diff --git a/CVE-2020-11758-to-CVE-2020-11765.patch b/CVE-2020-11758-to-CVE-2020-11765.patch new file mode 100644 index 0000000000000000000000000000000000000000..97d19fb1b9ac208c2e862058821a0cf5a01aacd7 --- /dev/null +++ b/CVE-2020-11758-to-CVE-2020-11765.patch @@ -0,0 +1,671 @@ +Backport of + +From 6bad53af7eebed507564dd5fc90320e4c6a6c0bc Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Mon, 20 Jan 2020 09:07:02 +1300 +Subject: [PATCH 01/23] Force tile sizes to be less than INT_MAX bytes, in line + with the maximum dimensions of data windows + +From df987cabc20c90803692022fd232def837cb88cc Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Mon, 20 Jan 2020 10:52:17 +1300 +Subject: [PATCH 02/23] validate tiles have valid headers when raw reading + tiles + +From 37750013830def57f19f3c3b7faaa9fc1dae81b3 Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Mon, 20 Jan 2020 11:18:55 +1300 +Subject: [PATCH 03/23] Sanity check for input buffer overruns in RLE + uncompress + +From 3eda5d70aba127bae9bd6bae9956fcf024b64031 Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Mon, 20 Jan 2020 14:46:54 +1300 +Subject: [PATCH 04/23] fixes for DWA uncompress: sanity check unknown data + reading, off-by-one error on max suffix string length + +From b9997d0c045fa01af3d2e46e1a74b07cc4519446 Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Mon, 20 Jan 2020 15:39:10 +1300 +Subject: [PATCH 06/23] prevent int overflow when calculating buffer offsets + +From 7a52d40ae23c148f27116cb1f6e897b9143b372c Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Tue, 21 Jan 2020 12:04:13 +1300 +Subject: [PATCH 07/23] bypass SSE optimization when skipping subsampled + channels + +From 801272c9bf8b84a66c62f1e8a4490ece81da6a56 Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Tue, 21 Jan 2020 13:33:53 +1300 +Subject: [PATCH 08/23] check for bad bit counts in Huff encoded data + +From 43cd3ad47d53356da6ae2e983e47c8313aebf72e Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Tue, 21 Jan 2020 14:53:23 +1300 +Subject: [PATCH 09/23] improve bad count detection in huf decompress + +From ea3349896d4a8a3b523e8f3b830334a85240b1e6 Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Tue, 21 Jan 2020 15:12:58 +1300 +Subject: [PATCH 10/23] sanity check data reads from PIZ data + +From b1c34c496b62117115b1089b18a44e0031800a09 Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Wed, 22 Jan 2020 09:35:46 +1300 +Subject: [PATCH 11/23] fix memory leak when reading damaged PIZ files + +From e7c26f6ef5bf7ae8ea21ecf19963186cd1391720 Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Wed, 22 Jan 2020 17:31:22 +1300 +Subject: [PATCH 12/23] abort when file claims to have excessive scanline data + requirements + +From a6408c90339bdf19f89476578d7f936b741be9b2 Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Thu, 23 Jan 2020 09:40:44 +1300 +Subject: [PATCH 13/23] avoid creating compression object just to compute + numLinesInBuffer + +From 2ae5f8376b0a6c3e2bb100042f5de79503ba837a Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Thu, 23 Jan 2020 09:52:58 +1300 +Subject: [PATCH 14/23] fix