diff --git a/CVE-2020-11758-to-CVE-2020-11765.patch b/CVE-2020-11758-to-CVE-2020-11765.patch
index 97d19fb1b9ac208c2e862058821a0cf5a01aacd7..5accf7b022eb045bab40aae998ea093d76fe4ef9 100644
--- a/CVE-2020-11758-to-CVE-2020-11765.patch
+++ b/CVE-2020-11758-to-CVE-2020-11765.patch
@@ -380,19 +380,6 @@ Subject: [PATCH 23/23] force x/y Sampling to 1 for Deep Scanline Images
 {
 if (nRaw != 0)
 notEnoughData();
-@@ -1070,6 +1073,12 @@ hufUncompress (const char compressed[],
-
- const char *ptr = compressed + 20;
-
-+ if ( ptr + (nBits+7 )/8 > compressed+nCompressed)
-+ {
-+ notEnoughData();
-+ return;
-+ }
-+
- //
- // Fast decoder needs at least 2x64-bits of compressed data, and
- // needs to be run-able on this platform. Otherwise, fall back
 --- openexr-2.2.1.orig/IlmImf/ImfMisc.cpp
 +++ openexr-2.2.1/IlmImf/ImfMisc.cpp
 @@ -114,9 +114,9 @@ bytesPerLineTable (const Header &header,
diff --git a/CVE-2021-20300.patch b/CVE-2021-20300.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bd46ac2254597c531c52583e89d0e541ec7aff70
--- /dev/null
+++ b/CVE-2021-20300.patch
@@ -0,0 +1,17 @@
+diff -Naru openexr-2.2.0/IlmImf/ImfHuf.cpp openexr-2.2.0-new/IlmImf/ImfHuf.cpp
+--- openexr-2.2.0/IlmImf/ImfHuf.cpp 2014-08-10 12:23:56.000000000 +0800
++++ openexr-2.2.0-new/IlmImf/ImfHuf.cpp 2022-06-27 14:17:05.083624000 +0800
+@@ -1067,6 +1067,13 @@
+ invalidTableSize();
+
+ const char *ptr = compressed + 20;
++ uint64_t nBytes = (static_cast(nBits)+7) / 8 ;
++
++ if ( ptr + nBytes > compressed+nCompressed)
++ {
++ notEnoughData();
++ return;
++ }
+
+ //
+ // Fast decoder needs at least 2x64-bits of compressed data, and
diff --git a/CVE-2021-20302.patch b/CVE-2021-20302.patch
new file mode 100644
index 0000000000000000000000000000000000000000..39ccab3c6fb752b97733aaaf46de4a74ac7a4033
--- /dev/null
+++ b/CVE-2021-20302.patch
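Review bot: In CVE-2021-20300.patch the added test `ptr + nBytes > compressed+nCompressed` still adds a length taken from the file to a pointer before comparing, so a large `nBits` can form a pointer beyond the end of `compressed`, which is undefined behaviour and can wrap where pointers are narrower than 64 bits. Comparing lengths instead of pointers avoids this: `if (nCompressed < 20 || nBytes > static_cast<uint64_t>(nCompressed - 20))`. The cast target on the `nBytes` line is not legible on this page, and the enclosing function starts and ends outside the hunk.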
@@ -0,0 +1,33 @@
+diff -Naru "openexr-2.2.0 copy/IlmImf/ImfDeepScanLineInputFile.cpp" openexr-2.2.0/IlmImf/ImfDeepScanLineInputFile.cpp
+--- "openexr-2.2.0 copy/IlmImf/ImfDeepScanLineInputFile.cpp" 2022-07-06 16:43:15.752732000 +0800
++++ openexr-2.2.0/IlmImf/ImfDeepScanLineInputFile.cpp 2022-07-06 16:45:09.368817000 +0800
+@@ -717,10 +717,12 @@
+
+ int width = (_ifd->maxX - _ifd->minX + 1);
+
++ ptrdiff_t base = reinterpret_cast(&_ifd->sampleCount[0][0]);
++ base -= sizeof(unsigned int)*_ifd->minX;
++ base -= sizeof(unsigned int)*static_cast(_ifd->minY) * static_cast(width);
++
+ copyIntoDeepFrameBuffer (readPtr, slice.base,
+- (char*) (&_ifd->sampleCount[0][0]
+- - _ifd->minX
+- - _ifd->minY * width),
++ reinterpret_cast(base),
+ sizeof(unsigned int) * 1,
+ sizeof(unsigned int) * width,
+ y, _ifd->minX, _ifd->maxX,
+
+diff -Naru "openexr-2.2.0 copy/IlmImf/ImfTiledInputFile.cpp" openexr-2.2.0/IlmImf/ImfTiledInputFile.cpp
+--- "openexr-2.2.0 copy/IlmImf/ImfTiledInputFile.cpp" 2022-07-06 16:43:15.892732000 +0800
++++ openexr-2.2.0/IlmImf/ImfTiledInputFile.cpp 2022-07-06 16:50:27.438890000 +0800
+@@ -903,6 +903,9 @@
+ if (!isTiled (_data->version))
+ throw IEX_NAMESPACE::ArgExc ("Expected a tiled file but the file is not tiled.");
+
++ if (isNonImage (_data->version))
++ throw IEX_NAMESPACE::ArgExc ("File is not a regular tiled image.");
++
+ }
+ else
+ {
diff --git a/CVE-2021-3933.patch b/CVE-2021-3933.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0d33bb0711b8c04b6bd90c9e216bfe807adc4772
--- /dev/null
+++ b/CVE-2021-3933.patch
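Review bot: In CVE-2021-20302.patch the three new `base` lines in ImfDeepScanLineInputFile.cpp carry no comment saying why the offset is now built in integer arithmetic, and the `minX` term is left uncast while the `minY` and `width` terms are cast. The removed expression multiplied `_ifd->minY * width` as plain `int` and offset the pointer directly, so the intent appears to be avoiding that overflow and the out-of-range intermediate pointer; a comment such as `// build the virtual base as an integer: minY * width can overflow int and the offset may lie outside sampleCount` would keep a later cleanup from reverting it. Casting the first term as well, `base -= static_cast<ptrdiff_t>(sizeof(unsigned int)) * _ifd->minX;`, would make a negative `minX` subtract as a signed value rather than through unsigned wraparound. The cast target types are not legible on this page, and the enclosing function starts and ends outside the hunk.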
@@ -0,0 +1,32 @@
+diff -Naru openexr-2.2.0/IlmImf/ImfMisc.cpp openexr-2.2.0-new/IlmImf/ImfMisc.cpp
+--- openexr-2.2.0/IlmImf/ImfMisc.cpp 2014-08-10 12:23:56.000000000 +0800
++++ openexr-2.2.0-new/IlmImf/ImfMisc.cpp 2022-07-07 09:19:27.750843000 +0800
+@@ -167,6 +167,7 @@
+ c != channels.end();
+ ++c)
+ {
++ const uint64_t pixelSize = pixelTypeSize (c.channel().type);
+ for (int y = minY; y <= maxY; ++y)
+ if (modp (y, c.channel().ySampling) == 0)
+ {
+@@ -174,9 +175,18 @@
+ for (int x = dataWindow.min.x; x <= dataWindow.max.x; x++)
+ {
+ if (modp (x, c.channel().xSampling) == 0)
+- nBytes += pixelTypeSize (c.channel().type) *
+- sampleCount(base, xStride, yStride, x, y);
++ nBytes += pixelSize *
++ static_cast(sampleCount(base, xStride, yStride, x, y));
+ }
++
++ // architectures where size_t is smaller than 64 bits may overflow
++ // (scanlines with more than 2^32 bytes are not currently supported so this should not occur with valid files)
++ //
++ if( static_cast(bytesPerLine[y - dataWindow.min.y]) + nBytes > SIZE_MAX)
++ {
++ throw IEX_NAMESPACE::IoExc("Scanline size too large");
++ }
++
+ bytesPerLine[y - dataWindow.min.y] += nBytes;
+ }
+ }
diff --git a/OpenEXR.spec b/OpenEXR.spec
index 3f02d93adfbc201c916642f6f527b500f0e653c0..d5effcfdca9f9f0e3e6731c6a6de367874470ef4 100644
--- a/OpenEXR.spec
+++ b/OpenEXR.spec
@@ -1,7 +1,7 @@
 Name: OpenEXR
 Summary: A high dynamic-range (HDR) image file format for use in computer imaging applications
 Version: 2.2.0
-Release: 25
+Release: 26
 License: BSD
 URL: http://www.openexr.com/
 Source0: http://download.savannah.nongnu.org/releases/openexr/openexr-%{version}.tar.gz
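Review bot: In CVE-2021-3933.patch the declaration of `nBytes` falls on the single line between the two ImfMisc.cpp hunks (old line 173) and is left unchanged, so the widened arithmetic may still be stored in a narrower variable. If that declaration is an `int` in 2.2.0 (it is not visible here; confirm against the source), each `nBytes += pixelSize * …` result is converted back to `int`, and the new `> SIZE_MAX` test only sees the already-truncated value. The patch should then change that line too, e.g. `uint64_t nBytes = 0;`. The enclosing function starts and ends outside the hunk.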
@@ -31,6 +31,9 @@ Patch0021: CVE-2021-3605.patch Patch0022: CVE-2021-20303.patch #https://github.com/AcademySoftwareFoundation/openexr/commit/7b11bbac18fc3c23.patch Patch0023: CVE-2021-20299.patch +Patch0024: CVE-2021-20300.patch +Patch0025: CVE-2021-20302.patch +Patch0026: CVE-2021-3933.patch BuildConflicts: %{name}-devel < 2.2.0 BuildRequires: gcc-c++ ilmbase-devel >= %{version} zlib-devel pkgconfig @@ -94,6 +97,9 @@ test "$(pkg-config --modversion OpenEXR)" = "%{version}" %{_libdir}/pkgconfig/OpenEXR.pc %changelog +* Thu Jul 7 2022 weichao.zhang - 2.2.0-26 +- Fix CVE-2021-20300 CVE-2021-20302 CVE-2021-3933 + * Wed Mar 23 2022 yaoxin - 2.2.0-25 - Fix CVE-2021-20299