From 94c7aa17899a82712b23beb35efcd3b2e429a7e8 Mon Sep 17 00:00:00 2001
From: houyingchao <1348375921@qq.com>
Date: Tue, 22 Jun 2021 15:26:04 +0800
Subject: [PATCH] fix CVE-2021-23169 CVE-2021-23215 CVE-2021-26260

(cherry picked from commit 61d45dd49f101bd20670df7ee2f5374722448e0f)
---
 CVE-2021-23169.patch | 34 ++++++++++++++++++
 CVE-2021-23215.patch | 83 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2021-26260.patch | 41 ++++++++++++++++++++++
 OpenEXR.spec         |  8 ++++-
 4 files changed, 165 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-23169.patch
 create mode 100644 CVE-2021-23215.patch
 create mode 100644 CVE-2021-26260.patch

diff --git a/CVE-2021-23169.patch b/CVE-2021-23169.patch
new file mode 100644
index 0000000..1584d7e
--- /dev/null
+++ b/CVE-2021-23169.patch
@@ -0,0 +1,34 @@
+From ae6d203892cc9311917a7f4f05354ef792b3e58e Mon Sep 17 00:00:00 2001
+From: peterhillman <peterh@wetafx.co.nz>
+Date: Thu, 3 Dec 2020 10:53:32 +1300
+Subject: [PATCH] Handle xsampling and bad seekg() calls in exrcheck (#872)
+
+* fix exrcheck xsampling!=1
+
+Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
+
+* fix handling bad seekg() calls in exrcheck
+
+Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
+
+* fix deeptile detection in multipart files
+
+Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
+---
+ src/lib/OpenEXR/ImfDeepTiledInputFile.cpp |  2 +-
+ src/lib/OpenEXRUtil/ImfCheckFile.cpp      | 20 ++++++++++++--------
+ 2 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/src/lib/OpenEXR/ImfDeepTiledInputFile.cpp b/src/lib/OpenEXR/ImfDeepTiledInputFile.cpp
+index f5abe9c6a..94452905c 100644
+--- a/IlmImf/ImfDeepTiledInputFile.cpp
++++ b/IlmImf/ImfDeepTiledInputFile.cpp
+@@ -960,7 +960,7 @@ DeepTiledInputFile::compatibilityInitialize(OPENEXR_IMF_INTERNAL_NAMESPACE::IStr
+ void
+ DeepTiledInputFile::multiPartInitialize(InputPartData* part)
+ {
+-    if (isTiled(part->header.type()) == false)
++    if (part->header.type() != DEEPTILE)
+         THROW (IEX_NAMESPACE::ArgExc, "Can't build a DeepTiledInputFile from a part of type " << part->header.type());
+ 
+     _data->_streamData = part->mutex;
diff --git a/CVE-2021-23215.patch b/CVE-2021-23215.patch
new file mode 100644
index 0000000..9a3da66
--- /dev/null
+++ b/CVE-2021-23215.patch
@@ -0,0 +1,83 @@
+From 1f7cac0d1538544d3f93353bc16750374aea33b8 Mon Sep 17 00:00:00 2001
+From: jackie_wu <wutao61@huawei.com>
+Date: Fri, 18 Jun 2021 16:31:51 +0800
+Subject: [PATCH] add
+
+---
+ IlmImf/ImfDwaCompressor.cpp | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/IlmImf/ImfDwaCompressor.cpp b/IlmImf/ImfDwaCompressor.cpp
+index 1c1bd45..424cc46 100644
+--- a/IlmImf/ImfDwaCompressor.cpp
++++ b/IlmImf/ImfDwaCompressor.cpp
+@@ -2905,8 +2905,8 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize)
+ 
+     int maxOutBufferSize  = 0;
+     int numLossyDctChans  = 0;
+-    int unknownBufferSize = 0;
+-    int rleBufferSize     = 0;
++    size_t unknownBufferSize = 0;
++    size_t rleBufferSize     = 0;
+ 
+     int maxLossyDctAcSize = (int)ceil ((float)numScanLines() / 8.0f) * 
+                             (int)ceil ((float)(_max[0] - _min[0] + 1) / 8.0f) *
+@@ -2916,6 +2916,9 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize)
+                             (int)ceil ((float)(_max[0] - _min[0] + 1) / 8.0f) *
+                             sizeof (unsigned short);
+ 
++
++    size_t pixelCount = static_cast<size_t>(numScanLines()) * static_cast<size_t>(_max[0] - _min[0] + 1);
++
+     for (unsigned int chan = 0; chan < _channelData.size(); ++chan)
+     {
+         switch (_channelData[chan].compression)
+@@ -2939,8 +2942,7 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize)
+                 // of the source data.
+                 //
+ 
+-                int rleAmount = 2 * numScanLines() * (_max[0] - _min[0] + 1) *
+-                                Imf::pixelTypeSize (_channelData[chan].type);
++                size_t rleAmount = 2 * pixelCount * Imf::pixelTypeSize (_channelData[chan].type);
+ 
+                 rleBufferSize += rleAmount;
+             }
+@@ -2949,8 +2951,7 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize)