check for valid ruleSize + +From dea0ef1ee7b2f4d2aa42ffba7b442e5d8051222b Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Thu, 23 Jan 2020 12:30:11 +1300 +Subject: [PATCH 15/23] fix memory leak on DeepTiledInput files: compressor for + sample count table wasn't deleted + +From d4fbaad4efe5d0ddf325da44ecbab105ebb2954e Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Thu, 23 Jan 2020 12:33:11 +1300 +Subject: [PATCH 16/23] fix memory leak in test suite + +From 53a06468ef5a08f4f2beb2d264a20547d7a78753 Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Thu, 23 Jan 2020 14:44:48 +1300 +Subject: [PATCH 17/23] fixes to memory leak when constructors throw exceptions + +From b673e6ad0ec6cef94d86b9586244d26088a3d792 Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Fri, 24 Jan 2020 08:42:07 +1300 +Subject: [PATCH 18/23] Fix cleanup when DeepScanLineInputFile constructor + throws + +From acad98d6d3e787f36012a3737c23c42c7f43a00f Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Fri, 24 Jan 2020 13:43:47 +1300 +Subject: [PATCH 21/23] missing header for ptrdiff_t + +From 0a1aa55ef108169c933ddaa631c1f6cb02b69050 Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Tue, 28 Jan 2020 18:17:01 +1300 +Subject: [PATCH 22/23] minor tweaks and typo fixes + +From 89ce46f38c5e658d21df9179c1641c496cab7396 Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Tue, 28 Jan 2020 18:18:01 +1300 +Subject: [PATCH 23/23] force x/y Sampling to 1 for Deep Scanline Images + + + + +--- openexr-2.2.1.orig/IlmImf/ImfCompositeDeepScanLine.cpp ++++ openexr-2.2.1/IlmImf/ImfCompositeDeepScanLine.cpp +@@ -179,7 +179,7 @@ CompositeDeepScanLine::Data::handleDeepF + int start, + int end) + { +- int width=_dataWindow.size().x+1; ++ ptrdiff_t width=_dataWindow.size().x+1; + size_t pixelcount = width * (end-start+1); + pointers.resize(_channels.size()); + counts.resize(pixelcount); +--- openexr-2.2.1.orig/IlmImf/ImfDeepScanLineInputFile.cpp ++++ openexr-2.2.1/IlmImf/ImfDeepScanLineInputFile.cpp +@@ -915,8 +915,7 @@ void DeepScanLineInputFile::initialize(c + } + catch (...) + { +- delete _data; +- _data=NULL; ++ // Don't delete _data here, leave that to caller + throw; + } + } +@@ -932,8 +931,15 @@ DeepScanLineInputFile::DeepScanLineInput + _data->memoryMapped = _data->_streamData->is->isMemoryMapped(); + _data->version = part->version; + +- initialize(part->header); +- ++ try ++ { ++ initialize(part->header); ++ } ++ catch(...) ++ { ++ delete _data; ++ throw; ++ } + _data->lineOffsets = part->chunkOffsets; + + _data->partNumber = part->partNumber; +@@ -945,7 +951,6 @@ DeepScanLineInputFile::DeepScanLineInput + : + _data (new Data (numThreads)) + { +- _data->_streamData = new InputStreamMutex(); + _data->_deleteStream = true; + OPENEXR_IMF_INTERNAL_NAMESPACE::IStream* is = 0; + +@@ -955,12 +960,29 @@ DeepScanLineInputFile::DeepScanLineInput + readMagicNumberAndVersionField(*is, _data->version); + // + // Backward compatibility to read multpart file. +- // ++ // multiPartInitialize will create _streamData + if (isMultiPart(_data->version)) + { + compatibilityInitialize(*is); + return; + } ++ } ++ catch (IEX_NAMESPACE::BaseExc &e) ++ { ++ if (is) delete is; ++ if (_data) delete _data; ++ ++ REPLACE_EXC (e, "Cannot read image file " ++ "\"" << fileName << "\". " << e.what()); ++ throw; ++ } ++ ++ // ++ // not multiPart - allocate stream data and intialise as normal ++ // ++ try ++ { ++ _data->_streamData = new InputStreamMutex(); + _data->_streamData->is = is; + _data->memoryMapped = is->isMemoryMapped(); + _data->header.readFrom (*_data->_streamData->is, _data->version); +@@ -976,7 +998,10 @@ DeepScanLineInputFile::DeepScanLineInput + catch (IEX_NAMESPACE::BaseExc &e) + { + if (is) delete is; +- if (_data && _data->_streamData) delete _data->_streamData; ++ if (_data && _data->_streamData) ++ { ++ delete _data->_streamData; ++ } + if (_data) delete _data; + + REPLACE_EXC (e, "Cannot read image file " +@@ -986,7 +1011,10 @@ DeepScanLineInputFile::DeepScanLineInput + catch (...) + { + if (is) delete is; +- if (_data && _data->_streamData) delete _data->_streamData; ++ if (_data && _data->_streamData) ++ { ++ delete _data->_streamData; ++ } + if (_data) delete _data; + + throw; +@@ -1010,7 +1038,18 @@ DeepScanLineInputFile::DeepScanLineInput + + _data->version =version; + +- initialize (header); ++ try ++ { ++ initialize (header); ++ } ++ catch (...) ++ { ++ if (_data && _data->_streamData) ++ { ++ delete _data->_streamData; ++ } ++ if (_data) delete _data; ++ } + + readLineOffsets (*_data->_streamData->is, + _data->lineOrder, +@@ -1042,8 +1081,9 @@ DeepScanLineInputFile::~DeepScanLineInpu + // + + if (_data->partNumber == -1 && _data->_streamData) ++ { + delete _data->_streamData; +- ++ } + delete _data; + } + } +--- openexr-2.2.1.orig/IlmImf/ImfDeepTiledInputFile.cpp ++++ openexr-2.2.1/IlmImf/ImfDeepTiledInputFile.cpp +@@ -283,6 +283,7 @@ DeepTiledInputFile::Data::Data (int numT + multiPartBackwardSupport(false), + numThreads(numThreads), + memoryMapped(false), ++ sampleCountTableComp(NULL), + _streamData(NULL), + _deleteStream(false) + { +@@ -308,6 +309,8 @@ DeepTiledInputFile::Data::~Data () + + for (size_t i = 0; i < slices.size(); i++) + delete slices[i]; ++ ++ delete sampleCountTableComp; + } + + +@@ -927,7 +930,15 @@ DeepTiledInputFile::DeepTiledInputFile ( + _data (new Data (part->numThreads)) + { + _data->_deleteStream=false; +- multiPartInitialize(part); ++ try ++ { ++ multiPartInitialize(part); ++ } ++ catch(...) ++ { ++ delete _data; ++ throw; ++ } + } + + +--- openexr-2.2.1.orig/IlmImf/ImfDwaCompressor.cpp ++++ openexr-2.2.1/IlmImf/ImfDwaCompressor.cpp +@@ -265,8 +265,9 @@ struct DwaCompressor::Classifier + " (truncated rule)."); + + { +- char suffix[Name::SIZE]; +- memset (suffix, 0, Name::SIZE); ++ // maximum length of string plus one byte for terminating NULL ++ char suffix[Name::SIZE+1]; ++ memset (suffix, 0, Name::SIZE+1); + Xdr::read (ptr, std::min(size, Name::SIZE-1), suffix); + _suffix = std::string(suffix); + } +@@ -2409,7 +2410,7 @@ DwaCompressor::uncompress + unsigned short ruleSize = 0; + Xdr::read(dataPtr, ruleSize); + +- if (ruleSize < 0) ++ if (ruleSize < Xdr::size() ) + throw Iex::InputExc("Error