diff --git a/23170c828485a91146a156e2939687c4b479633c.patch b/23170c828485a91146a156e2939687c4b479633c.patch new file mode 100644 index 0000000000000000000000000000000000000000..cc42d058a583d9cfc658b9a5a2e22a5305118153 --- /dev/null +++ b/23170c828485a91146a156e2939687c4b479633c.patch 
@@ -0,0 +1,61 @@ +From 23170c828485a91146a156e2939687c4b479633c Mon Sep 17 00:00:00 2001 +From: Peter Hillman +Date: Mon, 7 Dec 2020 13:42:55 +1300 +Subject: [PATCH] Merge ABI-compatible changes from #842 + +Signed-off-by: Peter Hillman +--- + OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp | 8 +++++--- + OpenEXR/IlmImf/ImfInputFile.cpp | 2 +- + OpenEXR/IlmImf/ImfTiledInputFile.cpp | 5 ++++- + 3 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp b/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp +index 0844d2349..c094fa79c 100644 +--- a/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp ++++ b/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp +@@ -721,10 +721,12 @@ LineBufferTask::execute () + + int width = (_ifd->maxX - _ifd->minX + 1); + ++ ptrdiff_t base = reinterpret_cast(&_ifd->sampleCount[0][0]); ++ base -= sizeof(unsigned int)*_ifd->minX; ++ base -= sizeof(unsigned int)*static_cast(_ifd->minY) * static_cast(width); ++ + copyIntoDeepFrameBuffer (readPtr, slice.base, +- (char*) (&_ifd->sampleCount[0][0] +- - _ifd->minX +- - _ifd->minY * width), ++ reinterpret_cast(base), + sizeof(unsigned int) * 1, + sizeof(unsigned int) * width, + y, _ifd->minX, _ifd->maxX, +diff --git a/OpenEXR/IlmImf/ImfInputFile.cpp b/OpenEXR/IlmImf/ImfInputFile.cpp +index ea70ef4e4..600c7023f 100644 +--- a/OpenEXR/IlmImf/ImfInputFile.cpp ++++ b/OpenEXR/IlmImf/ImfInputFile.cpp +@@ -281,7 +281,7 @@ bufferedReadPixels (InputFile::Data* ifd, int scanLine1, int scanLine2) + // if no channels are being read that are present in file, cachedBuffer will be empty + // + +- if (ifd->cachedBuffer->begin() != ifd->cachedBuffer->end()) ++ if (ifd->cachedBuffer && ifd->cachedBuffer->begin() != ifd->cachedBuffer->end()) + { + ifd->tFile->readTiles (0, ifd->tFile->numXTiles (0) - 1, j, j); + } +diff --git a/OpenEXR/IlmImf/ImfTiledInputFile.cpp b/OpenEXR/IlmImf/ImfTiledInputFile.cpp +index 3e7fda333..091ad623a 100644 +--- a/OpenEXR/IlmImf/ImfTiledInputFile.cpp ++++ 
b/OpenEXR/IlmImf/ImfTiledInputFile.cpp +@@ -958,7 +958,10 @@ TiledInputFile::initialize () + { + if (!isTiled (_data->version)) + throw IEX_NAMESPACE::ArgExc ("Expected a tiled file but the file is not tiled."); +- ++ ++ if (isNonImage (_data->version)) ++ throw IEX_NAMESPACE::ArgExc ("File is not a regular tiled image."); ++ + } + else + { diff --git a/5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17.patch b/5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17.patch new file mode 100644 index 0000000000000000000000000000000000000000..baab5e531d73b43c07cbc4ab0e3ea4c62bef87e1 --- /dev/null +++ b/5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17.patch 
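Review bot: The three new `base` lines in the ImfDeepScanLineInputFile.cpp hunk carry no comment explaining why the biased address is now built as an integer instead of with pointer arithmetic, and that reasoning is the whole point of the change. I would add a comment above them such as `// bias the base address in integer arithmetic: the result can lie outside sampleCount, where pointer arithmetic would be undefined`. `base -= sizeof(unsigned int)*_ifd->minX;` also multiplies an unsigned size by what appears to be a signed bound with no cast, so a negative minX gives the right offset only through unsigned wrap-around; that deserves a mention in the same comment. The cast target types are not legible in this copy of the patch, so check them against the upstream commit. LineBufferTask::execute starts and ends outside the hunk.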
@@ -0,0 +1,67 @@ +From 5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17 Mon Sep 17 00:00:00 2001 +From: peterhillman +Date: Wed, 22 Sep 2021 16:13:34 +1200 +Subject: [PATCH] prevent overflow in bytesPerDeepLineTable (#1152) + +* prevent overflow in bytesPerDeepLineTable + +Signed-off-by: Peter Hillman + +* restore zapped 'const' from ImfMisc + +Signed-off-by: Peter Hillman +--- + src/lib/OpenEXR/ImfMisc.cpp | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/src/lib/OpenEXR/ImfMisc.cpp b/src/lib/OpenEXR/ImfMisc.cpp +index 80c8ce8d2..844890910 100644 +--- a/src/lib/OpenEXR/ImfMisc.cpp ++++ b/src/lib/OpenEXR/ImfMisc.cpp +@@ -131,7 +131,7 @@ bytesPerDeepLineTable (const Header &header, + { + const int ySampling = abs(c.channel().ySampling); + const int xSampling = abs(c.channel().xSampling); +- const int pixelSize = pixelTypeSize (c.channel().type); ++ const uint64_t pixelSize = pixelTypeSize (c.channel().type); + + // Here we transform from the domain over all pixels into the domain + // of actual samples. 
We want to sample points in [minY, maxY] where +@@ -148,12 +148,22 @@ bytesPerDeepLineTable (const Header &header, + + for (int y = sampleMinY; y <= sampleMaxY; y+=ySampling) + { +- int nBytes = 0; ++ uint64_t nBytes = 0; + for (int x = sampleMinX; x <= sampleMaxX; x += xSampling) + { + nBytes += pixelSize * +- sampleCount(base, xStride, yStride, x, y); ++ static_cast(sampleCount(base, xStride, yStride, x, y)); + } ++ ++ // ++ // architectures where size_t is smaller than 64 bits may overflow ++ // (scanlines with more than 2^32 bytes are not currently supported so this should not occur with valid files) ++ // ++ if( static_cast(bytesPerLine[y - dataWindow.min.y]) + nBytes > SIZE_MAX) ++ { ++ throw IEX_NAMESPACE::IoExc("Scanline size too large"); ++ } ++ + bytesPerLine[y - dataWindow.min.y] += nBytes; + } + } +@@ -161,8 +171,12 @@ bytesPerDeepLineTable (const Header &header, + size_t maxBytesPerLine = 0; + + for (int y = minY; y <= maxY; ++y) ++ { + if (maxBytesPerLine < bytesPerLine[y - dataWindow.min.y]) ++ { + maxBytesPerLine = bytesPerLine[y - dataWindow.min.y]; ++ } ++ } + + return maxBytesPerLine; + } diff --git a/OpenEXR.spec b/OpenEXR.spec index 88e64ce5d26c82e211238c61b9585d24e1abf61e..a1dc564eea5a4d2c711f8ea7fcd2ce77ae515dea 100644 --- a/OpenEXR.spec +++ b/OpenEXR.spec @@ -1,7 +1,7 @@ Name: OpenEXR Summary: A high dynamic-range (HDR) image file format for use in computer imaging applications Version: 3.1.5 -Release: 2 +Release: 2.h1 License: BSD-3-Clause URL: http://www.openexr.com/ Source0: https://github.com/AcademySoftwareFoundation/openexr/archive/v%{version}/openexr-%{version}.tar.gz 
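Review bot: The new guard in bytesPerDeepLineTable, `bytesPerLine[...] + nBytes > SIZE_MAX`, can only fire where size_t is narrower than the widened sum, as its own comment says. On a platform with a 64-bit size_t, and assuming the illegible cast target is a 64-bit type, the addition wraps before the comparison and the check never triggers. Comparing against the remaining headroom avoids the addition altogether: `if (nBytes > SIZE_MAX - bytesPerLine[y - dataWindow.min.y])`. The inner accumulation `nBytes += pixelSize * ...sampleCount(...)` is still unchecked, so it presumably relies on the sample counts having been bounded before this function runs. The function body starts outside the hunk.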
@@ -112,4 +112,19 @@ This package contains libraries and header files for development of %{name}. - DESC:unpack libs subpackage * Fri Oct 25 2019 huzhiyu - 2.2.0-16 +* Wed Jul 13 2022 Panys +- Type:CVE +- SUG :NO +- DESC : fix CVE-2021-20300 CVE-2021-20302 CVE-2021-3933 - Package init +%Patch +# CVE-2021-20300 +Patch1 ed560b8a932c78d5e8e5990ce36fe7808b35d9f0.patch +#CVE-2021-20302 +Patch2 23170c828485a91146a156e2939687c4b479633c.patch +#CVE-2021-3933 +Patch3 5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17.patch + +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 diff --git a/ed560b8a932c78d5e8e5990ce36fe7808b35d9f0.patch b/ed560b8a932c78d5e8e5990ce36fe7808b35d9f0.patch new file mode 100644 index 0000000000000000000000000000000000000000..679cfff149c330d80ad14a97eae93c0c31b02109 --- /dev/null +++ b/ed560b8a932c78d5e8e5990ce36fe7808b35d9f0.patch @@ -0,0 +1,25 @@ +From ed560b8a932c78d5e8e5990ce36fe7808b35d9f0 Mon Sep 17 00:00:00 2001 +From: peterhillman +Date: Thu, 17 Sep 2020 08:42:39 +1200 +Subject: [PATCH] prevent overflow in hufUncompress if nBits is large (#836) + +Signed-off-by: Peter Hillman +--- + OpenEXR/IlmImf/ImfHuf.cpp | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/OpenEXR/IlmImf/ImfHuf.cpp b/OpenEXR/IlmImf/ImfHuf.cpp +index 7bd7fc00d..23cfcfd6c 100644 +--- a/OpenEXR/IlmImf/ImfHuf.cpp ++++ b/OpenEXR/IlmImf/ImfHuf.cpp +@@ -1093,7 +1093,9 @@ hufUncompress (const char compressed[], + + const char *ptr = compressed + 20; + +- if ( ptr + (nBits+7 )/8 > compressed+nCompressed) ++ uint64_t nBytes = (static_cast(nBits)+7) / 8 ; ++ ++ if ( ptr + nBytes > compressed+nCompressed) + { + notEnoughData(); + return;
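Review bot: The added `Patch1`/`Patch2`/`Patch3` declarations and the `%patch1 -p1` lines appear to land at the end of the file, after the changelog text, rather than in the preamble and `%prep`. They are also written without the colon (`Patch1 <file>` instead of `Patch1: <file>`) under a `%Patch` heading that is not a spec section, so the build may never apply the three fixes the new changelog entry claims. Declare them next to `Source0` as `Patch1: <file>` and apply them in `%prep`, which is outside this hunk. Two of the patch files address `OpenEXR/IlmImf/...` and the third `src/lib/OpenEXR/...`, and both layouts are unlikely to exist in one tree unpacked with `-p1`; with `Version: 3.1.5` it is worth confirming which of these changes the tarball already contains. The new `* Wed Jul 13 2022` entry also seems to be inserted between the 2019 header and its `- Package init` line, splitting the oldest entry, and it belongs at the top of `%changelog`.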
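Review bot: The bounds test in hufUncompress still forms `ptr + nBytes` before comparing. Widening nBits removes the integer overflow, but a large nBytes yields a pointer far past the end of `compressed`, which is undefined and can wrap on a 32-bit address space. Comparing lengths instead of pointers avoids that: `if (nBytes > static_cast<uint64_t>(compressed + nCompressed - ptr))`. This assumes the earlier part of the function, outside this hunk, already rejects inputs shorter than the 20-byte header. The cast target on `nBits` is not legible in this copy of the patch, so confirm it against the upstream commit.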