From 746b8ae85264f49ed2cdd17c4121728a3432a5b6 Mon Sep 17 00:00:00 2001 From: wk333 <13474090681@163.com> Date: Tue, 19 Jul 2022 15:02:40 +0800 Subject: [PATCH] Fix CVE-2021-3933 --- CVE-2021-3933.patch | 64 +++++++++++++++++++++++++++++++++++++++++++++ OpenEXR.spec | 6 ++++- 2 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 CVE-2021-3933.patch diff --git a/CVE-2021-3933.patch b/CVE-2021-3933.patch new file mode 100644 index 0000000..2b7f289 --- /dev/null +++ b/CVE-2021-3933.patch @@ -0,0 +1,64 @@ +Backported of: + +From 5a0adf1aba7d41c6b94ba167c0c4308d2eecfd17 Mon Sep 17 00:00:00 2001 +From: peterhillman +Date: Wed, 22 Sep 2021 16:13:34 +1200 +Subject: [PATCH] prevent overflow in bytesPerDeepLineTable (#1152) + +* prevent overflow in bytesPerDeepLineTable + +Signed-off-by: Peter Hillman + +* restore zapped 'const' from ImfMisc + +Signed-off-by: Peter Hillman +diff --git a/IlmImf/ImfMisc.cpp b/IlmImf/ImfMisc.cpp +index b091015..d3a21b7 100644 +--- a/IlmImf/ImfMisc.cpp ++++ b/IlmImf/ImfMisc.cpp +@@ -167,16 +167,28 @@ bytesPerDeepLineTable (const Header &header, + c != channels.end(); + ++c) + { ++ const uint64_t pixelSize = pixelTypeSize (c.channel().type); ++ + for (int y = minY; y <= maxY; ++y) + if (modp (y, c.channel().ySampling) == 0) + { +- int nBytes = 0; ++ uint64_t nBytes = 0; + for (int x = dataWindow.min.x; x <= dataWindow.max.x; x++) + { + if (modp (x, c.channel().xSampling) == 0) +- nBytes += pixelTypeSize (c.channel().type) * +- sampleCount(base, xStride, yStride, x, y); ++ nBytes += pixelSize * ++ static_cast(sampleCount(base, xStride, yStride, x, y)); + } ++ ++ // ++ // architectures where size_t is smaller than 64 bits may overflow ++ // (scanlines with more than 2^32 bytes are not currently supported so this should not occur with valid files) ++ // ++ if( static_cast(bytesPerLine[y - dataWindow.min.y]) + nBytes > SIZE_MAX) ++ { ++ throw IEX_NAMESPACE::IoExc("Scanline size too large"); ++ } ++ + bytesPerLine[y - dataWindow.min.y] += nBytes; + } + } +@@ -184,9 +196,12 @@ bytesPerDeepLineTable (const Header &header, + size_t maxBytesPerLine = 0; + + for (int y = minY; y <= maxY; ++y) ++ { + if (maxBytesPerLine < bytesPerLine[y - dataWindow.min.y]) ++ { + maxBytesPerLine = bytesPerLine[y - dataWindow.min.y]; +- ++ } ++ } + return maxBytesPerLine; + } + diff --git a/OpenEXR.spec b/OpenEXR.spec index 3f02d93..d1c8851 100644 --- a/OpenEXR.spec +++ b/OpenEXR.spec @@ -1,7 +1,7 @@ Name: OpenEXR Summary: A high dynamic-range (HDR) image file format for use in computer imaging applications Version: 2.2.0 -Release: 25 +Release: 26 License: BSD URL: http://www.openexr.com/ Source0: http://download.savannah.nongnu.org/releases/openexr/openexr-%{version}.tar.gz @@ -31,6 +31,7 @@ Patch0021: CVE-2021-3605.patch Patch0022: CVE-2021-20303.patch #https://github.com/AcademySoftwareFoundation/openexr/commit/7b11bbac18fc3c23.patch Patch0023: CVE-2021-20299.patch +Patch0024: CVE-2021-3933.patch BuildConflicts: %{name}-devel < 2.2.0 BuildRequires: gcc-c++ ilmbase-devel >= %{version} zlib-devel pkgconfig @@ -94,6 +95,9 @@ test "$(pkg-config --modversion OpenEXR)" = "%{version}" %{_libdir}/pkgconfig/OpenEXR.pc %changelog +* Tue Jul 19 2022 wangkai - 2.2.0-26 +- Fix CVE-2021-3933 + * Wed Mar 23 2022 yaoxin - 2.2.0-25 - Fix CVE-2021-20299 -- Gitee