File openexr-CVE-2021-3476.patch of Package openexr.21776
diff --git a/IlmImf/ImfB44Compressor.cpp b/IlmImf/ImfB44Compressor.cpp
index 3b18ba855..5e2ab9ea5 100644
--- a/IlmImf/ImfB44Compressor.cpp
+++ b/IlmImf/ImfB44Compressor.cpp
@@ -381,26 +381,26 @@ unpack14 (const unsigned char b[14], unsigned short s[16])
s[ 0] = (b[0] << 8) | b[1];
unsigned short shift = (b[ 2] >> 2);
- unsigned short bias = (0x20 << shift);
+ unsigned short bias = (0x20u << shift);
- s[ 4] = s[ 0] + ((((b[ 2] << 4) | (b[ 3] >> 4)) & 0x3f) << shift) - bias;
- s[ 8] = s[ 4] + ((((b[ 3] << 2) | (b[ 4] >> 6)) & 0x3f) << shift) - bias;
- s[12] = s[ 8] + ((b[ 4] & 0x3f) << shift) - bias;
+ s[ 4] = s[ 0] + ((((b[ 2] << 4) | (b[ 3] >> 4)) & 0x3fu) << shift) - bias;
+ s[ 8] = s[ 4] + ((((b[ 3] << 2) | (b[ 4] >> 6)) & 0x3fu) << shift) - bias;
+ s[12] = s[ 8] + ((b[ 4] & 0x3fu) << shift) - bias;
- s[ 1] = s[ 0] + ((b[ 5] >> 2) << shift) - bias;
- s[ 5] = s[ 4] + ((((b[ 5] << 4) | (b[ 6] >> 4)) & 0x3f) << shift) - bias;
- s[ 9] = s[ 8] + ((((b[ 6] << 2) | (b[ 7] >> 6)) & 0x3f) << shift) - bias;
- s[13] = s[12] + ((b[ 7] & 0x3f) << shift) - bias;
+ s[ 1] = s[ 0] + ((unsigned int) (b[ 5] >> 2) << shift) - bias;
+ s[ 5] = s[ 4] + ((((b[ 5] << 4) | (b[ 6] >> 4)) & 0x3fu) << shift) - bias;
+ s[ 9] = s[ 8] + ((((b[ 6] << 2) | (b[ 7] >> 6)) & 0x3fu) << shift) - bias;
+ s[13] = s[12] + ((b[ 7] & 0x3fu) << shift) - bias;
- s[ 2] = s[ 1] + ((b[ 8] >> 2) << shift) - bias;
- s[ 6] = s[ 5] + ((((b[ 8] << 4) | (b[ 9] >> 4)) & 0x3f) << shift) - bias;
- s[10] = s[ 9] + ((((b[ 9] << 2) | (b[10] >> 6)) & 0x3f) << shift) - bias;
- s[14] = s[13] + ((b[10] & 0x3f) << shift) - bias;
+ s[ 2] = s[ 1] + ((unsigned int)(b[ 8] >> 2) << shift) - bias;
+ s[ 6] = s[ 5] + ((((b[ 8] << 4) | (b[ 9] >> 4)) & 0x3fu) << shift) - bias;
+ s[10] = s[ 9] + ((((b[ 9] << 2) | (b[10] >> 6)) & 0x3fu) << shift) - bias;
+ s[14] = s[13] + ((b[10] & 0x3fu) << shift) - bias;
- s[ 3] = s[ 2] + ((b[11] >> 2) << shift) - bias;
- s[ 7] = s[ 6] + ((((b[11] << 4) | (b[12] >> 4)) & 0x3f) << shift) - bias;
- s[11] = s[10] + ((((b[12] << 2) | (b[13] >> 6)) & 0x3f) << shift) - bias;
- s[15] = s[14] + ((b[13] & 0x3f) << shift) - bias;
+ s[ 3] = s[ 2] + ((unsigned int)(b[11] >> 2) << shift) - bias;
+ s[ 7] = s[ 6] + ((((b[11] << 4) | (b[12] >> 4)) & 0x3fu) << shift) - bias;
+ s[11] = s[10] + ((((b[12] << 2) | (b[13] >> 6)) & 0x3fu) << shift) - bias;
+ s[15] = s[14] + ((b[13] & 0x3fu) << shift) - bias;
for (int i = 0; i < 16; ++i)
{
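Review bot: In unpack14 the shift count still comes straight from `b[2] >> 2`, so it can be as large as 63, and `0x20u << shift` and the `& 0x3fu) << shift` terms remain undefined for counts of 32 or more; the unsigned literals only remove the signed-overflow case. The function appears to rely on B44Compressor::uncompress sending every block with `b[2] >= (13<<2)` to unpack3 (second hunk of this file), but nothing in unpack14 states or enforces that. I would add `// Precondition: (b[2] >> 2) < 13; the caller routes larger shift values to unpack3` above the `shift` line, or check the value locally so that a future caller cannot reintroduce the undefined shift. unpack14 starts before this hunk and continues after it.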
@@ -951,7 +951,10 @@ B44Compressor::uncompress (const char *inPtr,
if (inSize < 3)
notEnoughData();
- if (((const unsigned char *)inPtr)[2] == 0xfc)
+ //
+ // If shift exponent is 63, call unpack14 (ignoring unused bits)
+ //
+ if (((const unsigned char *)inPtr)[2] >= (13<<2) )
{
unpack3 ((const unsigned char *)inPtr, s);
inPtr += 3;
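Review bot: The comment added above the test in B44Compressor::uncompress does not match the code: it speaks of shift exponent 63 and unpack14, while `>= (13<<2)` is true for every shift exponent of 13 or more and the branch calls unpack3. A maintainer reading it could conclude that the old `== 0xfc` behaviour is unchanged. Suggested wording: `// Shift exponents of 13 and above are not passed to unpack14; treat the block as a 3-byte block and call unpack3 (ignoring unused bits)`. Giving the threshold a name and referring to it from unpack14 would keep the two places in step. The function body continues outside the hunk.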
diff --git a/IlmImf/ImfDwaCompressor.cpp b/IlmImf/ImfDwaCompressor.cpp
index da2d95068..d8c66dd27 100644
--- a/IlmImf/ImfDwaCompressor.cpp
+++ b/IlmImf/ImfDwaCompressor.cpp
@@ -2681,6 +2681,10 @@ DwaCompressor::uncompress
int gChan = _cscSets[csc].idx[1];
int bChan = _cscSets[csc].idx[2];
+ if (_channelData[rChan].compression != LOSSY_DCT || _channelData[gChan].compression != LOSSY_DCT || _channelData[bChan].compression != LOSSY_DCT)
+ {
+ throw IEX_NAMESPACE::BaseExc("Bad DWA compression type detected");
+ }
LossyDctDecoderCsc decoder
(rowPtrs[rChan],
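Review bot: The new guard in DwaCompressor::uncompress carries no comment saying why all three CSC channels must be LOSSY_DCT, and the reason cannot be read off the hunk. Something like `// LossyDctDecoderCsc treats all three channels as DCT data; reject input whose channel compression disagrees` would record it (presumably that is the intent; confirm against the decoder). The check also indexes `_channelData` with rChan, gChan and bChan before anything visible here bounds them, so if `_cscSets` can be influenced by file contents a range check belongs next to it. The long condition would read better split over three lines. The enclosing loop and function start and end outside the hunk.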