcfd6c 100644 --- a/IlmImf/ImfHuf.cpp +++ b/IlmImf/ImfHuf.cpp @@ -1093,7 +1093,9 @@ hufUncompress (const char compressed[], const char *ptr = compressed + 20; - if ( ptr + (nBits+7 )/8 > compressed+nCompressed) + uint64_t nBytes = (static_cast<uint64_t>(nBits)+7) / 8 ; + + if ( ptr + nBytes > compressed+nCompressed) { notEnoughData(); return; ++++++ openexr-CVE-2021-20302.patch ++++++ diff --git a/OpenEXR/IlmImf/ImfTiledInputFile.cpp b/OpenEXR/IlmImf/ImfTiledInputFile.cpp index 3e7fda333..091ad623a 100644 --- a/IlmImf/ImfTiledInputFile.cpp +++ b/IlmImf/ImfTiledInputFile.cpp @@ -958,7 +958,10 @@ TiledInputFile::initialize () { if (!isTiled (_data->version)) throw IEX_NAMESPACE::ArgExc ("Expected a tiled file but the file is not tiled."); - + + if (isNonImage (_data->version)) + throw IEX_NAMESPACE::ArgExc ("File is not a regular tiled image."); + } else { ++++++ openexr-CVE-2021-20303.patch ++++++ diff --git a/OpenEXR/IlmImf/ImfTiledMisc.cpp b/OpenEXR/IlmImf/ImfTiledMisc.cpp index b8e195fd8..89ef97cb5 100644 --- a/IlmImf/ImfTiledMisc.cpp +++ b/IlmImf/ImfTiledMisc.cpp @@ -97,13 +97,14 @@ dataWindowForTile (const TileDescription &tileDesc, V2i tileMin = V2i (minX + dx * tileDesc.xSize, minY + dy * tileDesc.ySize); - V2i tileMax = tileMin + V2i (tileDesc.xSize - 1, tileDesc.ySize - 1); + int64_t tileMaxX = int64_t(tileMin[0]) + tileDesc.xSize - 1; + int64_t tileMaxY = int64_t(tileMin[1]) + tileDesc.ySize - 1; V2i levelMax = dataWindowForLevel (tileDesc, minX, maxX, minY, maxY, lx, ly).max; - tileMax = V2i (std::min (tileMax[0], levelMax[0]), - std::min (tileMax[1], levelMax[1])); + V2i tileMax = V2i (std::min (tileMaxX, int64_t(levelMax[0])), + std::min (tileMaxY, int64_t(levelMax[1]))); return Box2i (tileMin, tileMax); } ++++++ openexr-CVE-2021-20304.patch ++++++ diff --git a/OpenEXR/IlmImf/ImfHuf.cpp b/OpenEXR/IlmImf/ImfHuf.cpp index 23cfcfd6c..1cc09d63f 100644 --- a/IlmImf/ImfHuf.cpp +++ b/IlmImf/ImfHuf.cpp @@ -910,6 +910,11 @@ hufDecode // lc -= pl.len; + + if ( lc < 0 ) + { + invalidCode(); // code length too long + } getCode (pl.lit, rlc, c, lc, in, out, outb, oe); } else @@ -967,6 +972,10 @@ hufDecode if (pl.len) { lc -= pl.len; + if ( lc < 0 ) + { + invalidCode(); // code length too long + } getCode (pl.lit, rlc, c, lc, in, out, outb, oe); } else ++++++ openexr-CVE-2021-23215,26260.patch ++++++ Index: openexr-2.2.1/IlmImf/ImfDwaCompressor.cpp =================================================================== --- openexr-2.2.1.orig/IlmImf/ImfDwaCompressor.cpp 2021-04-26 14:19:38.233657002 +0200 +++ openexr-2.2.1/IlmImf/ImfDwaCompressor.cpp 2021-04-27 10:28:33.673535527 +0200 @@ -2164,7 +2164,7 @@ DwaCompressor::compress if (*unknownUncompressedSize > 0) { uLongf inSize = (uLongf)(*unknownUncompressedSize); - uLongf outSize = (uLongf)(ceil ((float)inSize * 1.01f) + 100); + uLongf outSize = compressBound (inSize); if (Z_OK != ::compress2 ((Bytef *)outDataPtr, &outSize, @@ -2202,8 +2202,8 @@ DwaCompressor::compress case DEFLATE: { - uLongf destLen = (uLongf) - (2 * (*totalAcUncompressedCount) * sizeof (unsigned short)); + uLongf destLen = compressBound ( + (*totalAcUncompressedCount) * sizeof (unsigned short)); if (Z_OK != ::compress2 ((Bytef *)outDataPtr, @@ -2255,8 +2255,7 @@ DwaCompressor::compress _planarUncBuffer[RLE], (signed char *)_rleBuffer); - uLongf dstLen = - (uLongf)ceil (1.01f * (float) * rleUncompressedSize) + 24; + uLongf dstLen = compressBound ((uLongf)*rleUncompressedSize); if (Z_OK != ::compress2 ((Bytef *)outDataPtr, @@ -2400,7 +2399,7 @@ DwaCompressor::uncompress totalDcUncompressedCount < 0) { throw Iex::InputExc("Error uncompressing DWA data" - " (corrupt header)."); + " (corrupt header I)."); } if (version < 2) @@ -2499,16 +2498,14 @@ DwaCompressor::uncompress if (unknownCompressedSize > 0) { - uLongf outSize = static_cast<uLongf>( - ceil( (float)unknownUncompressedSize * 1.01) + 100); - - if (unknownUncompressedSize < 0 || - outSize > _planarUncBufferSize[UNKNOWN]) + if (unknownUncompressedSize > _planarUncBufferSize[UNKNOWN]) { throw Iex::InputExc("Error uncompressing DWA data" - "(corrupt header)."); + "(corrupt header II)."); } + uLongf outSize = (uLongf)unknownUncompressedSize; + if (Z_OK != ::uncompress ((Bytef *)_planarUncBuffer[UNKNOWN], &outSize, @@ -2528,7 +2525,7 @@ DwaCompressor::uncompress if ( !_packedAcBuffer || totalAcUncompressedCount*sizeof(unsigned short) > _packedAcBufferSize) { throw Iex::InputExc("Error uncompressing DWA data" - "(corrupt header)."); + "(corrupt header III)."); } // @@ -2585,7 +2582,7 @@ DwaCompressor::uncompress if (totalDcUncompressedCount*sizeof(unsigned short) > _packedDcBufferSize) { throw Iex::InputExc("Error uncompressing DWA data" - "(corrupt header)."); + "(corrupt header IV)."); } if (_zip->uncompress @@ -2607,7 +2604,7 @@ DwaCompressor::uncompress rleRawSize > _planarUncBufferSize[RLE]) { throw Iex::InputExc("Error uncompressing DWA data" - "(corrupt header)."); + "(corrupt header V)."); } uLongf dstLen = (uLongf)rleUncompressedSize; @@ -2921,19 +2918,21 @@ DwaCompressor::initializeBuffers (size_t // of channels we have. // - int maxOutBufferSize = 0; - int numLossyDctChans = 0; - int unknownBufferSize = 0; - int rleBufferSize = 0; + Int64 maxOutBufferSize = 0; + Int64 numLossyDctChans = 0; + Int64 unknownBufferSize = 0; + Int64 rleBufferSize = 0; - int maxLossyDctAcSize = (int)ceil ((float)numScanLines() / 8.0f) * - (int)ceil ((float)(_max[0] - _min[0] + 1) / 8.0f) * + Int64 maxLossyDctAcSize = static_cast<Int64>(ceil ((float)numScanLines() / 8.0f)) * + static_cast<Int64>(ceil ((float)(_max[0] - _min[0] + 1) / 8.0f)) * 63 * sizeof (unsigned short); - int maxLossyDctDcSize = (int)ceil ((float)numScanLines() / 8.0f) * - (int)ceil ((float)(_max[0] - _min[0] + 1) / 8.0f) * + Int64 maxLossyDctDcSize = static_cast<Int64>(ceil ((float)numScanLines() / 8.0f)) * + static_cast<Int64>(ceil ((float)(_max[0] - _min[0] + 1) / 8.0f)) * sizeof (unsigned short); + Int64 pixelCount = static_cast<Int64>(numScanLines()) * static_cast<Int64>(_max[0] - _min[0] + 1); + for (unsigned int chan = 0; chan < _channelData.size(); ++chan) { switch (_channelData[chan].compression) @@ -2943,10 +2942,13 @@ DwaCompressor::initializeBuffers (size_t // // This is the size of the number of packed // components, plus the requirements