packages/OpenEXR
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:e76c7b13aca2f73ba53f2eafa6098c76bf3c4305
Branches Tags
packages:main
...
compare: packages:34d8091a450f9ed50b338dfbcd7255c04e912f57
Branches Tags
packages:main

10 Commits
e76c7b13ac ... 34d8091a45

Author SHA1 Message Date
openeuler-ci-bot
34d8091a45
!102 Fix CVE-2024-31047 
From: @wk333 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
 2024-04-17 06:31:08 +00:00
wk333
fcd4f61e7b Fix CVE-2024-31047 2024-04-17 10:44:21 +08:00
openeuler-ci-bot
2634238303
!82 [sync] PR-81: Fix CVE-2021-20298 
From: @openeuler-sync-bot 
Reviewed-by: @gitee-cmd 
Signed-off-by: @gitee-cmd
 2022-08-26 07:05:01 +00:00
mayp
1dd3d0bd0f Changes to be committed: 
new file:   CVE-2021-20298.patch
	modified:   OpenEXR.spec

(cherry picked from commit cd531655669f557ec3d7ab8622c785a8b9c609e0)
 2022-08-26 10:40:34 +08:00
openeuler-ci-bot
658bfe75b5
!79 Fix CVE-2021-20304 
From: @myp-imago 
Reviewed-by: @gitee-cmd 
Signed-off-by: @gitee-cmd
 2022-08-19 02:43:26 +00:00
mayp
db619bb8b5 Fix CVE-2021-20304 
Changes to be committed:
	modified:   OpenEXR.spec
 2022-08-19 09:48:57 +08:00
openeuler-ci-bot
aaec46d587
!74 [sync] PR-73: Fix CVE-2021-20300 CVE-2021-20302 CVE-2021-3933 
From: @openeuler-sync-bot 
Reviewed-by: @small_leek 
Signed-off-by: @small_leek
 2022-07-18 03:10:28 +00:00
hundred-ci
7aac8ec197 fix CVE-2021-20300 CVE-2021-20302 CVE-2021-3933 
(cherry picked from commit 039a67120ac7283a3a2592a2a78a044b2105334c)
 2022-07-18 09:51:14 +08:00
openeuler-ci-bot
6e4c47cedb
!51 Fix CVE-2021-20299 
From: @starlet-dx 
Reviewed-by: @small_leek 
Signed-off-by: @small_leek
 2022-03-23 10:14:12 +00:00
starlet-dx
4ddedae515 Fix CVE-2021-20299 2022-03-23 11:04:03 +08:00
8 changed files with 425 additions and 1 deletions
Show Stats Expand all files Collapse all files

26
CVE-2021-20298.patch Normal file
View File

@ -0,0 +1,26 @@
From 01d1b18611469470eb3a1016c970953c09312fd6 Mon Sep 17 00:00:00 2001
From: mayp <mayanping@ncti-gba.cn>
Date: Thu, 25 Aug 2022 17:13:53 +0800
Subject: [PATCH] Changes to be committed: modified:
IlmImf/ImfB44Compressor.cpp
---
IlmImf/ImfB44Compressor.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/IlmImf/ImfB44Compressor.cpp b/IlmImf/ImfB44Compressor.cpp
index d9fec62..2b85ed0 100644
--- a/IlmImf/ImfB44Compressor.cpp
+++ b/IlmImf/ImfB44Compressor.cpp
@@ -492,7 +492,7 @@ B44Compressor::B44Compressor
//
_tmpBuffer = new unsigned short
- [checkArraySize (uiMult (maxScanLineSize, numScanLines),
+ [checkArraySize (uiMult (maxScanLineSize / sizeof(unsigned short), numScanLines),
sizeof (unsigned short))];
const ChannelList &channels = header().channels();
--
2.33.0