+ 
+           case UNKNOWN:
+ 
+-            unknownBufferSize += numScanLines() * (_max[0] - _min[0] + 1) *
+-                                 Imf::pixelTypeSize (_channelData[chan].type);
++            unknownBufferSize += pixelCount * Imf::pixelTypeSize (_channelData[chan].type);
+             break;
+ 
+           default:
+@@ -3059,7 +3060,7 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize)
+     // all in one swoop (for each compression scheme).
+     //
+ 
+-    int planarUncBufferSize[NUM_COMPRESSOR_SCHEMES];
++    size_t planarUncBufferSize[NUM_COMPRESSOR_SCHEMES];
+     for (int i=0; i<NUM_COMPRESSOR_SCHEMES; ++i)
+         planarUncBufferSize[i] = 0;
+ 
+@@ -3071,14 +3072,12 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize)
+             break;
+ 
+           case RLE:
+-            planarUncBufferSize[RLE] +=
+-                     numScanLines() * (_max[0] - _min[0] + 1) *
++            planarUncBufferSize[RLE] += pixelCount *
+                      Imf::pixelTypeSize (_channelData[chan].type);
+             break;
+ 
+           case UNKNOWN: 
+-            planarUncBufferSize[UNKNOWN] +=
+-                     numScanLines() * (_max[0] - _min[0] + 1) *
++            planarUncBufferSize[UNKNOWN] += pixelCount *
+                      Imf::pixelTypeSize (_channelData[chan].type);
+             break;
+ 
+-- 
+2.23.0
+
diff --git a/CVE-2021-26260.patch b/CVE-2021-26260.patch
new file mode 100644
index 0000000..2b8cb18
--- /dev/null
+++ b/CVE-2021-26260.patch
@@ -0,0 +1,41 @@
+From ca5ad034786d75ad9e9f0370a87bbb6ddfe35f86 Mon Sep 17 00:00:00 2001
+From: = <=>
+Date: Tue, 22 Jun 2021 14:47:31 +0800
+Subject: [PATCH] add
+
+---
+ IlmImf/ImfDwaCompressor.cpp | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/IlmImf/ImfDwaCompressor.cpp b/IlmImf/ImfDwaCompressor.cpp
+index ddd8b3c..4aa0d58 100644
+--- a/IlmImf/ImfDwaCompressor.cpp
++++ b/IlmImf/ImfDwaCompressor.cpp
+@@ -2908,7 +2908,7 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize)
+     // of channels we have. 
+     //
+ 
+-    int maxOutBufferSize  = 0;
++    size_t maxOutBufferSize  = 0;
+     int numLossyDctChans  = 0;
+     size_t unknownBufferSize = 0;
+     size_t rleBufferSize     = 0;
+@@ -2973,13 +2973,13 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize)
+     // which could take slightly more space
+     //
+ 
+-    maxOutBufferSize += (int)(ceil (1.01f * (float)rleBufferSize) + 100);
++    maxOutBufferSize += ceil (1.01f * (float)rleBufferSize) + 100;
+     
+     //
+     // And the same goes for the UNKNOWN data
+     //
+ 
+-    maxOutBufferSize += (int)(ceil (1.01f * (float)unknownBufferSize) + 100);
++    maxOutBufferSize += ceil (1.01f * (float)unknownBufferSize) + 100;
+ 
+     //
+     // Allocate a zip/deflate compressor big enought to hold the DC data
+-- 
+2.23.0
+
diff --git a/OpenEXR.spec b/OpenEXR.spec
index 41b1d72..8534a13 100644
--- a/OpenEXR.spec
+++ b/OpenEXR.spec
@@ -1,7 +1,7 @@
 Name:           OpenEXR
 Summary:        A high dynamic-range (HDR) image file format for use in computer imaging applications
 Version:        2.2.0
-Release:        19
+Release:        20
 License:        BSD
 URL:	        http://www.openexr.com/
 Source0:        http://download.savannah.nongnu.org/releases/openexr/openexr-%{version}.tar.gz
@@ -20,6 +20,9 @@ Patch0010:      CVE-2021-3479.patch
 Patch0011:      CVE-2021-3475-pre0.patch
 Patch0012:      CVE-2021-3475-pre1.patch
 Patch0013:      CVE-2021-3475.patch
+Patch0014:      CVE-2021-23215.patch
+Patch0015:      CVE-2021-23169.patch
+Patch0016:      CVE-2021-26260.patch
 
 BuildConflicts: %{name}-devel < 2.2.0
 BuildRequires:  gcc-c++ ilmbase-devel >= %{version} zlib-devel pkgconfig
@@ -83,6 +86,9 @@ test "$(pkg-config --modversion OpenEXR)" = "%{version}"
 %{_libdir}/pkgconfig/OpenEXR.pc
 
 %changelog
+* Tue Jun 22 2021 houyingchao <houyingchao@huawei.com> - 2.2.0-20
+- fix CVE-2021-23215 CVE-2021-23169 CVE-2021-26260
+
 * Tue Apr 06 2021 wangyue <wangyue92@huawei.com> - 2.2.0-19
 - fix CVE-2021-3474 CVE-2021-3477 CVE-2021-3476 CVE-2021-3475 CVE-2021-20296 CVE-2021-3479 CVE-2021-20296
 
-- 
Gitee