for - // maximum Huffman encoding size. + // maximum Huffman encoding size (for STATIC_HUFFMAN) + // or for zlib compression (for DEFLATE) // - maxOutBufferSize += 2 * maxLossyDctAcSize + 65536; + maxOutBufferSize += std::max( + 2lu * maxLossyDctAcSize + 65536lu, + static_cast<Int64>(compressBound (maxLossyDctAcSize)) ); numLossyDctChans++; break; @@ -2957,8 +2959,7 @@ DwaCompressor::initializeBuffers (size_t // of the source data. // - int rleAmount = 2 * numScanLines() * (_max[0] - _min[0] + 1) * - Imf::pixelTypeSize (_channelData[chan].type); + Int64 rleAmount = 2 * pixelCount * Imf::pixelTypeSize (_channelData[chan].type); rleBufferSize += rleAmount; } @@ -2967,8 +2968,7 @@ DwaCompressor::initializeBuffers (size_t case UNKNOWN: - unknownBufferSize += numScanLines() * (_max[0] - _min[0] + 1) * - Imf::pixelTypeSize (_channelData[chan].type); + unknownBufferSize += pixelCount * Imf::pixelTypeSize (_channelData[chan].type); break; default: @@ -2985,13 +2985,13 @@ DwaCompressor::initializeBuffers (size_t // which could take slightly more space // - maxOutBufferSize += (int)(ceil (1.01f * (float)rleBufferSize) + 100); + maxOutBufferSize += static_cast<Int64>(compressBound (rleBufferSize)); // // And the same goes for the UNKNOWN data // - maxOutBufferSize += (int)(ceil (1.01f * (float)unknownBufferSize) + 100); + maxOutBufferSize += static_cast<Int64>(compressBound (unknownBufferSize)); // // Allocate a zip/deflate compressor big enought to hold the DC data @@ -3077,7 +3077,7 @@ DwaCompressor::initializeBuffers (size_t // all in one swoop (for each compression scheme). // - int planarUncBufferSize[NUM_COMPRESSOR_SCHEMES]; + Int64 planarUncBufferSize[NUM_COMPRESSOR_SCHEMES]; for (int i=0; i<NUM_COMPRESSOR_SCHEMES; ++i) planarUncBufferSize[i] = 0; @@ -3090,13 +3090,13 @@ DwaCompressor::initializeBuffers (size_t case RLE: planarUncBufferSize[RLE] += - numScanLines() * (_max[0] - _min[0] + 1) * + pixelCount * Imf::pixelTypeSize (_channelData[chan].type); break; case UNKNOWN: planarUncBufferSize[UNKNOWN] += - numScanLines() * (_max[0] - _min[0] + 1) * + pixelCount * Imf::pixelTypeSize (_channelData[chan].type); break; @@ -3114,7 +3114,7 @@ DwaCompressor::initializeBuffers (size_t if (planarUncBufferSize[UNKNOWN] > 0) { planarUncBufferSize[UNKNOWN] = - (int) ceil (1.01f * (float)planarUncBufferSize[UNKNOWN]) + 100; + static_cast<Int64>( compressBound (planarUncBufferSize[UNKNOWN]) ); } for (int i = 0; i < NUM_COMPRESSOR_SCHEMES; ++i) @@ -3124,6 +3124,12 @@ DwaCompressor::initializeBuffers (size_t _planarUncBufferSize[i] = planarUncBufferSize[i]; if (_planarUncBuffer[i] != 0) delete[] _planarUncBuffer[i]; + + if (planarUncBufferSize[i] > std::numeric_limits<size_t>::max()) + { + throw IEX_NAMESPACE::ArgExc("DWA buffers too large"); + } + _planarUncBuffer[i] = new char[planarUncBufferSize[i]]; } } Index: openexr-2.2.1/IlmImf/ImfDwaCompressor.h =================================================================== --- openexr-2.2.1.orig/IlmImf/ImfDwaCompressor.h 2017-11-18 00:00:24.000000000 +0100 +++ openexr-2.2.1/IlmImf/ImfDwaCompressor.h 2021-04-26 14:19:38.249657084 +0200 @@ -155,16 +155,16 @@ class DwaCompressor: public Compressor std::vector<CscChannelSet> _cscSets; std::vector<Classifier> _channelRules; - char *_packedAcBuffer; - size_t _packedAcBufferSize; - char *_packedDcBuffer; - size_t _packedDcBufferSize; - char *_rleBuffer; - size_t _rleBufferSize; - char *_outBuffer; - size_t _outBufferSize; - char *_planarUncBuffer[NUM_COMPRESSOR_SCHEMES]; - size_t _planarUncBufferSize[NUM_COMPRESSOR_SCHEMES]; + char* _packedAcBuffer; + Int64 _packedAcBufferSize; + char* _packedDcBuffer; + Int64 _packedDcBufferSize; + char* _rleBuffer; + Int64 _rleBufferSize; + char* _outBuffer; + Int64 _outBufferSize; + char* _planarUncBuffer[NUM_COMPRESSOR_SCHEMES]; + Int64 _planarUncBufferSize[NUM_COMPRESSOR_SCHEMES]; Zip *_zip; float _dwaCompressionLevel; ++++++ openexr-CVE-2021-3474.patch ++++++ Index: openexr-2.2.1/IlmImf/ImfFastHuf.cpp =================================================================== --- openexr-2.2.1.orig/IlmImf/ImfFastHuf.cpp 2021-03-31 17:28:23.022431443 +0200 +++ openexr-2.2.1/IlmImf/ImfFastHuf.cpp 2021-03-31 17:28:23.086431821 +0200 @@ -205,7 +205,7 @@ FastHufDecoder::FastHufDecoder for (int l = _minCodeLength; l <= _maxCodeLength; ++l) { countTmp[l] = (double)codeCount[l] * - (double)(2 << (_maxCodeLength-l)); + (double)(2ll << (_maxCodeLength-l)); } for (int l = _minCodeLength; l <= _maxCodeLength; ++l) @@ -215,7 +215,7 @@ FastHufDecoder::FastHufDecoder for (int k =l + 1; k <= _maxCodeLength; ++k) tmp += countTmp[k]; - tmp /= (double)(2 << (_maxCodeLength - l)); + tmp /= (double)(2ll << (_maxCodeLength - l)); base[l] = (Int64)ceil (tmp); } ++++++ openexr-CVE-2021-3475.patch ++++++ Index: openexr-2.2.1/IlmImf/ImfTiledInputFile.cpp =================================================================== --- openexr-2.2.1.orig/IlmImf/ImfTiledInputFile.cpp 2021-03-31 16:46:33.459586875 +0200 +++ openexr-2.2.1/IlmImf/ImfTiledInputFile.cpp 2021-03-31 16:46:33.471586946 +0200 @@ -976,6 +976,16 @@ TiledInputFile::initialize () _data->tileBufferSize = _data->maxBytesPerTileLine * _data->tileDesc.ySize; // + // OpenEXR has a limit of INT_MAX compressed bytes per tile + // disallow uncompressed tile sizes above INT_MAX too to guarantee file is written + // + if( _data->tileBufferSize > INT_MAX ) + { + throw IEX_NAMESPACE::ArgExc ("Tile size too large for OpenEXR format"); + } + + + // // Create all the TileBuffers and allocate their internal buffers // Index: openexr-2.2.1/IlmImf/ImfTiledMisc.cpp =================================================================== --- openexr-2.2.1.orig/IlmImf/ImfTiledMisc.cpp 2021-03-31 16:46:33.471586946 +0200 +++ openexr-2.2.1/IlmImf/ImfTiledMisc.cpp 2021-03-31 16:49:37.220675276 +0200 @@ -301,7 +301,9 @@ calculateNumTiles (int *numTiles, { for (int i = 0; i < numLevels; i++) { - numTiles[i] = (levelSize (min, max, i, rmode) + size - 1) / size; + // use 64 bits to avoid int overflow if size is large. + Int64 l = levelSize (min, max, i, rmode); + numTiles[i] = (l + size - 1) / size; } } Index: openexr-2.2.1/IlmImf/ImfTiledOutputFile.cpp =================================================================== --- openexr-2.2.1.orig/IlmImf/ImfTiledOutputFile.cpp 