Fix CVE-2021-20304

Changes to be committed: modified: OpenEXR.spec
2022-08-19 08:51:46 +08:00 · 2022-08-19 08:51:46 +08:00 · db619bb8b5
commit db619bb8b5
parent aaec46d587
2 changed files with 197 additions and 1 deletions
--- a/CVE-2021-20304.patch
+++ b/CVE-2021-20304.patch
@ -0,0 +1,192 @@
 From c78042065812cb58ca51f331159d46415e66db8d Mon Sep 17 00:00:00 2001
 From: mayp <mayanping@ncti-gba.cn>
 Date: Thu, 18 Aug 2022 16:49:57 +0800
 Subject: [PATCH] Fix CVE-2021-20304
 ---
 IlmImf/ImfHuf.cpp      |   9 +++
 IlmImfTest/testHuf.cpp | 141 +++++++++++++++++++++++------------------
 2 files changed, 89 insertions(+), 61 deletions(-)
 diff --git a/IlmImf/ImfHuf.cpp b/IlmImf/ImfHuf.cpp
 index aa708a8..82af799 100644
 --- a/IlmImf/ImfHuf.cpp
 +++ b/IlmImf/ImfHuf.cpp
@@ -897,6 +897,11 @@ hufDecode
 		//
 		lc -= pl.len;
 +
 +		if ( lc < 0 )
 +		{
 +			invalidCode(); // code length too long
 +		}
 		getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
 	    }
 	    else
@@ -954,6 +959,10 @@ hufDecode
 	if (pl.len)
 	{
 	    lc -= pl.len;
 +            if ( lc < 0 )
 +            {
 +   	        invalidCode(); // code length too long
 +            }
 	    getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
 	}
 	else
 diff --git a/IlmImfTest/testHuf.cpp b/IlmImfTest/testHuf.cpp
 index d2728fb..10d3906 100644
 --- a/IlmImfTest/testHuf.cpp
 +++ b/IlmImfTest/testHuf.cpp
@@ -180,67 +180,86 @@ testHuf (const std::string&)
 	IMATH_NAMESPACE::Rand48 rand48 (0);
 -	const int N = 1000000;
 -	Array <unsigned short> raw (N);
 -
 -	fill1 (raw, N, 1, rand48);	  // test various symbol distributions
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 -	fill1 (raw, N, 10, rand48);
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 -	fill1 (raw, N, 100, rand48);
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 -	fill1 (raw, N, 1000, rand48);
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 -
 -	fill2 (raw, N, 1, rand48);
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 -	fill2 (raw, N, 10, rand48);
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 -	fill2 (raw, N, 100, rand48);
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 -	fill2 (raw, N, 1000, rand48);
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 -
 -	fill3 (raw, N, 0);
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 -	fill3 (raw, N, 1);
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 -	fill3 (raw, N, USHRT_MAX - 1);
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 -	fill3 (raw, N, USHRT_MAX);
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 -
 -	fill4 (raw, USHRT_MAX + 1);
 -	compressUncompress (raw, USHRT_MAX + 1);
 -	compressUncompressSubset (raw, USHRT_MAX + 1);
 -	fill4 (raw, N);
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 -
 -	fill4 (raw, 0);
 -	compressUncompress (raw, 0);	// test small input data sets
 -	fill4 (raw, 1);
 -	compressUncompress (raw, 1);
 -	fill4 (raw, 2);
 -	compressUncompress (raw, 2);
 -	fill4 (raw, 3);
 -	compressUncompress (raw, 3);
 -
 -	fill5 (raw, N);			// test run-length coding of code table
 -	compressUncompress (raw, N);
 -	compressUncompressSubset (raw, N);
 +        //
 +        // FastHufDecoder is used for more than 128 bits, so first test with fewer than 128 bits,
 +        // then test FastHufDecoder
 +        //
 +        for (int pass = 0 ; pass < 2 ; ++pass)
 +        {
 +
 +            int N = pass==0 ? 12 : 1000000;
 +            Array <unsigned short> raw (N);
 +
 +            fill1 (raw, N, 1, rand48);	  // test various symbol distributions
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +            fill1 (raw, N, 10, rand48);
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +            fill1 (raw, N, 100, rand48);
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +            fill1 (raw, N, 1000, rand48);
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +
 +            fill2 (raw, N, 1, rand48);
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +            fill2 (raw, N, 10, rand48);
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +            fill2 (raw, N, 100, rand48);
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +            fill2 (raw, N, 1000, rand48);
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +
 +            fill3 (raw, N, 0);
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +            fill3 (raw, N, 1);
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +            fill3 (raw, N, USHRT_MAX - 1);
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +            fill3 (raw, N, USHRT_MAX);
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +
 +            if (pass==1)
 +            {
 +                fill4 (raw, USHRT_MAX + 1);
 +                compressVerify(raw, USHRT_MAX + 1, HUF_COMPRESS_DEK_HASH_FOR_FILL4_USHRT_MAX_PLUS_ONE);
 +
 +                compressUncompress (raw, USHRT_MAX + 1);
 +                compressUncompressSubset (raw, USHRT_MAX + 1);
 +                fill4 (raw, N);
 +                compressVerify(raw, N, HUF_COMPRESS_DEK_HASH_FOR_FILL4_N);
 +            }
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +
 +            fill4 (raw, 0);
 +            compressUncompress (raw, 0);	// test small input data sets
 +            fill4 (raw, 1);
 +            compressUncompress (raw, 1);
 +            fill4 (raw, 2);
 +            compressUncompress (raw, 2);
 +            fill4 (raw, 3);
 +            compressUncompress (raw, 3);
 +
 +            fill5 (raw, N);			// test run-length coding of code table
 +            if (pass==1)
 +            {
 +                compressVerify(raw, N, HUF_COMPRESS_DEK_HASH_FOR_FILL5_N);
 +            }
 +            compressUncompress (raw, N);
 +            compressUncompressSubset (raw, N);
 +
 +        }
 	cout << "ok\n" << endl;
     }
 -- 
 2.33.0
--- a/OpenEXR.spec
+++ b/OpenEXR.spec
@ -1,7 +1,7 @@
 Name:           OpenEXR
 Summary:        A high dynamic-range (HDR) image file format for use in computer imaging applications
 Version:        2.2.0
-Release:        26
+Release:        27
 License:        BSD
 URL:	        http://www.openexr.com/
 Source0:        http://download.savannah.nongnu.org/releases/openexr/openexr-%{version}.tar.gz
@ -37,6 +37,7 @@ Patch0024:      CVE-2021-20300.patch
 Patch0025:      CVE-2021-20302.patch
 #https://github.com/AcademySoftwareFoundation/openexr/commit/5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17
 Patch0026:      CVE-2021-3933.patch
 Patch0027:      CVE-2021-20304.patch
 BuildConflicts: %{name}-devel < 2.2.0
 BuildRequires:  gcc-c++ ilmbase-devel >= %{version} zlib-devel pkgconfig
@ -100,6 +101,9 @@ test "$(pkg-config --modversion OpenEXR)" = "%{version}"
 %{_libdir}/pkgconfig/OpenEXR.pc
 %changelog
 * Thu Aug 18 2022 mayp <mayanping@ncti-gba.cn> - 2.2.0-27
 - Fix CVE-2021-20304 
 * Fri Jul 15 2022 weichao.zhang <weichao.zhang@epro.com.cn> - 2.2.0-26
 - Fix CVE-2021-20300 CVE-2021-20302 CVE-2021-3933