26
CVE-2021-20299.patch Normal file
View File

@ -0,0 +1,26 @@
From 7b11bbac18fc3c23c9c78ba1c4f9547c165a2613 Mon Sep 17 00:00:00 2001
From: Peter Hillman <peterh@wetafx.co.nz>
Date: Fri, 18 Sep 2020 08:47:21 +1200
Subject: [PATCH] add sanity check for reading multipart files with no parts
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
---
IlmImf/ImfMultiPartInputFile.cpp | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/IlmImf/ImfMultiPartInputFile.cpp b/IlmImf/ImfMultiPartInputFile.cpp
index 689956c90..cbb2ec234 100644
--- a/IlmImf/ImfMultiPartInputFile.cpp
+++ b/IlmImf/ImfMultiPartInputFile.cpp
@@ -340,6 +340,11 @@ MultiPartInputFile::initialize()
// Perform usual check on headers.
//
+ if ( _data->_headers.size() == 0)
+ {
+ throw IEX_NAMESPACE::ArgExc ("Files must contain at least one header");
+ }
+
for (size_t i = 0; i < _data->_headers.size(); i++)
{
//

14
CVE-2021-20300.patch Normal file
View File

@ -0,0 +1,14 @@
diff -Naru openexr-2.2.0/IlmImf/ImfHuf.cpp openexr-2.2.0-new/IlmImf/ImfHuf.cpp
--- openexr-2.2.0/IlmImf/ImfHuf.cpp 2022-07-15 11:20:21.474483000 +0800
+++ openexr-2.2.0-new/IlmImf/ImfHuf.cpp 2022-07-15 11:21:53.484077000 +0800
@@ -1068,7 +1068,9 @@
const char *ptr = compressed + 20;
- if ( ptr + (nBits+7 )/8 > compressed+nCompressed)
+ uint64_t nBytes = (static_cast<uint64_t>(nBits)+7) / 8 ;
+
+ if ( ptr + nBytes > compressed+nCompressed)
{
notEnoughData();
return;

33
CVE-2021-20302.patch Normal file
View File

@ -0,0 +1,33 @@
diff -Naru "openexr-2.2.0 copy/IlmImf/ImfDeepScanLineInputFile.cpp" openexr-2.2.0/IlmImf/ImfDeepScanLineInputFile.cpp
--- "openexr-2.2.0 copy/IlmImf/ImfDeepScanLineInputFile.cpp" 2022-07-06 16:43:15.752732000 +0800
+++ openexr-2.2.0/IlmImf/ImfDeepScanLineInputFile.cpp 2022-07-06 16:45:09.368817000 +0800
@@ -717,10 +717,12 @@
int width = (_ifd->maxX - _ifd->minX + 1);
+ ptrdiff_t base = reinterpret_cast<ptrdiff_t>(&_ifd->sampleCount[0][0]);
+ base -= sizeof(unsigned int)*_ifd->minX;
+ base -= sizeof(unsigned int)*static_cast<ptrdiff_t>(_ifd->minY) * static_cast<ptrdiff_t>(width);
+
copyIntoDeepFrameBuffer (readPtr, slice.base,
- (char*) (&_ifd->sampleCount[0][0]
- - _ifd->minX
- - _ifd->minY * width),
+ reinterpret_cast<char*>(base),
sizeof(unsigned int) * 1,
sizeof(unsigned int) * width,
y, _ifd->minX, _ifd->maxX,
diff -Naru "openexr-2.2.0 copy/IlmImf/ImfTiledInputFile.cpp" openexr-2.2.0/IlmImf/ImfTiledInputFile.cpp
--- "openexr-2.2.0 copy/IlmImf/ImfTiledInputFile.cpp" 2022-07-06 16:43:15.892732000 +0800
+++ openexr-2.2.0/IlmImf/ImfTiledInputFile.cpp 2022-07-06 16:50:27.438890000 +0800
@@ -903,6 +903,9 @@
if (!isTiled (_data->version))
throw IEX_NAMESPACE::ArgExc ("Expected a tiled file but the file is not tiled.");
+ if (isNonImage (_data->version))
+ throw IEX_NAMESPACE::ArgExc ("File is not a regular tiled image.");
+
}
else
{