2017-11-18 00:00:24.000000000 +0100 +++ openexr-2.2.1/IlmImf/ImfTiledOutputFile.cpp 2021-03-31 16:46:33.471586946 +0200 @@ -1022,6 +1022,17 @@ TiledOutputFile::initialize (const Heade _data->tileBufferSize = _data->maxBytesPerTileLine * _data->tileDesc.ySize; + // + // OpenEXR has a limit of INT_MAX compressed bytes per tile + // disallow uncompressed tile sizes above INT_MAX too to guarantee file is written + // + if( _data->tileBufferSize > INT_MAX ) + { + throw IEX_NAMESPACE::ArgExc ("Tile size too large for OpenEXR format"); + } + + + // // Create all the TileBuffers and allocate their internal buffers // ++++++ openexr-CVE-2021-3476.patch ++++++ diff --git a/IlmImf/ImfB44Compressor.cpp b/IlmImf/ImfB44Compressor.cpp index 3b18ba855..5e2ab9ea5 100644 --- a/IlmImf/ImfB44Compressor.cpp +++ b/IlmImf/ImfB44Compressor.cpp @@ -381,26 +381,26 @@ unpack14 (const unsigned char b[14], unsigned short s[16]) s[ 0] = (b[0] << 8) | b[1]; unsigned short shift = (b[ 2] >> 2); - unsigned short bias = (0x20 << shift); + unsigned short bias = (0x20u << shift); - s[ 4] = s[ 0] + ((((b[ 2] << 4) | (b[ 3] >> 4)) & 0x3f) << shift) - bias; - s[ 8] = s[ 4] + ((((b[ 3] << 2) | (b[ 4] >> 6)) & 0x3f) << shift) - bias; - s[12] = s[ 8] + ((b[ 4] & 0x3f) << shift) - bias; + s[ 4] = s[ 0] + ((((b[ 2] << 4) | (b[ 3] >> 4)) & 0x3fu) << shift) - bias; + s[ 8] = s[ 4] + ((((b[ 3] << 2) | (b[ 4] >> 6)) & 0x3fu) << shift) - bias; + s[12] = s[ 8] + ((b[ 4] & 0x3fu) << shift) - bias; - s[ 1] = s[ 0] + ((b[ 5] >> 2) << shift) - bias; - s[ 5] = s[ 4] + ((((b[ 5] << 4) | (b[ 6] >> 4)) & 0x3f) << shift) - bias; - s[ 9] = s[ 8] + ((((b[ 6] << 2) | (b[ 7] >> 6)) & 0x3f) << shift) - bias; - s[13] = s[12] + ((b[ 7] & 0x3f) << shift) - bias; + s[ 1] = s[ 0] + ((unsigned int) (b[ 5] >> 2) << shift) - bias; + s[ 5] = s[ 4] + ((((b[ 5] << 4) | (b[ 6] >> 4)) & 0x3fu) << shift) - bias; + s[ 9] = s[ 8] + ((((b[ 6] << 2) | (b[ 7] >> 6)) & 0x3fu) << shift) - bias; + s[13] = s[12] + ((b[ 7] & 0x3fu) << shift) - bias; - s[ 2] = s[ 1] + ((b[ 8] >> 2) << shift) - bias; - s[ 6] = s[ 5] + ((((b[ 8] << 4) | (b[ 9] >> 4)) & 0x3f) << shift) - bias; - s[10] = s[ 9] + ((((b[ 9] << 2) | (b[10] >> 6)) & 0x3f) << shift) - bias; - s[14] = s[13] + ((b[10] & 0x3f) << shift) - bias; + s[ 2] = s[ 1] + ((unsigned int)(b[ 8] >> 2) << shift) - bias; + s[ 6] = s[ 5] + ((((b[ 8] << 4) | (b[ 9] >> 4)) & 0x3fu) << shift) - bias; + s[10] = s[ 9] + ((((b[ 9] << 2) | (b[10] >> 6)) & 0x3fu) << shift) - bias; + s[14] = s[13] + ((b[10] & 0x3fu) << shift) - bias; - s[ 3] = s[ 2] + ((b[11] >> 2) << shift) - bias; - s[ 7] = s[ 6] + ((((b[11] << 4) | (b[12] >> 4)) & 0x3f) << shift) - bias; - s[11] = s[10] + ((((b[12] << 2) | (b[13] >> 6)) & 0x3f) << shift) - bias; - s[15] = s[14] + ((b[13] & 0x3f) << shift) - bias; + s[ 3] = s[ 2] + ((unsigned int)(b[11] >> 2) << shift) - bias; + s[ 7] = s[ 6] + ((((b[11] << 4) | (b[12] >> 4)) & 0x3fu) << shift) - bias; + s[11] = s[10] + ((((b[12] << 2) | (b[13] >> 6)) & 0x3fu) << shift) - bias; + s[15] = s[14] + ((b[13] & 0x3fu) << shift) - bias; for (int i = 0; i < 16; ++i) { @@ -951,7 +951,10 @@ B44Compressor::uncompress (const char *inPtr, if (inSize < 3) notEnoughData(); - if (((const unsigned char *)inPtr)[2] == 0xfc) + // + // If shift exponent is 63, call unpack14 (ignoring unused bits) + // + if (((const unsigned char *)inPtr)[2] >= (13<<2) ) { unpack3 ((const unsigned char *)inPtr, s); inPtr += 3; diff --git a/IlmImf/ImfDwaCompressor.cpp b/IlmImf/ImfDwaCompressor.cpp index da2d95068..d8c66dd27 100644 --- a/IlmImf/ImfDwaCompressor.cpp +++ b/IlmImf/ImfDwaCompressor.cpp @@ -2681,6 +2681,10 @@ DwaCompressor::uncompress int gChan = _cscSets[csc].idx[1]; int bChan = _cscSets[csc].idx[2]; + if (_channelData[rChan].compression != LOSSY_DCT || _channelData[gChan].compression != LOSSY_DCT || _channelData[bChan].compression != LOSSY_DCT) + { + throw IEX_NAMESPACE::BaseExc("Bad DWA compression type detected"); + } LossyDctDecoderCsc decoder (rowPtrs[rChan], ++++++ openexr-CVE-2021-3477.patch ++++++ diff --git a/src/lib/OpenEXR/ImfDeepTiledInputFile.cpp b/src/lib/OpenEXR/ImfDeepTiledInputFile.cpp index 0f893481b..f5abe9c6a 100644 --- a/IlmImf/ImfDeepTiledInputFile.cpp +++ b/IlmImf/ImfDeepTiledInputFile.cpp @@ -1034,8 +1034,8 @@ DeepTiledInputFile::initialize () for (size_t i = 0; i < _data->tileBuffers.size(); i++) _data->tileBuffers[i] = new TileBuffer (); - _data->maxSampleCountTableSize = _data->tileDesc.ySize * - _data->tileDesc.xSize * + _data->maxSampleCountTableSize = static_cast<size_t>(_data->tileDesc.ySize) * + static_cast<size_t>(_data->tileDesc.xSize) * sizeof(int); _data->sampleCountTableBuffer.resizeErase(_data->maxSampleCountTableSize); ++++++ openexr-CVE-2021-3479.patch ++++++ Index: openexr-2.2.1/IlmImf/ImfInputFile.cpp =================================================================== --- openexr-2.2.1.orig/IlmImf/ImfInputFile.cpp 2021-04-08 14:57:22.846573803 +0200 +++ openexr-2.2.1/IlmImf/ImfInputFile.cpp 2021-04-08 15:13:24.275790861 +0200 @@ -272,9 +272,14 @@ bufferedReadPixels (InputFile::Data* ifd // // We don't have any valid buffered info, so we need to read in // from the file. + // if no channels are being read that are present in file, cachedBuffer will be empty // - ifd->tFile->readTiles (0, ifd->tFile->numXTiles (0) - 1, j, j); + if (ifd->cachedBuffer->begin() != ifd->cachedBuffer->end()) + { + ifd->tFile->readTiles (0, ifd->tFile->numXTiles (0) - 1, j, j); + } + ifd->cachedTileY = j; } @@ -283,55 +288,135 @@ bufferedReadPixels (InputFile::Data* ifd // framebuffer. // - for (FrameBuffer::ConstIterator k = ifd->cachedBuffer->begin(); - k != ifd->cachedBuffer->end(); + for (FrameBuffer::ConstIterator k = ifd->tFileBuffer.begin(); + k != ifd->tFileBuffer.end(); ++k) { - Slice fromSlice = k.slice(); // slice to write from - Slice toSlice = ifd->tFileBuffer[k.name()]; // slice to write to - char *fromPtr, *toPtr; - int size = pixelTypeSize (toSlice.type); - int xStart = levelRange.min.x; - int yStart = minYThisRow; + Slice toSlice = k.slice(); // slice to read from + char* toPtr; + + int xStart = levelRange.min.x; + int yStart = minYThisRow; - while (modp (xStart, toSlice.xSampling) != 0) - ++xStart; + while (modp (xStart, toSlice.xSampling) != 0) + ++xStart; - while (modp (yStart, toSlice.ySampling) != 0) - ++yStart; + while (modp (yStart, toSlice.ySampling) != 0) + ++yStart; - for (int y = yStart; - y <= maxYThisRow; - y += toSlice.ySampling) + FrameBuffer::ConstIterator c = ifd->cachedBuffer->find(k.name()); + intptr_t toBase = reinterpret_cast<intptr_t>(toSlice.base); + + + if( c!