uncompressing DWA data" + " (corrupt header file)."); + +@@ -2806,6 +2807,14 @@ DwaCompressor::uncompress + if (Imath::modp (y, cd->ySampling) != 0) + continue; + ++ // ++ // sanity check for buffer data lying within range ++ // ++ if (cd->planarUncBufferEnd + dstScanlineSize - _planarUncBuffer[UNKNOWN] > _planarUncBufferSize[UNKNOWN] ) ++ { ++ throw Iex::InputExc("DWA data corrupt"); ++ } ++ + memcpy (rowPtrs[chan][row], + cd->planarUncBufferEnd, + dstScanlineSize); +--- openexr-2.2.1.orig/IlmImf/ImfFastHuf.cpp ++++ openexr-2.2.1/IlmImf/ImfFastHuf.cpp +@@ -256,14 +256,29 @@ FastHufDecoder::FastHufDecoder + int symbol = *i >> 6; + + if (mapping[codeLen] >= _numSymbols) ++ { ++ delete[] _idToSymbol; ++ _idToSymbol = NULL; + throw Iex::InputExc ("Huffman decode error " + "(Invalid symbol in header)."); +- ++ } + _idToSymbol[mapping[codeLen]] = symbol; + mapping[codeLen]++; + } + +- buildTables(base, offset); ++ // ++ // exceptions can be thrown whilst building tables. Delete ++ // _idToSynmbol before re-throwing to prevent memory leak ++ // ++ try ++ { ++ buildTables(base, offset); ++ }catch(...) ++ { ++ delete[] _idToSymbol; ++ _idToSymbol = NULL; ++ throw; ++ } + } + + +--- openexr-2.2.1.orig/IlmImf/ImfHeader.cpp ++++ openexr-2.2.1/IlmImf/ImfHeader.cpp +@@ -914,7 +914,7 @@ Header::sanityCheck (bool isTiled, bool + + const TileDescription &tileDesc = tileDescription(); + +- if (tileDesc.xSize <= 0 || tileDesc.ySize <= 0) ++ if (tileDesc.xSize <= 0 || tileDesc.ySize <= 0 || tileDesc.xSize > INT_MAX || tileDesc.ySize > INT_MAX ) + throw IEX_NAMESPACE::ArgExc ("Invalid tile size in image header."); + + if (maxTileWidth > 0 && +--- openexr-2.2.1.orig/IlmImf/ImfHuf.cpp ++++ openexr-2.2.1/IlmImf/ImfHuf.cpp +@@ -1052,7 +1052,10 @@ hufUncompress (const char compressed[], + unsigned short raw[], + int nRaw) + { +- if (nCompressed == 0) ++ // ++ // nead at least 20 bytes for header ++ // ++ if (nCompressed < 20 ) + { + if (nRaw != 0) + notEnoughData(); +@@ -1070,6 +1073,12 @@ hufUncompress (const char compressed[], + + const char *ptr = compressed + 20; + ++ if ( ptr + (nBits+7 )/8 > compressed+nCompressed) ++ { ++ notEnoughData(); ++ return; ++ } ++ + // + // Fast decoder needs at least 2x64-bits of compressed data, and + // needs to be run-able on this platform. Otherwise, fall back +--- openexr-2.2.1.orig/IlmImf/ImfMisc.cpp ++++ openexr-2.2.1/IlmImf/ImfMisc.cpp +@@ -114,9 +114,9 @@ bytesPerLineTable (const Header &header, + c != channels.end(); + ++c) + { +- int nBytes = pixelTypeSize (c.channel().type) * +- (dataWindow.max.x - dataWindow.min.x + 1) / +- c.channel().xSampling; ++ size_t nBytes = size_t(pixelTypeSize (c.channel().type)) * ++ size_t(dataWindow.max.x - dataWindow.min.x + 1) / ++ size_t(c.channel().xSampling); + + for (int y = dataWindow.min.y, i = 0; y <= dataWindow.max.y; ++y, ++i) + if (modp (y, c.channel().ySampling) == 0) +@@ -262,6 +262,7 @@ defaultFormat (Compressor * compressor) + } + + ++//obsolete + int + numLinesInBuffer (Compressor * compressor) + { +@@ -1838,6 +1839,39 @@ usesLongNames (const Header &header) + return false; + } + ++namespace ++{ ++// for a given compression type, return the number of scanlines ++// compressed into a single chunk ++// TODO add to API and move to ImfCompressor.cpp ++int ++numLinesInBuffer(Compression comp) ++{ ++ switch(comp) ++ { ++ case NO_COMPRESSION : ++ case RLE_COMPRESSION: ++ case ZIPS_COMPRESSION: ++ return 1; ++ case ZIP_COMPRESSION: ++ return 16; ++ case PIZ_COMPRESSION: ++ return 32; ++ case PXR24_COMPRESSION: ++ return 16; ++ case B44_COMPRESSION: ++ case B44A_COMPRESSION: ++ case DWAA_COMPRESSION: ++ return 32; ++ case DWAB_COMPRESSION: ++ return 256; ++ ++ default: ++ throw IEX_NAMESPACE::ArgExc ("Unknown compression type"); ++ } ++} ++} ++ + int + getScanlineChunkOffsetTableSize(const Header& header) + { +@@ -1847,17 +1881,11 @@ getScanlineChunkOffsetTableSize(const He + size_t maxBytesPerLine = bytesPerLineTable (header, + bytesPerLine); + +- Compressor* compressor = newCompressor(header.compression(), +- maxBytesPerLine, +- header); +- +- int linesInBuffer = numLinesInBuffer (compressor); ++ int linesInBuffer = numLinesInBuffer ( header.compression() ); + + int lineOffsetSize = (dataWindow.max.y - dataWindow.min.y + + linesInBuffer) / linesInBuffer; + +- delete compressor; +- + return lineOffsetSize; + } + +--- openexr-2.2.1.orig/IlmImf/ImfPizCompressor.cpp ++++ openexr-2.2.1/IlmImf/ImfPizCompressor.cpp +@@ -491,7 +491,9 @@ PizCompressor::uncompress (const char *i + // This is the cunompress function which is used by both the tiled and + // scanline decompression routines. + // +- ++ ++ const char* inputEnd=inPtr+inSize; ++ + // + // Special case - empty input buffer + // +@@ -502,6 +504,7 @@ PizCompressor::uncompress (const char *i + return 0; + } + ++ + // + // Determine the layout of the compressed pixel data + // +@@ -548,6 +551,12 @@ PizCompressor::uncompress (const char *i + AutoArray bitmap; + memset (bitmap, 0, sizeof (unsigned char) * BITMAP_SIZE); + ++ ++ if(inPtr + sizeof(unsigned short)*2 > inputEnd) ++ { ++ throw InputExc ("PIZ compressed data too short"); ++ } ++ + Xdr::read (inPtr, minNonZero); + Xdr::read (inPtr, maxNonZero); + +@@ -559,8 +568,14 @@ PizCompressor::uncompress (const char *i + + if (minNonZero <= maxNonZero) + { +- Xdr::read (inPtr, (char *) &bitmap[0] + minNonZero, +- maxNonZero - minNonZero + 1); ++ size_t bytesToRead = maxNonZero - minNonZero + 1; ++ if(inPtr + bytesToRead > inputEnd) ++ { ++ throw InputExc ("PIZ compressed data too short"); ++ } ++ ++Xdr::read (inPtr, (char *) &bitmap[0] + minNonZero, ++ bytesToRead); + } + + AutoArray lut; +@@ -569,6 +584,11 @@ PizCompressor::uncompress (const char *i + // + // Huffman decoding + // ++ if(inPtr + sizeof(int)> inputEnd) ++ { ++ throw InputExc ("PIZ compressed data too short"); ++ } ++ + + int length; + Xdr::read (inPtr, length); +--- openexr-2.2.1.orig/IlmImf/ImfRle.cpp ++++ openexr-2.2.1/IlmImf/ImfRle.cpp +@@ -129,6 +129,11 @@ rleUncompress (int inLength, int maxLeng + if (0 > (maxLength -= count)) + return 0; + ++ // check the input buffer is big enough to contain ++ // 'count' bytes of remaining data ++ if (inLength < 0) ++ return 0; ++ + memcpy(out, in, count); + out += count; + in += count; +--- openexr-2.2.1.orig/IlmImf/ImfScanLineInputFile.cpp ++++ openexr-2.2.1/IlmImf/ImfScanLineInputFile.cpp +@@ -1114,6 +1114,12 @@ void ScanLineInputFile::initialize(const + + size_t maxBytesPerLine = bytesPerLineTable (_data->header, + _data->bytesPerLine); ++ ++ if(maxBytesPerLine > INT_MAX) ++ { ++ throw IEX_NAMESPACE::InputExc("maximum bytes per scanline exceeds maximum permissible size"); ++ } ++ + + for (size_t i = 0; i < _data->lineBuffers.size(); i++) + { +@@ -1148,6 +1154,8 @@ void ScanLineInputFile::initialize(const + } + catch (...) + { ++ if (_data->partNumber == -1) ++ delete _streamData; + delete _data; + _data=NULL; + throw; +@@ -1420,6 +1428,14 @@ ScanLineInputFile::setFrameBuffer (const + offset+=2; + break; + } ++ ++ // ++ // optimization mode cannot currently skip subsampled channels ++ // ++ if (i.channel().xSampling!=1 || i.channel().ySampling!=1) ++ { ++ optimizationPossible = false; ++ } + ++i; + } + +--- openexr-2.2.1.orig/IlmImf/ImfTiledInputFile.cpp ++++ openexr-2.2.1/IlmImf/ImfTiledInputFile.cpp +@@ -736,7 +736,10 @@ TiledInputFile::TiledInputFile (const ch + + delete _data->_streamData; + } +- ++ if (_data) ++ { ++ delete _data; ++ } + if (is != 0) + delete is; + +@@ -759,6 +762,10 @@ TiledInputFile::TiledInputFile (const ch + + if (is != 0) + delete is; ++ if (_data) ++ { ++ delete _data; ++ } + throw; + } + } +@@ -846,7 +853,15 @@ TiledInputFile::TiledInputFile (InputPar + { + _data = new Data (part->numThreads); + _data->_deleteStream=false; +- multiPartInitialize(part); ++ try ++ { ++ multiPartInitialize(part); ++ } ++ catch(...) ++ { ++ if (_data) delete _data; ++ throw; ++ } + } + + +@@ -1307,6 +1322,11 @@ TiledInputFile::rawTileData (int &dx, in + readNextTileData (_data->_streamData, _data, dx, dy, lx, ly, + tileBuffer->buffer, + pixelDataSize); ++ ++ if ( !isValidLevel(lx,ly) || !isValidTile (dx, dy, lx, ly) ) ++ throw IEX_NAMESPACE::ArgExc ("File contains an invalid tile"); ++ ++ + if(isMultiPart(version())) + { + if (old_dx!=dx || old_dy !=dy || old_lx!=lx || old_ly!=ly) +--- openexr-2.2.1.orig/IlmImfTest/testMultiPartApi.cpp ++++ openexr-2.2.1/IlmImfTest/testMultiPartApi.cpp +@@ -450,6 +450,21 @@ generateRandomFile (int partCount, const + } + } + ++ for (size_t i = 0 ; i < parts.size() ; ++i ) ++ { ++ int partType = partTypes[i]; ++ ++ if (partType == 0) ++ { ++ delete (OutputPart*) parts[i]; ++ } ++ else ++ { ++ delete (TiledOutputPart*) parts[i]; ++ } ++ ++ } ++ + delete[] tiledHalfData; + delete[] tiledUintData; + delete[] tiledFloatData; diff --git a/CVE-2020-15305.patch b/CVE-2020-15305.patch new file mode 100644 index 0000000000000000000000000000000000000000..b8d7f26adbffa19f73ef60debebbaa6c327d17c8 --- /dev/null +++ b/CVE-2020-15305.patch @@ -0,0 +1,16 @@ +From 3d03979dc101612e806cdf0b011475d9fa685a73 Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Tue, 19 May 2020 16:09:21 +1200 +Subject: [PATCH] fix #728 - missing 'throw' in deepscanline error handling + +--- openexr-2.2.1.orig/IlmImf/ImfDeepScanLineInputFile.cpp ++++ openexr-2.2.1/IlmImf/ImfDeepScanLineInputFile.cpp +@@ -1049,6 +1049,8 @@ DeepScanLineInputFile::DeepScanLineInput + delete _data->_streamData; + } + if (_data) delete _data; ++ ++ throw; + } + + readLineOffsets (*_data->_streamData->is, diff --git a/CVE-2020-15306.patch b/CVE-2020-15306.patch new file mode 100644 index 0000000000000000000000000000000000000000..fecbc2c97b5613c7e0058ca42c61c90ddd8d56f5 --- /dev/null +++ b/CVE-2020-15306.patch @@ -0,0 +1,130 @@ +From 6a9f8af6e89547bcd370ae3cec2b12849eee0b54 Mon Sep 17 00:00:00 2001 +From: peterhillman +Date: Wed, 27 May 2020 13:50:54 +1200 +Subject: [PATCH] always ignore chunkCount attribute unless it cannot be + computed (#738) + +--- openexr-2.2.1.orig/IlmImf/ImfDeepTiledOutputFile.cpp ++++ openexr-2.2.1/IlmImf/ImfDeepTiledOutputFile.cpp +@@ -1228,7 +1228,7 @@ DeepTiledOutputFile::initialize (const H + _data->numYTiles); + + //ignore the existing value of chunkCount - correct it if it's wrong +- _data->header.setChunkCount(getChunkOffsetTableSize(_data->header,true)); ++ _data->header.setChunkCount(getChunkOffsetTableSize(_data->header)); + + _data->maxSampleCountTableSize = _data->tileDesc.ySize * + _data->tileDesc.xSize * +--- openexr-2.2.1.orig/IlmImf/ImfMisc.cpp ++++ openexr-2.2.1/IlmImf/ImfMisc.cpp +@@ -1896,18 +1896,30 @@ int + getTiledChunkOffsetTableSize(const Header& header); + + int +-getChunkOffsetTableSize(const Header& header,bool ignore_attribute) ++getChunkOffsetTableSize(const Header& header,bool) + { +- if(!ignore_attribute && header.hasChunkCount()) +- { +- return header.chunkCount(); +- } +- ++ // ++ // if there is a type in the header which indicates the part is not a currently supported type, ++ // use the chunkCount attribute ++ // ++ ++ + if(header.hasType() && !isSupportedType(header.type())) + { +- throw IEX_NAMESPACE::ArgExc ("unsupported header type to " +- "get chunk offset table size"); ++ if(header.hasChunkCount()) ++ { ++ return header.chunkCount(); ++ } ++ else ++ { ++ throw IEX_NAMESPACE::ArgExc ("unsupported header type to " ++ "get chunk offset table size"); ++ } + } ++ ++ // ++ // part is a known type - ignore the header attribute and compute the chunk size from the header ++ // + if (isTiled(header.type()) == false) + return getScanlineChunkOffsetTableSize(header); + else +--- openexr-2.2.1.orig/IlmImf/ImfMisc.h ++++ openexr-2.2.1/IlmImf/ImfMisc.h +@@ -452,13 +452,16 @@ bool usesLongNames (const Header &header + + + // +-// compute size of chunk offset table - if ignore_attribute set to true +-// will compute from the image size and layout, rather than the attribute +-// The default behaviour is to read the attribute ++// compute size of chunk offset table - for existing types, computes ++// the chunk size from the image size, compression type, and tile description ++// (for tiled types). If the type is not supported, uses the chunkCount attribute ++// if present, or throws an exception otherwise ++// deprecated_attribute is no longer used by this function ++// + // + + IMF_EXPORT +-int getChunkOffsetTableSize(const Header& header,bool ignore_attribute=false); ++int getChunkOffsetTableSize(const