192
CVE-2021-20304.patch Normal file
View File

@ -0,0 +1,192 @@
From c78042065812cb58ca51f331159d46415e66db8d Mon Sep 17 00:00:00 2001
From: mayp <mayanping@ncti-gba.cn>
Date: Thu, 18 Aug 2022 16:49:57 +0800
Subject: [PATCH] Fix CVE-2021-20304
---
IlmImf/ImfHuf.cpp | 9 +++
IlmImfTest/testHuf.cpp | 141 +++++++++++++++++++++++------------------
2 files changed, 89 insertions(+), 61 deletions(-)
diff --git a/IlmImf/ImfHuf.cpp b/IlmImf/ImfHuf.cpp
index aa708a8..82af799 100644
--- a/IlmImf/ImfHuf.cpp
+++ b/IlmImf/ImfHuf.cpp
@@ -897,6 +897,11 @@ hufDecode
//
lc -= pl.len;
+
+ if ( lc < 0 )
+ {
+ invalidCode(); // code length too long
+ }
getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
}
else
@@ -954,6 +959,10 @@ hufDecode
if (pl.len)
{
lc -= pl.len;
+ if ( lc < 0 )
+ {
+ invalidCode(); // code length too long
+ }
getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
}
else
diff --git a/IlmImfTest/testHuf.cpp b/IlmImfTest/testHuf.cpp
index d2728fb..10d3906 100644
--- a/IlmImfTest/testHuf.cpp
+++ b/IlmImfTest/testHuf.cpp
@@ -180,67 +180,86 @@ testHuf (const std::string&)
IMATH_NAMESPACE::Rand48 rand48 (0);
- const int N = 1000000;
- Array <unsigned short> raw (N);
-
- fill1 (raw, N, 1, rand48); // test various symbol distributions
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
- fill1 (raw, N, 10, rand48);
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
- fill1 (raw, N, 100, rand48);
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
- fill1 (raw, N, 1000, rand48);
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
-
- fill2 (raw, N, 1, rand48);
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
- fill2 (raw, N, 10, rand48);
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
- fill2 (raw, N, 100, rand48);
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
- fill2 (raw, N, 1000, rand48);
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
-
- fill3 (raw, N, 0);
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
- fill3 (raw, N, 1);
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
- fill3 (raw, N, USHRT_MAX - 1);
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
- fill3 (raw, N, USHRT_MAX);
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
-
- fill4 (raw, USHRT_MAX + 1);
- compressUncompress (raw, USHRT_MAX + 1);
- compressUncompressSubset (raw, USHRT_MAX + 1);
- fill4 (raw, N);
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
-
- fill4 (raw, 0);
- compressUncompress (raw, 0); // test small input data sets
- fill4 (raw, 1);
- compressUncompress (raw, 1);
- fill4 (raw, 2);
- compressUncompress (raw, 2);
- fill4 (raw, 3);
- compressUncompress (raw, 3);
-
- fill5 (raw, N); // test run-length coding of code table
- compressUncompress (raw, N);
- compressUncompressSubset (raw, N);
+ //
+ // FastHufDecoder is used for more than 128 bits, so first test with fewer than 128 bits,
+ // then test FastHufDecoder
+ //
+ for (int pass = 0 ; pass < 2 ; ++pass)
+ {
+
+ int N = pass==0 ? 12 : 1000000;
+ Array <unsigned short> raw (N);
+
+ fill1 (raw, N, 1, rand48); // test various symbol distributions
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+ fill1 (raw, N, 10, rand48);
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+ fill1 (raw, N, 100, rand48);
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+ fill1 (raw, N, 1000, rand48);
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+
+ fill2 (raw, N, 1, rand48);
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+ fill2 (raw, N, 10, rand48);
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+ fill2 (raw, N, 100, rand48);
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+ fill2 (raw, N, 1000, rand48);
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+
+ fill3 (raw, N, 0);
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+ fill3 (raw, N, 1);
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+ fill3 (raw, N, USHRT_MAX - 1);
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+ fill3 (raw, N, USHRT_MAX);
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+
+ if (pass==1)
+ {
+ fill4 (raw, USHRT_MAX + 1);
+ compressVerify(raw, USHRT_MAX + 1, HUF_COMPRESS_DEK_HASH_FOR_FILL4_USHRT_MAX_PLUS_ONE);
+
+ compressUncompress (raw, USHRT_MAX + 1);
+ compressUncompressSubset (raw, USHRT_MAX + 1);
+ fill4 (raw, N);
+ compressVerify(raw, N, HUF_COMPRESS_DEK_HASH_FOR_FILL4_N);
+ }
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+
+ fill4 (raw, 0);
+ compressUncompress (raw, 0); // test small input data sets
+ fill4 (raw, 1);
+ compressUncompress (raw, 1);
+ fill4 (raw, 2);
+ compressUncompress (raw, 2);
+ fill4 (raw, 3);
+ compressUncompress (raw, 3);
+
+ fill5 (raw, N); // test run-length coding of code table
+ if (pass==1)
+ {
+ compressVerify(raw, N, HUF_COMPRESS_DEK_HASH_FOR_FILL5_N);
+ }
+ compressUncompress (raw, N);
+ compressUncompressSubset (raw, N);
+
+ }
cout << "ok\n" << endl;
}
--
2.33.0

