File openexr-CVE-2021-23215,26260.patch of Package openexr.21776
Index: openexr-2.2.1/IlmImf/ImfDwaCompressor.cpp
===================================================================
--- openexr-2.2.1.orig/IlmImf/ImfDwaCompressor.cpp 2021-04-26 14:19:38.233657002 +0200
+++ openexr-2.2.1/IlmImf/ImfDwaCompressor.cpp 2021-04-27 10:28:33.673535527 +0200
@@ -2164,7 +2164,7 @@ DwaCompressor::compress
if (*unknownUncompressedSize > 0)
{
uLongf inSize = (uLongf)(*unknownUncompressedSize);
- uLongf outSize = (uLongf)(ceil ((float)inSize * 1.01f) + 100);
+ uLongf outSize = compressBound (inSize);
if (Z_OK != ::compress2 ((Bytef *)outDataPtr,
&outSize,
@@ -2202,8 +2202,8 @@ DwaCompressor::compress
case DEFLATE:
{
- uLongf destLen = (uLongf)
- (2 * (*totalAcUncompressedCount) * sizeof (unsigned short));
+ uLongf destLen = compressBound (
+ (*totalAcUncompressedCount) * sizeof (unsigned short));
if (Z_OK != ::compress2
((Bytef *)outDataPtr,
@@ -2255,8 +2255,7 @@ DwaCompressor::compress
_planarUncBuffer[RLE],
(signed char *)_rleBuffer);
- uLongf dstLen =
- (uLongf)ceil (1.01f * (float) * rleUncompressedSize) + 24;
+ uLongf dstLen = compressBound ((uLongf)*rleUncompressedSize);
if (Z_OK != ::compress2
((Bytef *)outDataPtr,
@@ -2400,7 +2399,7 @@ DwaCompressor::uncompress
totalDcUncompressedCount < 0)
{
throw Iex::InputExc("Error uncompressing DWA data"
- " (corrupt header).");
+ " (corrupt header I).");
}
if (version < 2)
@@ -2499,16 +2498,14 @@ DwaCompressor::uncompress
if (unknownCompressedSize > 0)
{
- uLongf outSize = static_cast<uLongf>(
- ceil( (float)unknownUncompressedSize * 1.01) + 100);
-
- if (unknownUncompressedSize < 0 ||
- outSize > _planarUncBufferSize[UNKNOWN])
+ if (unknownUncompressedSize > _planarUncBufferSize[UNKNOWN])
{
throw Iex::InputExc("Error uncompressing DWA data"
- "(corrupt header).");
+ "(corrupt header II).");
}
+ uLongf outSize = (uLongf)unknownUncompressedSize;
+
if (Z_OK != ::uncompress
((Bytef *)_planarUncBuffer[UNKNOWN],
&outSize,
@@ -2528,7 +2525,7 @@ DwaCompressor::uncompress
if ( !_packedAcBuffer || totalAcUncompressedCount*sizeof(unsigned short) > _packedAcBufferSize)
{
throw Iex::InputExc("Error uncompressing DWA data"
- "(corrupt header).");
+ "(corrupt header III).");
}
//
@@ -2585,7 +2582,7 @@ DwaCompressor::uncompress
if (totalDcUncompressedCount*sizeof(unsigned short) > _packedDcBufferSize)
{
throw Iex::InputExc("Error uncompressing DWA data"
- "(corrupt header).");
+ "(corrupt header IV).");
}
if (_zip->uncompress
@@ -2607,7 +2604,7 @@ DwaCompressor::uncompress
rleRawSize > _planarUncBufferSize[RLE])
{
throw Iex::InputExc("Error uncompressing DWA data"
- "(corrupt header).");
+ "(corrupt header V).");
}
uLongf dstLen = (uLongf)rleUncompressedSize;
@@ -2921,19 +2918,21 @@ DwaCompressor::initializeBuffers (size_t
// of channels we have.
//
- int maxOutBufferSize = 0;
- int numLossyDctChans = 0;
- int unknownBufferSize = 0;
- int rleBufferSize = 0;
+ Int64 maxOutBufferSize = 0;
+ Int64 numLossyDctChans = 0;
+ Int64 unknownBufferSize = 0;
+ Int64 rleBufferSize = 0;
- int maxLossyDctAcSize = (int)ceil ((float)numScanLines() / 8.0f) *
- (int)ceil ((float)(_max[0] - _min[0] + 1) / 8.0f) *
+ Int64 maxLossyDctAcSize = static_cast<Int64>(ceil ((float)numScanLines() / 8.0f)) *
+ static_cast<Int64>(ceil ((float)(_max[0] - _min[0] + 1) / 8.0f)) *
63 * sizeof (unsigned short);
- int maxLossyDctDcSize = (int)ceil ((float)numScanLines() / 8.0f) *
- (int)ceil ((float)(_max[0] - _min[0] + 1) / 8.0f) *
+ Int64 maxLossyDctDcSize = static_cast<Int64>(ceil ((float)numScanLines() / 8.0f)) *
+ static_cast<Int64>(ceil ((float)(_max[0] - _min[0] + 1) / 8.0f)) *
sizeof (unsigned short);
+ Int64 pixelCount = static_cast<Int64>(numScanLines()) * static_cast<Int64>(_max[0] - _min[0] + 1);
+
for (unsigned int chan = 0; chan < _channelData.size(); ++chan)
{
switch (_channelData[chan].compression)
@@ -2943,10 +2942,13 @@ DwaCompressor::initializeBuffers (size_t
//
// This is the size of the number of packed
// components, plus the requirements for
- // maximum Huffman encoding size.
