diff --git a/CVE-2021-20300.patch b/CVE-2021-20300.patch
new file mode 100644
index 0000000000000000000000000000000000000000..de464c0dbd8602d34757094fd28e637d4b1791b5
--- /dev/null
+++ b/CVE-2021-20300.patch
@@ -0,0 +1,14 @@
+diff -Naru openexr-2.2.0/IlmImf/ImfHuf.cpp openexr-2.2.0-new/IlmImf/ImfHuf.cpp
+--- openexr-2.2.0/IlmImf/ImfHuf.cpp 2022-07-15 11:20:21.474483000 +0800
++++ openexr-2.2.0-new/IlmImf/ImfHuf.cpp 2022-07-15 11:21:53.484077000 +0800
+@@ -1068,7 +1068,9 @@
+
+ const char *ptr = compressed + 20;
+
+- if ( ptr + (nBits+7 )/8 > compressed+nCompressed)
++ uint64_t nBytes = (static_cast(nBits)+7) / 8 ;
++
++ if ( ptr + nBytes > compressed+nCompressed)
+ {
+ notEnoughData();
+ return;
diff --git a/CVE-2021-20302.patch b/CVE-2021-20302.patch
new file mode 100644
index 0000000000000000000000000000000000000000..39ccab3c6fb752b97733aaaf46de4a74ac7a4033
--- /dev/null
+++ b/CVE-2021-20302.patch
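Review bot: In the ImfHuf.cpp change carried by CVE-2021-20300.patch, the new bound check `if ( ptr + nBytes > compressed+nCompressed)` still adds the length to a pointer before comparing, so a large nBytes forms an out-of-range pointer (undefined behaviour) and, where pointers are narrower than 64 bits, the sum can wrap and pass the check. Comparing lengths avoids the pointer arithmetic altogether: `if (nCompressed < 20 || nBytes > static_cast<uint64_t>(nCompressed - 20))`, where 20 is the header offset used in `compressed + 20`. The declaration of nBits (which appears to come from the compressed data) and any earlier check on nCompressed are outside the hunk, so the first half of that condition may already be guaranteed. The enclosing function starts and ends outside the hunk.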
@@ -0,0 +1,33 @@
+diff -Naru "openexr-2.2.0 copy/IlmImf/ImfDeepScanLineInputFile.cpp" openexr-2.2.0/IlmImf/ImfDeepScanLineInputFile.cpp
+--- "openexr-2.2.0 copy/IlmImf/ImfDeepScanLineInputFile.cpp" 2022-07-06 16:43:15.752732000 +0800
++++ openexr-2.2.0/IlmImf/ImfDeepScanLineInputFile.cpp 2022-07-06 16:45:09.368817000 +0800
+@@ -717,10 +717,12 @@
+
+ int width = (_ifd->maxX - _ifd->minX + 1);
+
++ ptrdiff_t base = reinterpret_cast(&_ifd->sampleCount[0][0]);
++ base -= sizeof(unsigned int)*_ifd->minX;
++ base -= sizeof(unsigned int)*static_cast(_ifd->minY) * static_cast(width);
++
+ copyIntoDeepFrameBuffer (readPtr, slice.base,
+- (char*) (&_ifd->sampleCount[0][0]
+- - _ifd->minX
+- - _ifd->minY * width),
++ reinterpret_cast(base),
+ sizeof(unsigned int) * 1,
+ sizeof(unsigned int) * width,
+ y, _ifd->minX, _ifd->maxX,
+
+diff -Naru "openexr-2.2.0 copy/IlmImf/ImfTiledInputFile.cpp" openexr-2.2.0/IlmImf/ImfTiledInputFile.cpp
+--- "openexr-2.2.0 copy/IlmImf/ImfTiledInputFile.cpp" 2022-07-06 16:43:15.892732000 +0800
++++ openexr-2.2.0/IlmImf/ImfTiledInputFile.cpp 2022-07-06 16:50:27.438890000 +0800
+@@ -903,6 +903,9 @@
+ if (!isTiled (_data->version))
+ throw IEX_NAMESPACE::ArgExc ("Expected a tiled file but the file is not tiled.");
+
++ if (isNonImage (_data->version))
++ throw IEX_NAMESPACE::ArgExc ("File is not a regular tiled image.");
++
+ }
+ else
+ {
diff --git a/CVE-2021-3933.patch b/CVE-2021-3933.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e483a4da20d3e4f8104385fe89683c6c440151e0
--- /dev/null
+++ b/CVE-2021-3933.patch
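Review bot: In the ImfDeepScanLineInputFile.cpp change carried by CVE-2021-20302.patch, `base -= sizeof(unsigned int)*_ifd->minX;` multiplies a size_t by what appears to be a signed int, so a negative minX is converted to unsigned and the result relies on modular wrap-around and on the conversion back into the signed `ptrdiff_t base`, while the next line widens minY and width explicitly. Holding the address in `uintptr_t`, the type meant to carry a pointer value, makes that wrap-around well defined and the two lines consistent: `uintptr_t base = reinterpret_cast<uintptr_t>(&_ifd->sampleCount[0][0]);` and `base -= sizeof(unsigned int) * static_cast<uintptr_t>(_ifd->minX);`. The context line `int width = (_ifd->maxX - _ifd->minX + 1);` is still evaluated in int, so it depends on the data window having been range-checked earlier, which this hunk does not show. A short comment such as `// biased base computed as an integer: minY * width can exceed int range` would record why the pointer arithmetic was replaced. The enclosing function starts and ends outside the hunk.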
@@ -0,0 +1,65 @@
+Backported of:
+
+From 5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17 Mon Sep 17 00:00:00 2001
+From: peterhillman
+Date: Wed, 22 Sep 2021 16:13:34 +1200
+Subject: [PATCH] prevent overflow in bytesPerDeepLineTable (#1152)
+
+* prevent overflow in bytesPerDeepLineTable
+
+Signed-off-by: Peter Hillman
+
+* restore zapped 'const' from ImfMisc
+
+Signed-off-by: Peter Hillman
+diff --git a/IlmImf/ImfMisc.cpp b/IlmImf/ImfMisc.cpp
+index b091015..d3a21b7 100644
+--- a/IlmImf/ImfMisc.cpp
++++ b/IlmImf/ImfMisc.cpp
+@@ -167,16 +167,28 @@ bytesPerDeepLineTable (const Header &header,
+ c != channels.end();
+ ++c)
+ {
++ const uint64_t pixelSize = pixelTypeSize (c.channel().type);
++
+ for (int y = minY; y <= maxY; ++y)
+ if (modp (y, c.channel().ySampling) == 0)
+ {
+- int nBytes = 0;
++ uint64_t nBytes = 0;
+ for (int x = dataWindow.min.x; x <= dataWindow.max.x; x++)
+ {
+ if (modp (x, c.channel().xSampling) == 0)
+- nBytes += pixelTypeSize (c.channel().type) *
+- sampleCount(base, xStride, yStride, x, y);
++ nBytes += pixelSize *
++ static_cast(sampleCount(base, xStride, yStride, x, y));
+ }
++
++ //
++ // architectures where size_t is smaller than 64 bits may overflow
++ // (scanlines with more than 2^32 bytes are not currently supported so this should not occur with valid files)
++ //
++ if( static_cast(bytesPerLine[y - dataWindow.min.y]) + nBytes > SIZE_MAX)
++ {
++ throw IEX_NAMESPACE::IoExc("Scanline size too large");
++ }
++
+ bytesPerLine[y - dataWindow.min.y] += nBytes;
+ }
+ }
+@@ -184,9 +196,12 @@ bytesPerDeepLineTable (const Header &header,
+ size_t maxBytesPerLine = 0;
+
+ for (int y = minY; y <= maxY; ++y)
++ {
+ if (maxBytesPerLine < bytesPerLine[y - dataWindow.min.y])
++ {
+ maxBytesPerLine = bytesPerLine[y - dataWindow.min.y];
+-
++ }
++ }
+ return maxBytesPerLine;
+ }
+
+
\ No newline at end of file
diff --git a/OpenEXR.spec b/OpenEXR.spec
index 68e7eb6f6a3a4fb8e97d9226bf301f31b09dad56..6f4d464f7a888cb46bc4ba5ad43b252071d98e2c 100644
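Review bot: In the ImfMisc.cpp change carried by CVE-2021-3933.patch, the new guard adds `bytesPerLine[y - dataWindow.min.y]` and `nBytes` as 64-bit values and only then compares the sum with SIZE_MAX, so where size_t is 64 bits the sum wraps before the comparison and the guard can never fire. Rearranging it so that nothing is added first keeps it effective at any width: `if (nBytes > SIZE_MAX - bytesPerLine[y - dataWindow.min.y])`. The inner accumulation `nBytes += pixelSize * ...` is likewise unchecked in 64 bits; the added comment says such sizes should not occur with valid files, but the sample counts are presumably read from the file, so either check there as well or state in the comment that 64-bit wrap is deliberately out of scope. bytesPerDeepLineTable starts outside the hunk.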
--- a/OpenEXR.spec +++ b/OpenEXR.spec @@ -1,7 +1,7 @@ Name: OpenEXR Summary: A high dynamic-range (HDR) image file format for use in computer imaging applications Version: 2.2.0 -Release: 25 +Release: 26 License: BSD URL: http://www.openexr.com/ Source0: http://download.savannah.nongnu.org/releases/openexr/openexr-%{version}.tar.gz @@ -31,6 +31,12 @@ Patch0021: CVE-2021-3605.patch Patch0022: CVE-2021-20303.patch #https://github.com/AcademySoftwareFoundation/openexr/commit/7b11bbac18fc3c23.patch Patch0023: CVE-2021-20299.patch +#https://github.com/AcademySoftwareFoundation/openexr/pull/836/files +Patch0024: CVE-2021-20300.patch +#https://github.com/AcademySoftwareFoundation/openexr/pull/842 +Patch0025: CVE-2021-20302.patch +#https://github.com/AcademySoftwareFoundation/openexr/commit/5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17 +Patch0026: CVE-2021-3933.patch BuildConflicts: %{name}-devel < 2.2.0 BuildRequires: gcc-c++ ilmbase-devel >= %{version} zlib-devel pkgconfig @@ -94,6 +100,9 @@ test "$(pkg-config --modversion OpenEXR)" = "%{version}" %{_libdir}/pkgconfig/OpenEXR.pc %changelog +* Fri Jul 15 2022 weichao.zhang - 2.2.0-26 +- Fix CVE-2021-20300 CVE-2021-20302 CVE-2021-3933 + * Wed Mar 23 2022 yaoxin - 2.2.0-25 - Fix CVE-2021-20299