65
CVE-2021-3933.patch Normal file
View File

@ -0,0 +1,65 @@
Backported of:
From 5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17 Mon Sep 17 00:00:00 2001
From: peterhillman <peterh@wetafx.co.nz>
Date: Wed, 22 Sep 2021 16:13:34 +1200
Subject: [PATCH] prevent overflow in bytesPerDeepLineTable (#1152)
* prevent overflow in bytesPerDeepLineTable
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
* restore zapped 'const' from ImfMisc
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
diff --git a/IlmImf/ImfMisc.cpp b/IlmImf/ImfMisc.cpp
index b091015..d3a21b7 100644
--- a/IlmImf/ImfMisc.cpp
+++ b/IlmImf/ImfMisc.cpp
@@ -167,16 +167,28 @@ bytesPerDeepLineTable (const Header &header,
c != channels.end();
++c)
{
+ const uint64_t pixelSize = pixelTypeSize (c.channel().type);
+
for (int y = minY; y <= maxY; ++y)
if (modp (y, c.channel().ySampling) == 0)
{
- int nBytes = 0;
+ uint64_t nBytes = 0;
for (int x = dataWindow.min.x; x <= dataWindow.max.x; x++)
{
if (modp (x, c.channel().xSampling) == 0)
- nBytes += pixelTypeSize (c.channel().type) *
- sampleCount(base, xStride, yStride, x, y);
+ nBytes += pixelSize *
+ static_cast<uint64_t>(sampleCount(base, xStride, yStride, x, y));
}
+
+ //
+ // architectures where size_t is smaller than 64 bits may overflow
+ // (scanlines with more than 2^32 bytes are not currently supported so this should not occur with valid files)
+ //
+ if( static_cast<uint64_t>(bytesPerLine[y - dataWindow.min.y]) + nBytes > SIZE_MAX)
+ {
+ throw IEX_NAMESPACE::IoExc("Scanline size too large");
+ }
+
bytesPerLine[y - dataWindow.min.y] += nBytes;
}
}
@@ -184,9 +196,12 @@ bytesPerDeepLineTable (const Header &header,
size_t maxBytesPerLine = 0;
for (int y = minY; y <= maxY; ++y)
+ {
if (maxBytesPerLine < bytesPerLine[y - dataWindow.min.y])
+ {
maxBytesPerLine = bytesPerLine[y - dataWindow.min.y];
-
+ }
+ }
return maxBytesPerLine;
}

