Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP4
openexr.22326
openexr-CVE-2021-23215,26260.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openexr-CVE-2021-23215,26260.patch of Package openexr.22326
Index: openexr-2.2.1/IlmImf/ImfDwaCompressor.cpp =================================================================== --- openexr-2.2.1.orig/IlmImf/ImfDwaCompressor.cpp 2021-04-26 14:19:38.233657002 +0200 +++ openexr-2.2.1/IlmImf/ImfDwaCompressor.cpp 2021-04-27 10:28:33.673535527 +0200 @@ -2164,7 +2164,7 @@ DwaCompressor::compress if (*unknownUncompressedSize > 0) { uLongf inSize = (uLongf)(*unknownUncompressedSize); - uLongf outSize = (uLongf)(ceil ((float)inSize * 1.01f) + 100); + uLongf outSize = compressBound (inSize); if (Z_OK != ::compress2 ((Bytef *)outDataPtr, &outSize, @@ -2202,8 +2202,8 @@ DwaCompressor::compress case DEFLATE: { - uLongf destLen = (uLongf) - (2 * (*totalAcUncompressedCount) * sizeof (unsigned short)); + uLongf destLen = compressBound ( + (*totalAcUncompressedCount) * sizeof (unsigned short)); if (Z_OK != ::compress2 ((Bytef *)outDataPtr, @@ -2255,8 +2255,7 @@ DwaCompressor::compress _planarUncBuffer[RLE], (signed char *)_rleBuffer); - uLongf dstLen = - (uLongf)ceil (1.01f * (float) * rleUncompressedSize) + 24; + uLongf dstLen = compressBound ((uLongf)*rleUncompressedSize); if (Z_OK != ::compress2 ((Bytef *)outDataPtr, @@ -2400,7 +2399,7 @@ DwaCompressor::uncompress totalDcUncompressedCount < 0) { throw Iex::InputExc("Error uncompressing DWA data" - " (corrupt header)."); + " (corrupt header I)."); } if (version < 2) @@ -2499,16 +2498,14 @@ DwaCompressor::uncompress if (unknownCompressedSize > 0) { - uLongf outSize = static_cast<uLongf>( - ceil( (float)unknownUncompressedSize * 1.01) + 100); - - if (unknownUncompressedSize < 0 || - outSize > _planarUncBufferSize[UNKNOWN]) + if (unknownUncompressedSize > _planarUncBufferSize[UNKNOWN]) { throw Iex::InputExc("Error uncompressing DWA data" - "(corrupt header)."); + "(corrupt header II)."); } + uLongf outSize = (uLongf)unknownUncompressedSize; + if (Z_OK != ::uncompress ((Bytef *)_planarUncBuffer[UNKNOWN], &outSize, @@ -2528,7 +2525,7 @@ DwaCompressor::uncompress if ( !_packedAcBuffer || totalAcUncompressedCount*sizeof(unsigned short) > _packedAcBufferSize) { throw Iex::InputExc("Error uncompressing DWA data" - "(corrupt header)."); + "(corrupt header III)."); } // @@ -2585,7 +2582,7 @@ DwaCompressor::uncompress if (totalDcUncompressedCount*sizeof(unsigned short) > _packedDcBufferSize) { throw Iex::InputExc("Error uncompressing DWA data" - "(corrupt header)."); + "(corrupt header IV)."); } if (_zip->uncompress @@ -2607,7 +2604,7 @@ DwaCompressor::uncompress rleRawSize > _planarUncBufferSize[RLE]) { throw Iex::InputExc("Error uncompressing DWA data" - "(corrupt header)."); + "(corrupt header V)."); } uLongf dstLen = (uLongf)rleUncompressedSize; @@ -2921,19 +2918,21 @@ DwaCompressor::initializeBuffers (size_t // of channels we have. // - int maxOutBufferSize = 0; - int numLossyDctChans = 0; - int unknownBufferSize = 0; - int rleBufferSize = 0; + Int64 maxOutBufferSize = 0; + Int64 numLossyDctChans = 0; + Int64 unknownBufferSize = 0; + Int64 rleBufferSize = 0; - int maxLossyDctAcSize = (int)ceil ((float)numScanLines() / 8.0f) * - (int)ceil ((float)(_max[0] - _min[0] + 1) / 8.0f) * + Int64 maxLossyDctAcSize = static_cast<Int64>(ceil ((float)numScanLines() / 8.0f)) * + static_cast<Int64>(ceil ((float)(_max[0] - _min[0] + 1) / 8.0f)) * 63 * sizeof (unsigned short); - int maxLossyDctDcSize = (int)ceil ((float)numScanLines() / 8.0f) * - (int)ceil ((float)(_max[0] - _min[0] + 1) / 8.0f) * + Int64 maxLossyDctDcSize = static_cast<Int64>(ceil ((float)numScanLines() / 8.0f)) * + static_cast<Int64>(ceil ((float)(_max[0] - _min[0] + 1) / 8.0f)) * sizeof (unsigned short); + Int64 pixelCount = static_cast<Int64>(numScanLines()) * static_cast<Int64>(_max[0] - _min[0] + 1); + for (unsigned int chan = 0; chan < _channelData.size(); ++chan) { switch (_channelData[chan].compression) @@ -2943,10 +2942,13 @@ DwaCompressor::initializeBuffers (size_t // // This is the size of the number of packed // components, plus the requirements for - // maximum Huffman encoding size. + // maximum Huffman encoding size (for STATIC_HUFFMAN) + // or for zlib compression (for DEFLATE) // - maxOutBufferSize += 2 * maxLossyDctAcSize + 65536; + maxOutBufferSize += std::max( + 2lu * maxLossyDctAcSize + 65536lu, + static_cast<Int64>(compressBound (maxLossyDctAcSize)) ); numLossyDctChans++; break; @@ -2957,8 +2959,7 @@ DwaCompressor::initializeBuffers (size_t // of the source data. // - int rleAmount = 2 * numScanLines() * (_max[0] - _min[0] + 1) * - Imf::pixelTypeSize (_channelData[chan].type); + Int64 rleAmount = 2 * pixelCount * Imf::pixelTypeSize (_channelData[chan].type); rleBufferSize += rleAmount; } @@ -2967,8 +2968,7 @@ DwaCompressor::initializeBuffers (size_t case UNKNOWN: - unknownBufferSize += numScanLines() * (_max[0] - _min[0] + 1) * - Imf::pixelTypeSize (_channelData[chan].type); + unknownBufferSize += pixelCount * Imf::pixelTypeSize (_channelData[chan].type); break; default: @@ -2985,13 +2985,13 @@ DwaCompressor::initializeBuffers (size_t // which could take slightly more space // - maxOutBufferSize += (int)(ceil (1.01f * (float)rleBufferSize) + 100); + maxOutBufferSize += static_cast<Int64>(compressBound (rleBufferSize)); // // And the same goes for the UNKNOWN data // - maxOutBufferSize += (int)(ceil (1.01f * (float)unknownBufferSize) + 100); + maxOutBufferSize += static_cast<Int64>(compressBound (unknownBufferSize)); // // Allocate a zip/deflate compressor big enought to hold the DC data @@ -3077,7 +3077,7 @@ DwaCompressor::initializeBuffers (size_t // all in one swoop (for each compression scheme). // - int planarUncBufferSize[NUM_COMPRESSOR_SCHEMES]; + Int64 planarUncBufferSize[NUM_COMPRESSOR_SCHEMES]; for (int i=0; i<NUM_COMPRESSOR_SCHEMES; ++i) planarUncBufferSize[i] = 0; @@ -3090,13 +3090,13 @@ DwaCompressor::initializeBuffers (size_t case RLE: planarUncBufferSize[RLE] += - numScanLines() * (_max[0] - _min[0] + 1) * + pixelCount * Imf::pixelTypeSize (_channelData[chan].type); break; case UNKNOWN: planarUncBufferSize[UNKNOWN] += - numScanLines() * (_max[0] - _min[0] + 1) * + pixelCount * Imf::pixelTypeSize (_channelData[chan].type); break; @@ -3114,7 +3114,7 @@ DwaCompressor::initializeBuffers (size_t if (planarUncBufferSize[UNKNOWN] > 0) { planarUncBufferSize[UNKNOWN] = - (int) ceil (1.01f * (float)planarUncBufferSize[UNKNOWN]) + 100; + static_cast<Int64>( compressBound (planarUncBufferSize[UNKNOWN]) ); } for (int i = 0; i < NUM_COMPRESSOR_SCHEMES; ++i) @@ -3124,6 +3124,12 @@ DwaCompressor::initializeBuffers (size_t _planarUncBufferSize[i] = planarUncBufferSize[i]; if (_planarUncBuffer[i] != 0) delete[] _planarUncBuffer[i]; + + if (planarUncBufferSize[i] > std::numeric_limits<size_t>::max()) + { + throw IEX_NAMESPACE::ArgExc("DWA buffers too large"); + } + _planarUncBuffer[i] = new char[planarUncBufferSize[i]]; } } Index: openexr-2.2.1/IlmImf/ImfDwaCompressor.h =================================================================== --- openexr-2.2.1.orig/IlmImf/ImfDwaCompressor.h 2017-11-18 00:00:24.000000000 +0100 +++ openexr-2.2.1/IlmImf/ImfDwaCompressor.h 2021-04-26 14:19:38.249657084 +0200 @@ -155,16 +155,16 @@ class DwaCompressor: public Compressor std::vector<CscChannelSet> _cscSets; std::vector<Classifier> _channelRules; - char *_packedAcBuffer; - size_t _packedAcBufferSize; - char *_packedDcBuffer; - size_t _packedDcBufferSize; - char *_rleBuffer; - size_t _rleBufferSize; - char *_outBuffer; - size_t _outBufferSize; - char *_planarUncBuffer[NUM_COMPRESSOR_SCHEMES]; - size_t _planarUncBufferSize[NUM_COMPRESSOR_SCHEMES]; + char* _packedAcBuffer; + Int64 _packedAcBufferSize; + char* _packedDcBuffer; + Int64 _packedDcBufferSize; + char* _rleBuffer; + Int64 _rleBufferSize; + char* _outBuffer; + Int64 _outBufferSize; + char* _planarUncBuffer[NUM_COMPRESSOR_SCHEMES]; + Int64 _planarUncBufferSize[NUM_COMPRESSOR_SCHEMES]; Zip *_zip; float _dwaCompressionLevel;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