Header& header,bool deprecated_attribute=false); + + OPENEXR_IMF_INTERNAL_NAMESPACE_HEADER_EXIT + +--- openexr-2.2.1.orig/IlmImf/ImfMultiPartInputFile.cpp ++++ openexr-2.2.1/IlmImf/ImfMultiPartInputFile.cpp +@@ -735,7 +735,7 @@ MultiPartInputFile::Data::readChunkOffse + + for (size_t i = 0; i < parts.size(); i++) + { +- int chunkOffsetTableSize = getChunkOffsetTableSize(parts[i]->header,false); ++ int chunkOffsetTableSize = getChunkOffsetTableSize(parts[i]->header); + parts[i]->chunkOffsets.resize(chunkOffsetTableSize); + + for (int j = 0; j < chunkOffsetTableSize; j++) +--- openexr-2.2.1.orig/IlmImf/ImfMultiPartOutputFile.cpp ++++ openexr-2.2.1/IlmImf/ImfMultiPartOutputFile.cpp +@@ -145,7 +145,7 @@ MultiPartOutputFile::Data::do_header_san + if (isMultiPart) + { + // multipart files must contain a chunkCount attribute +- _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0],true)); ++ _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0])); + + for (size_t i = 1; i < parts; i++) + { +@@ -153,7 +153,7 @@ MultiPartOutputFile::Data::do_header_san + throw IEX_NAMESPACE::ArgExc ("Every header in a multipart file should have a type"); + + +- _headers[i].setChunkCount(getChunkOffsetTableSize(_headers[i],true)); ++ _headers[i].setChunkCount(getChunkOffsetTableSize(_headers[i])); + _headers[i].sanityCheck (_headers[i].hasTileDescription(), isMultiPart); + + +@@ -185,7 +185,7 @@ MultiPartOutputFile::Data::do_header_san + + if (_headers[0].hasType() && isImage(_headers[0].type()) == false) + { +- _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0],true)); ++ _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0])); + } + + } +@@ -494,7 +494,7 @@ MultiPartOutputFile::Data::writeChunkTab + { + for (size_t i = 0; i < parts.size(); i++) + { +- int chunkTableSize = getChunkOffsetTableSize(parts[i]->header,false); ++ int chunkTableSize = getChunkOffsetTableSize(parts[i]->header); + + Int64 pos = os->tellp(); + diff --git a/OpenEXR.spec b/OpenEXR.spec index fca67e63897d0bd0023b96bd4307b95924bfa9d9..8db424c7bb56be9205da1bcc3203e9c6c6fb5a53 100644 --- a/OpenEXR.spec +++ b/OpenEXR.spec @@ -1,7 +1,7 @@ Name: OpenEXR Summary: A high dynamic-range (HDR) image file format for use in computer imaging applications Version: 2.2.0 -Release: 21 +Release: 22 License: BSD URL: http://www.openexr.com/ Source0: http://download.savannah.nongnu.org/releases/openexr/openexr-%{version}.tar.gz @@ -24,6 +24,9 @@ Patch0014: CVE-2021-23215.patch Patch0015: CVE-2021-23169.patch Patch0016: CVE-2021-26260.patch Patch0017: CVE-2021-3598.patch +Patch0018: CVE-2020-11758-to-CVE-2020-11765.patch +Patch0019: CVE-2020-15305.patch +Patch0020: CVE-2020-15306.patch BuildConflicts: %{name}-devel < 2.2.0 BuildRequires: gcc-c++ ilmbase-devel >= %{version} zlib-devel pkgconfig @@ -87,6 +90,9 @@ test "$(pkg-config --modversion OpenEXR)" = "%{version}" %{_libdir}/pkgconfig/OpenEXR.pc %changelog +* Mon Jul 12 2021 yaoxin - 2.2.0-22 +- fix CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765 CVE-2020-15305 CVE-2020-15306 + * Sat Jul 10 2021 wangyue - 2.2.0-21 - fix CVE-2021-3598