42
CVE-2024-31047.patch Normal file
View File

@ -0,0 +1,42 @@
From 7aa89e1d09b09d9f5dbb96976ee083a331ab9d71 Mon Sep 17 00:00:00 2001
From: xiaoxiaoafeifei <zhailiangliang@loongson.cn>
Date: Wed, 20 Mar 2024 00:09:05 +0800
Subject: [PATCH] prevent integer overflows in file exrmultipart.cpp (#1681)
Signed-off-by: ZhaiLiangliang <zhailiangliang@loongson.cn>
Origin: https://github.com/AcademySoftwareFoundation/openexr/pull/1681
---
exrmultipart/exrmultipart.cpp | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/exrmultipart/exrmultipart.cpp b/exrmultipart/exrmultipart.cpp
index 931cebc..1c624b8 100644
--- a/exrmultipart/exrmultipart.cpp
+++ b/exrmultipart/exrmultipart.cpp
@@ -326,12 +326,17 @@ convert(vector <const char*> in,
}
Box2i dataWindow = infile.header(0).dataWindow();
- int pixel_count = (dataWindow.size().y+1)*(dataWindow.size().x+1);
- int pixel_width = dataWindow.size().x+1;
-
+ //
+ // use int64_t for dimensions, since possible overflow int storage
+ //
+ int64_t pixel_count = (static_cast<int64_t>(dataWindow.size ().y) + 1) * (static_cast<int64_t>(dataWindow.size ().x) + 1);
+ int64_t pixel_width = static_cast<int64_t>(dataWindow.size ().x) + 1;
+ //
// offset in pixels between base of array and 0,0
- int pixel_base = dataWindow.min.y*pixel_width+dataWindow.min.x;
+ // use int64_t for dimensions, since dataWindow.min.y * pixel_width could overflow int storage
+ //
+ int64_t pixel_base = static_cast<int64_t>(dataWindow.min.y) * pixel_width + static_cast<int64_t>(dataWindow.min.x);
vector< vector<char> > channelstore(channel_count);
--
2.43.0

28
OpenEXR.spec
View File

@ -1,7 +1,7 @@
Name: OpenEXR
Summary: A high dynamic-range (HDR) image file format for use in computer imaging applications
Version: 2.2.0
Release: 24
Release: 29
License: BSD
URL: http://www.openexr.com/
Source0: http://download.savannah.nongnu.org/releases/openexr/openexr-%{version}.tar.gz
@ -29,6 +29,17 @@ Patch0019: CVE-2020-15305.patch
Patch0020: CVE-2020-15306.patch
Patch0021: CVE-2021-3605.patch
Patch0022: CVE-2021-20303.patch
#https://github.com/AcademySoftwareFoundation/openexr/commit/7b11bbac18fc3c23.patch
Patch0023: CVE-2021-20299.patch
#https://github.com/AcademySoftwareFoundation/openexr/pull/836/files
Patch0024: CVE-2021-20300.patch
#https://github.com/AcademySoftwareFoundation/openexr/pull/842
Patch0025: CVE-2021-20302.patch
#https://github.com/AcademySoftwareFoundation/openexr/commit/5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17
Patch0026: CVE-2021-3933.patch
Patch0027: CVE-2021-20304.patch
Patch0028: CVE-2021-20298.patch
Patch0029: CVE-2024-31047.patch
BuildConflicts: %{name}-devel < 2.2.0
BuildRequires: gcc-c++ ilmbase-devel >= %{version} zlib-devel pkgconfig
@ -92,6 +103,21 @@ test "$(pkg-config --modversion OpenEXR)" = "%{version}"
%{_libdir}/pkgconfig/OpenEXR.pc
%changelog
* Wed Apr 17 2024 wangkai <13474090681@163.com> - 2.2.0-29
- Fix CVE-2024-31047
* Thu Aug 25 2022 mayp <mayanping@ncti-gba.cn> - 2.2.0-28
- Fix CVE-2021-20298
* Thu Aug 18 2022 mayp <mayanping@ncti-gba.cn> - 2.2.0-27
- Fix CVE-2021-20304
* Fri Jul 15 2022 weichao.zhang <weichao.zhang@epro.com.cn> - 2.2.0-26
- Fix CVE-2021-20300 CVE-2021-20302 CVE-2021-3933
* Wed Mar 23 2022 yaoxin <yaoxin30@huawei.com> - 2.2.0-25
- Fix CVE-2021-20299
* Mon Mar 14 2022 yaoxin <yaoxin30@huawei.com> - 2.2.0-24
- Fix CVE-2021-20303