Overview

File openexr-CVE-2017-9111,9113,9115.patch of Package openexr.22326

Index: openexr-2.3.0/exrmakepreview/makePreview.cpp
===================================================================
--- openexr-2.3.0.orig/exrmakepreview/makePreview.cpp	2018-08-10 03:35:00.000000000 +0200
+++ openexr-2.3.0/exrmakepreview/makePreview.cpp	2019-06-14 19:18:36.159142127 +0200
@@ -110,6 +110,9 @@ generatePreview (const char inFileName[]
     int h = dw.max.y - dw.min.y + 1;
 
     Array2D <Rgba> pixels (h, w);
+    if (INT_MAX / abs(w) < abs(dw.min.y) ||
+        INT_MAX - abs(dw.min.x) < abs(dw.min.y * w))
+      throw IEX_NAMESPACE::ArgExc ("Invalid data window in image header.");
     in.setFrameBuffer (&pixels[0][0] - dw.min.y * w - dw.min.x, 1, w);
     in.readPixels (dw.min.y, dw.max.y);
 
Index: openexr-2.3.0/exrmaketiled/Image.h
===================================================================
--- openexr-2.3.0.orig/exrmaketiled/Image.h	2018-08-10 03:35:00.000000000 +0200
+++ openexr-2.3.0/exrmaketiled/Image.h	2019-06-14 19:19:02.451287048 +0200
@@ -192,6 +192,9 @@ TypedImageChannel<T>::slice () const
     const IMATH_NAMESPACE::Box2i &dw = image().dataWindow();
     int w = dw.max.x - dw.min.x + 1;
 
+    if (INT_MAX / abs(w) < abs(dw.min.y) ||
+        INT_MAX - abs(dw.min.x) < abs(dw.min.y * w))
+      throw IEX_NAMESPACE::ArgExc ("Invalid data window in image header.");
     return OPENEXR_IMF_INTERNAL_NAMESPACE::Slice (pixelType(),
 		       (char *) (&_pixels[0][0] - dw.min.y * w - dw.min.x),
 		       sizeof (T),
openSUSE Build Service is sponsored by
Places