+ // maximum Huffman encoding size (for STATIC_HUFFMAN)
+ // or for zlib compression (for DEFLATE)
//
- maxOutBufferSize += 2 * maxLossyDctAcSize + 65536;
+ maxOutBufferSize += std::max(
+ 2lu * maxLossyDctAcSize + 65536lu,
+ static_cast<Int64>(compressBound (maxLossyDctAcSize)) );
numLossyDctChans++;
break;
@@ -2957,8 +2959,7 @@ DwaCompressor::initializeBuffers (size_t
// of the source data.
//
- int rleAmount = 2 * numScanLines() * (_max[0] - _min[0] + 1) *
- Imf::pixelTypeSize (_channelData[chan].type);
+ Int64 rleAmount = 2 * pixelCount * Imf::pixelTypeSize (_channelData[chan].type);
rleBufferSize += rleAmount;
}
@@ -2967,8 +2968,7 @@ DwaCompressor::initializeBuffers (size_t
case UNKNOWN:
- unknownBufferSize += numScanLines() * (_max[0] - _min[0] + 1) *
- Imf::pixelTypeSize (_channelData[chan].type);
+ unknownBufferSize += pixelCount * Imf::pixelTypeSize (_channelData[chan].type);
break;
default:
@@ -2985,13 +2985,13 @@ DwaCompressor::initializeBuffers (size_t
// which could take slightly more space
//
- maxOutBufferSize += (int)(ceil (1.01f * (float)rleBufferSize) + 100);
+ maxOutBufferSize += static_cast<Int64>(compressBound (rleBufferSize));
//
// And the same goes for the UNKNOWN data
//
- maxOutBufferSize += (int)(ceil (1.01f * (float)unknownBufferSize) + 100);
+ maxOutBufferSize += static_cast<Int64>(compressBound (unknownBufferSize));
//
// Allocate a zip/deflate compressor big enought to hold the DC data
@@ -3077,7 +3077,7 @@ DwaCompressor::initializeBuffers (size_t
// all in one swoop (for each compression scheme).
//
- int planarUncBufferSize[NUM_COMPRESSOR_SCHEMES];
+ Int64 planarUncBufferSize[NUM_COMPRESSOR_SCHEMES];
for (int i=0; i<NUM_COMPRESSOR_SCHEMES; ++i)
planarUncBufferSize[i] = 0;
@@ -3090,13 +3090,13 @@ DwaCompressor::initializeBuffers (size_t
case RLE:
planarUncBufferSize[RLE] +=
- numScanLines() * (_max[0] - _min[0] + 1) *
+ pixelCount *
Imf::pixelTypeSize (_channelData[chan].type);
break;
case UNKNOWN:
planarUncBufferSize[UNKNOWN] +=
- numScanLines() * (_max[0] - _min[0] + 1) *
+ pixelCount *
Imf::pixelTypeSize (_channelData[chan].type);
break;
@@ -3114,7 +3114,7 @@ DwaCompressor::initializeBuffers (size_t
if (planarUncBufferSize[UNKNOWN] > 0)
{
planarUncBufferSize[UNKNOWN] =
- (int) ceil (1.01f * (float)planarUncBufferSize[UNKNOWN]) + 100;
+ static_cast<Int64>( compressBound (planarUncBufferSize[UNKNOWN]) );
}
for (int i = 0; i < NUM_COMPRESSOR_SCHEMES; ++i)
@@ -3124,6 +3124,12 @@ DwaCompressor::initializeBuffers (size_t
_planarUncBufferSize[i] = planarUncBufferSize[i];
if (_planarUncBuffer[i] != 0)
delete[] _planarUncBuffer[i];
+
+ if (planarUncBufferSize[i] > std::numeric_limits<size_t>::max())
+ {
+ throw IEX_NAMESPACE::ArgExc("DWA buffers too large");
+ }
+
_planarUncBuffer[i] = new char[planarUncBufferSize[i]];
}
}
Index: openexr-2.2.1/IlmImf/ImfDwaCompressor.h
===================================================================
--- openexr-2.2.1.orig/IlmImf/ImfDwaCompressor.h 2017-11-18 00:00:24.000000000 +0100
+++ openexr-2.2.1/IlmImf/ImfDwaCompressor.h 2021-04-26 14:19:38.249657084 +0200
@@ -155,16 +155,16 @@ class DwaCompressor: public Compressor
std::vector<CscChannelSet> _cscSets;
std::vector<Classifier> _channelRules;
- char *_packedAcBuffer;
- size_t _packedAcBufferSize;
- char *_packedDcBuffer;
- size_t _packedDcBufferSize;
- char *_rleBuffer;
- size_t _rleBufferSize;
- char *_outBuffer;
- size_t _outBufferSize;
- char *_planarUncBuffer[NUM_COMPRESSOR_SCHEMES];
- size_t _planarUncBufferSize[NUM_COMPRESSOR_SCHEMES];
+ char* _packedAcBuffer;
+ Int64 _packedAcBufferSize;
+ char* _packedDcBuffer;
+ Int64 _packedDcBufferSize;
+ char* _rleBuffer;
+ Int64 _rleBufferSize;
+ char* _outBuffer;
+ Int64 _outBufferSize;
+ char* _planarUncBuffer[NUM_COMPRESSOR_SCHEMES];
+ Int64 _planarUncBufferSize[NUM_COMPRESSOR_SCHEMES];
Zip *_zip;
float _dwaCompressionLevel;
