File openexr-CVE-2021-3933.patch of Package openexr.22326
Index: openexr-2.2.1/IlmImf/ImfMisc.cpp
===================================================================
--- openexr-2.2.1.orig/IlmImf/ImfMisc.cpp 2021-11-09 11:34:04.683045514 +0100
+++ openexr-2.2.1/IlmImf/ImfMisc.cpp 2021-11-09 12:49:23.721792651 +0100
@@ -167,16 +167,28 @@ bytesPerDeepLineTable (const Header &hea
c != channels.end();
++c)
{
+ const uint64_t pixelSize = pixelTypeSize (c.channel().type);
+
for (int y = minY; y <= maxY; ++y)
if (modp (y, c.channel().ySampling) == 0)
{
- int nBytes = 0;
+ uint64_t nBytes = 0;
for (int x = dataWindow.min.x; x <= dataWindow.max.x; x++)
{
if (modp (x, c.channel().xSampling) == 0)
- nBytes += pixelTypeSize (c.channel().type) *
- sampleCount(base, xStride, yStride, x, y);
+ nBytes += pixelSize *
+ static_cast<uint64_t>(sampleCount(base, xStride, yStride, x, y));
}
+
+ //
+ // architectures where size_t is smaller than 64 bits may overflow
+ // (scanlines with more than 2^32 bytes are not currently supported so this should not occur with valid files)
+ //
+ if( static_cast<uint64_t>(bytesPerLine[y - dataWindow.min.y]) + nBytes > SIZE_MAX)
+ {
+ throw IEX_NAMESPACE::IoExc("Scanline size too large");
+ }
+
bytesPerLine[y - dataWindow.min.y] += nBytes;
}
}