File openexr-CVE-2017-9111,9113,9115.patch of Package openexr.17686

Index: openexr-2.1.0/exrmakepreview/makePreview.cpp
===================================================================
--- openexr-2.1.0.orig/exrmakepreview/makePreview.cpp	2013-06-18 21:51:40.000000000 +0200
+++ openexr-2.1.0/exrmakepreview/makePreview.cpp	2019-06-14 21:45:07.647887121 +0200
@@ -52,6 +52,7 @@
 #include <ImathFun.h>
 #include <math.h>
 #include <iostream>
+#include <stdlib.h>
 
 #include <OpenEXRConfig.h>
 using namespace OPENEXR_IMF_NAMESPACE;
@@ -109,6 +110,9 @@ generatePreview (const char inFileName[]
     int h = dw.max.y - dw.min.y + 1;
 
     Array2D <Rgba> pixels (h, w);
+    if (INT_MAX / abs(w) < abs(dw.min.y) ||
+        INT_MAX - abs(dw.min.x) < abs(dw.min.y * w))
+      throw IEX_NAMESPACE::ArgExc ("Invalid data window in image header.");
     in.setFrameBuffer (&pixels[0][0] - dw.min.y * w - dw.min.x, 1, w);
     in.readPixels (dw.min.y, dw.max.y);
 
Index: openexr-2.1.0/exrmaketiled/Image.h
===================================================================
--- openexr-2.1.0.orig/exrmaketiled/Image.h	2013-10-16 00:55:09.000000000 +0200
+++ openexr-2.1.0/exrmaketiled/Image.h	2019-06-14 21:44:54.411813691 +0200
@@ -49,6 +49,7 @@
 
 #include <string>
 #include <map>
+#include <stdlib.h>
 
 #include "namespaceAlias.h"
 
@@ -192,6 +193,9 @@ TypedImageChannel<T>::slice () const
     const IMATH_NAMESPACE::Box2i &dw = image().dataWindow();
     int w = dw.max.x - dw.min.x + 1;
 
+    if (INT_MAX / abs(w) < abs(dw.min.y) ||
+        INT_MAX - abs(dw.min.x) < abs(dw.min.y * w))
+      throw IEX_NAMESPACE::ArgExc ("Invalid data window in image header.");
     return OPENEXR_IMF_INTERNAL_NAMESPACE::Slice (pixelType(),
 		       (char *) (&_pixels[0][0] - dw.min.y * w - dw.min.x),
 		       sizeof (T),
openSUSE Build Service is sponsored by