diff options
Diffstat (limited to 'patches/source/openexr/openexr.CVE-2017-9110-to-9116.patch')
-rw-r--r-- | patches/source/openexr/openexr.CVE-2017-9110-to-9116.patch | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/patches/source/openexr/openexr.CVE-2017-9110-to-9116.patch b/patches/source/openexr/openexr.CVE-2017-9110-to-9116.patch new file mode 100644 index 00000000..98c03a99 --- /dev/null +++ b/patches/source/openexr/openexr.CVE-2017-9110-to-9116.patch @@ -0,0 +1,82 @@ +--- a/IlmImf/ImfDwaCompressor.cpp ++++ b/IlmImf/ImfDwaCompressor.cpp +@@ -2377,7 +2377,12 @@ DwaCompressor::uncompress + + const char *dataPtr = inPtr + NUM_SIZES_SINGLE * sizeof(Int64); + +- if (inSize < headerSize + compressedSize) ++ /* Both the sum and individual sizes are checked in case of overflow. */ ++ if (inSize < (headerSize + compressedSize) || ++ inSize < unknownCompressedSize || ++ inSize < acCompressedSize || ++ inSize < dcCompressedSize || ++ inSize < rleCompressedSize) + { + throw Iex::InputExc("Error uncompressing DWA data" + "(truncated file)."); +diff --git a/IlmImf/ImfHuf.cpp b/IlmImf/ImfHuf.cpp +index a375d05..97909a5 100644 +--- a/IlmImf/ImfHuf.cpp ++++ b/IlmImf/ImfHuf.cpp +@@ -822,7 +822,7 @@ hufEncode // return: output size (in bits) + } + + +-#define getCode(po, rlc, c, lc, in, out, oe) \ ++#define getCode(po, rlc, c, lc, in, out, ob, oe)\ + { \ + if (po == rlc) \ + { \ +@@ -835,6 +835,8 @@ hufEncode // return: output size (in bits) + \ + if (out + cs > oe) \ + tooMuchData(); \ ++ else if (out - 1 < ob) \ ++ notEnoughData(); \ + \ + unsigned short s = out[-1]; \ + \ +@@ -895,7 +897,7 @@ hufDecode + // + + lc -= pl.len; +- getCode (pl.lit, rlc, c, lc, in, out, oe); ++ getCode (pl.lit, rlc, c, lc, in, out, outb, oe); + } + else + { +@@ -925,7 +927,7 @@ hufDecode + // + + lc -= l; +- getCode (pl.p[j], rlc, c, lc, in, out, oe); ++ getCode (pl.p[j], rlc, c, lc, in, out, outb, oe); + break; + } + } +@@ -952,7 +954,7 @@ hufDecode + if (pl.len) + { + lc -= pl.len; +- getCode (pl.lit, rlc, c, lc, in, out, oe); ++ getCode (pl.lit, rlc, c, lc, in, out, outb, oe); + } + else + { +diff --git a/IlmImf/ImfPizCompressor.cpp b/IlmImf/ImfPizCompressor.cpp +index 46c6fba..8b3ee38 100644 +--- a/IlmImf/ImfPizCompressor.cpp ++++ b/IlmImf/ImfPizCompressor.cpp +@@ -573,6 +573,12 @@ PizCompressor::uncompress (const char *inPtr, + int length; + Xdr::read <CharPtrIO> (inPtr, length); + ++ if (length > inSize) ++ { ++ throw InputExc ("Error in header for PIZ-compressed data " ++ "(invalid array length)."); ++ } ++ + hufUncompress (inPtr, length, _tmpBuffer, tmpBufferEnd - _tmpBuffer); + + // |