=ifd->cachedBuffer->end()) { - // - // Set the pointers to the start of the y scanline in - // this row of tiles - // - - fromPtr = fromSlice.base + - (y - tileRange.min.y) * fromSlice.yStride + - xStart * fromSlice.xStride; - - toPtr = toSlice.base + - divp (y, toSlice.ySampling) * toSlice.yStride + - divp (xStart, toSlice.xSampling) * toSlice.xStride; - - // - // Copy all pixels for the scanline in this row of tiles - // - - for (int x = xStart; - x <= levelRange.max.x; - x += toSlice.xSampling) + // + // output channel was read from source image: copy to output slice + // + Slice fromSlice = c.slice(); // slice to write to + intptr_t fromBase = reinterpret_cast<intptr_t>(fromSlice.base); + + int size = pixelTypeSize (toSlice.type); + char* fromPtr; + + for (int y = yStart; + y <= maxYThisRow; + y += toSlice.ySampling) { - for (int i = 0; i < size; ++i) - toPtr[i] = fromPtr[i]; + // + // Set the pointers to the start of the y scanline in + // this row of tiles + // + + fromPtr = reinterpret_cast<char*> (fromBase + + (y - tileRange.min.y) * fromSlice.yStride + + xStart * fromSlice.xStride); + + toPtr = reinterpret_cast<char*> (toBase + + divp (y, toSlice.ySampling) * toSlice.yStride + + divp (xStart, toSlice.xSampling) * toSlice.xStride); + + // + // Copy all pixels for the scanline in this row of tiles + // + + for (int x = xStart; + x <= levelRange.max.x; + x += toSlice.xSampling) + { + for (int i = 0; i < size; ++i) + toPtr[i] = fromPtr[i]; + + fromPtr += fromSlice.xStride * toSlice.xSampling; + toPtr += toSlice.xStride; + } + } + } + else + { + + // + // channel wasn't present in source file: fill output slice + // + for (int y = yStart; + y <= maxYThisRow; + y += toSlice.ySampling) + { + + toPtr = reinterpret_cast<char*> (toBase+ + divp (y, toSlice.ySampling) * toSlice.yStride + + divp (xStart, toSlice.xSampling) * toSlice.xStride); + + // + // Copy all pixels for the scanline in this row of tiles + // + + switch ( toSlice.type) + { + case UINT: + { + unsigned int fill = toSlice.fillValue; + for (int x = xStart; + x <= levelRange.max.x; + x += toSlice.xSampling) + { + * reinterpret_cast<unsigned int*>(toPtr) = fill; + toPtr += toSlice.xStride; + } + break; + } + case HALF : + { + half fill = toSlice.fillValue; + for (int x = xStart; + x <= levelRange.max.x; + x += toSlice.xSampling) + { + * reinterpret_cast<half*>(toPtr) = fill; + toPtr += toSlice.xStride; + } + break; + } + case FLOAT : + { + float fill = toSlice.fillValue; + for (int x = xStart; + x <= levelRange.max.x; + x += toSlice.xSampling) + { + * reinterpret_cast<float*>(toPtr) = fill; + toPtr += toSlice.xStride; + } + break; + } + case NUM_PIXELTYPES : + { + break; + } - fromPtr += fromSlice.xStride * toSlice.xSampling; - toPtr += toSlice.xStride; + } } } } @@ -696,60 +781,67 @@ InputFile::setFrameBuffer (const FrameBu { Slice s = k.slice(); - switch (s.type) - { - case OPENEXR_IMF_INTERNAL_NAMESPACE::UINT: - - _data->cachedBuffer->insert - (k.name(), - Slice (UINT, - (char *)(new unsigned int[tileRowSize] - - _data->offset), - sizeof (unsigned int), - sizeof (unsigned int) * - _data->tFile->levelWidth(0), - 1, 1, - s.fillValue, - false, true)); - break; - - case OPENEXR_IMF_INTERNAL_NAMESPACE::HALF: - - _data->cachedBuffer->insert - (k.name(), - Slice (HALF, - (char *)(new half[tileRowSize] - - _data->offset), - sizeof (half), - sizeof (half) * - _data->tFile->levelWidth(0), - 1, 1, - s.fillValue, - false, true)); - break; - - case OPENEXR_IMF_INTERNAL_NAMESPACE::FLOAT: - - _data->cachedBuffer->insert - (k.name(), - Slice (OPENEXR_IMF_INTERNAL_NAMESPACE::FLOAT, - (char *)(new float[tileRowSize] - - _data->offset), - sizeof(float), - sizeof(float) * - _data->tFile->levelWidth(0), - 1, 1, - s.fillValue, - false, true)); - break; + // + // omit adding channels that are not listed - 'fill' channels are added later + // + if ( _data->header.channels().find(k.name()) != _data->header.channels().end() ) + { + switch (s.type) + { + case OPENEXR_IMF_INTERNAL_NAMESPACE::UINT: + + _data->cachedBuffer->insert + (k.name(), + Slice (UINT, + (char *)(new unsigned int[tileRowSize] - + _data->offset), + sizeof (unsigned int), + sizeof (unsigned int) * + _data->tFile->levelWidth(0), + 1, 1, + s.fillValue, + false, true)); + break; + + case OPENEXR_IMF_INTERNAL_NAMESPACE::HALF: + + _data->cachedBuffer->insert + (k.name(), + Slice (HALF, + (char *)(new half[tileRowSize] - + _data->offset), + sizeof (half), + sizeof (half) * + _data->tFile->levelWidth(0), + 1, 1, + s.fillValue, + false, true)); + break; + + case OPENEXR_IMF_INTERNAL_NAMESPACE::FLOAT: + + _data->cachedBuffer->insert + (k.name(), + Slice (OPENEXR_IMF_INTERNAL_NAMESPACE::FLOAT, + (char *)(new float[tileRowSize] - + _data->offset), + sizeof(float), + sizeof(float) * + _data->tFile->levelWidth(0), + 1, 1, + s.fillValue, + false, true)); + break; - default: + default: - throw IEX_NAMESPACE::ArgExc ("Unknown pixel data type."); - } + throw IEX_NAMESPACE::ArgExc ("Unknown pixel data type."); + } + } } _data->tFile->setFrameBuffer (*_data->cachedBuffer); + } _data->tFileBuffer = frameBuffer; ++++++ openexr-CVE-2021-3598.patch ++++++ --- a/IlmImf/ImfDeepScanLineInputFile.cpp +++ b/IlmImf/ImfDeepScanLineInputFile.cpp @@ -647,6 +647,11 @@ LineBufferTask::execute () _lineBuffer->format = Compressor::XDR; _lineBuffer->uncompressedData = _lineBuffer->buffer; + + if(_lineBuffer->packedDataSize!=maxBytesPerLine) + { + THROW (IEX_NAMESPACE::InputExc, "Incorrect size for uncompressed data. Expected " << maxBytesPerLine << " got " << _lineBuffer->packedDataSize << " bytes"); + } } } ++++++ openexr-CVE-2021-3605.patch ++++++ --- a/IlmImf/ImfRle.cpp +++ b/IlmImf/ImfRle.cpp @@ -146,6 +146,11 @@ rleUncompress (int inLength, int maxLength, const signed char in[], char out[]) if (0 > (maxLength -= count + 1)) return 0; + // check the input buffer is big enough to contain + // byte to be duplicated + if (inLength < 0) + return 0; + memset(out, *(char*)in, count+1); out += count+1;
