fix CVE-2021-20300 CVE-2021-20302 CVE-2021-3933

(cherry picked from commit 039a67120ac7283a3a2592a2a78a044b2105334c)
hundred-ci 2022-07-15 16:53:05 +08:00 committed by openeuler-sync-bot
parent 6e4c47cedb
commit 7aac8ec197
4 changed files with 122 additions and 1 deletions

14
CVE-2021-20300.patch Normal file

@ -0,0 +1,14 @@
diff -Naru openexr-2.2.0/IlmImf/ImfHuf.cpp openexr-2.2.0-new/IlmImf/ImfHuf.cpp
--- openexr-2.2.0/IlmImf/ImfHuf.cpp 2022-07-15 11:20:21.474483000 +0800
+++ openexr-2.2.0-new/IlmImf/ImfHuf.cpp 2022-07-15 11:21:53.484077000 +0800
@@ -1068,7 +1068,9 @@
const char *ptr = compressed + 20;
- if ( ptr + (nBits+7 )/8 > compressed+nCompressed)
+ uint64_t nBytes = (static_cast<uint64_t>(nBits)+7) / 8 ;
+
+ if ( ptr + nBytes > compressed+nCompressed)
{
notEnoughData();
return;
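Review bot: The bounds check in the ImfHuf.cpp hunk still compares pointers, so `ptr + nBytes` is formed before it is validated. With a very large `nBits`, or on a 32-bit build where the 64-bit offset is narrowed for pointer arithmetic, that sum can wrap or leave the buffer's range, and the comparison is then no longer reliable. Comparing lengths avoids forming the pointer at all, e.g. `if (nBytes > static_cast<uint64_t>(nCompressed) - 20)`, provided `nCompressed >= 20` is established earlier in the function, which this hunk does not show. If `nBits` is a signed value read from the file (its declaration is outside the hunk), a negative value should be rejected explicitly rather than left to the cast. The enclosing function starts and ends outside the hunk.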

33
CVE-2021-20302.patch Normal file

@ -0,0 +1,33 @@
diff -Naru "openexr-2.2.0 copy/IlmImf/ImfDeepScanLineInputFile.cpp" openexr-2.2.0/IlmImf/ImfDeepScanLineInputFile.cpp
--- "openexr-2.2.0 copy/IlmImf/ImfDeepScanLineInputFile.cpp" 2022-07-06 16:43:15.752732000 +0800
+++ openexr-2.2.0/IlmImf/ImfDeepScanLineInputFile.cpp 2022-07-06 16:45:09.368817000 +0800
@@ -717,10 +717,12 @@
int width = (_ifd->maxX - _ifd->minX + 1);
+ ptrdiff_t base = reinterpret_cast<ptrdiff_t>(&_ifd->sampleCount[0][0]);
+ base -= sizeof(unsigned int)*_ifd->minX;
+ base -= sizeof(unsigned int)*static_cast<ptrdiff_t>(_ifd->minY) * static_cast<ptrdiff_t>(width);
+
copyIntoDeepFrameBuffer (readPtr, slice.base,
- (char*) (&_ifd->sampleCount[0][0]
- - _ifd->minX
- - _ifd->minY * width),
+ reinterpret_cast<char*>(base),
sizeof(unsigned int) * 1,
sizeof(unsigned int) * width,
y, _ifd->minX, _ifd->maxX,
diff -Naru "openexr-2.2.0 copy/IlmImf/ImfTiledInputFile.cpp" openexr-2.2.0/IlmImf/ImfTiledInputFile.cpp
--- "openexr-2.2.0 copy/IlmImf/ImfTiledInputFile.cpp" 2022-07-06 16:43:15.892732000 +0800
+++ openexr-2.2.0/IlmImf/ImfTiledInputFile.cpp 2022-07-06 16:50:27.438890000 +0800
@@ -903,6 +903,9 @@
if (!isTiled (_data->version))
throw IEX_NAMESPACE::ArgExc ("Expected a tiled file but the file is not tiled.");
+ if (isNonImage (_data->version))
+ throw IEX_NAMESPACE::ArgExc ("File is not a regular tiled image.");
+
}
else
{
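Review bot: In the ImfDeepScanLineInputFile.cpp hunk the two `base -=` lines multiply `sizeof(unsigned int)` (a `size_t`) by signed operands, so a negative `minX` or `minY` is converted to a large unsigned value and the intended address comes out only through modular wraparound. The casts are also inconsistent: `minY` and `width` are widened but `minX` is not. Making the integer type explicit would show that the wraparound is intended, e.g. `uintptr_t base = reinterpret_cast<uintptr_t>(&_ifd->sampleCount[0][0]);` with each operand cast to `uintptr_t` before multiplying. A comment such as `// virtual origin of sample (0,0); kept as an integer because the address lies outside sampleCount when minX/minY are non-zero` would explain why a pointer is never formed directly. Separately, the context line `int width = (_ifd->maxX - _ifd->minX + 1);` is still computed in `int`, and the hunk does not show whether the data window is range-checked before this point.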

65
CVE-2021-3933.patch Normal file

@ -0,0 +1,65 @@
Backported of:
From 5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17 Mon Sep 17 00:00:00 2001
From: peterhillman <peterh@wetafx.co.nz>
Date: Wed, 22 Sep 2021 16:13:34 +1200
Subject: [PATCH] prevent overflow in bytesPerDeepLineTable (#1152)
* prevent overflow in bytesPerDeepLineTable
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
* restore zapped 'const' from ImfMisc
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
diff --git a/IlmImf/ImfMisc.cpp b/IlmImf/ImfMisc.cpp
index b091015..d3a21b7 100644
--- a/IlmImf/ImfMisc.cpp
+++ b/IlmImf/ImfMisc.cpp
@@ -167,16 +167,28 @@ bytesPerDeepLineTable (const Header &header,
c != channels.end();
++c)
{
+ const uint64_t pixelSize = pixelTypeSize (c.channel().type);
+
for (int y = minY; y <= maxY; ++y)
if (modp (y, c.channel().ySampling) == 0)
{
- int nBytes = 0;
+ uint64_t nBytes = 0;
for (int x = dataWindow.min.x; x <= dataWindow.max.x; x++)
{
if (modp (x, c.channel().xSampling) == 0)
- nBytes += pixelTypeSize (c.channel().type) *
- sampleCount(base, xStride, yStride, x, y);
+ nBytes += pixelSize *
+ static_cast<uint64_t>(sampleCount(base, xStride, yStride, x, y));
}
+
+ //
+ // architectures where size_t is smaller than 64 bits may overflow
+ // (scanlines with more than 2^32 bytes are not currently supported so this should not occur with valid files)
+ //
+ if( static_cast<uint64_t>(bytesPerLine[y - dataWindow.min.y]) + nBytes > SIZE_MAX)
+ {
+ throw IEX_NAMESPACE::IoExc("Scanline size too large");
+ }
+
bytesPerLine[y - dataWindow.min.y] += nBytes;
}
}
@@ -184,9 +196,12 @@ bytesPerDeepLineTable (const Header &header,
size_t maxBytesPerLine = 0;
for (int y = minY; y <= maxY; ++y)
+ {
if (maxBytesPerLine < bytesPerLine[y - dataWindow.min.y])
+ {
maxBytesPerLine = bytesPerLine[y - dataWindow.min.y];
-
+ }
+ }
return maxBytesPerLine;
}
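Review bot: The new guard `static_cast<uint64_t>(bytesPerLine[...]) + nBytes > SIZE_MAX` can never be true on builds where `size_t` is 64 bits, because the sum is itself computed in `uint64_t` and wraps instead of exceeding `SIZE_MAX`. The check therefore only protects 32-bit targets, as its comment implies, and a wrapped `nBytes` or a wrapped sum goes undetected elsewhere. A wrap-safe form is `if (nBytes > SIZE_MAX - bytesPerLine[y - dataWindow.min.y])`, which holds for any `size_t` width. The inner accumulation `nBytes += pixelSize * static_cast<uint64_t>(sampleCount(...))` is also unchecked. If `sampleCount` can yield a negative value (its return type is not visible here), the cast turns it into a very large count, so rejecting negative counts before the multiply would be worth adding.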


@ -1,7 +1,7 @@
Name: OpenEXR
Summary: A high dynamic-range (HDR) image file format for use in computer imaging applications
Version: 2.2.0
Release: 25
Release: 26
License: BSD
URL: http://www.openexr.com/
Source0: http://download.savannah.nongnu.org/releases/openexr/openexr-%{version}.tar.gz
@ -31,6 +31,12 @@ Patch0021: CVE-2021-3605.patch
Patch0022: CVE-2021-20303.patch
#https://github.com/AcademySoftwareFoundation/openexr/commit/7b11bbac18fc3c23.patch
Patch0023: CVE-2021-20299.patch
#https://github.com/AcademySoftwareFoundation/openexr/pull/836/files
Patch0024: CVE-2021-20300.patch
#https://github.com/AcademySoftwareFoundation/openexr/pull/842
Patch0025: CVE-2021-20302.patch
#https://github.com/AcademySoftwareFoundation/openexr/commit/5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17
Patch0026: CVE-2021-3933.patch
BuildConflicts: %{name}-devel < 2.2.0
BuildRequires: gcc-c++ ilmbase-devel >= %{version} zlib-devel pkgconfig
@ -94,6 +100,9 @@ test "$(pkg-config --modversion OpenEXR)" = "%{version}"
%{_libdir}/pkgconfig/OpenEXR.pc
%changelog
* Fri Jul 15 2022 weichao.zhang <weichao.zhang@epro.com.cn> - 2.2.0-26
- Fix CVE-2021-20300 CVE-2021-20302 CVE-2021-3933
* Wed Mar 23 2022 yaoxin <yaoxin30@huawei.com> - 2.2.0-25
- Fix CVE-2021-20299