From 27f22f22bd6b6a9476a3eccd714de3ebc110420a Mon Sep 17 00:00:00 2001
From: Josef Ridky
Date: Mon, 23 Mar 2026 11:04:45 +0100
Subject: [PATCH] Resolves: RHEL-153422 - fix CVE-2026-27622
Signed-off-by: Josef Ridky
---
 openexr-CVE-2026-27622.patch | 34 ++++++++++++++++++++++++++++++++++
 openexr.spec | 7 ++++++-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 openexr-CVE-2026-27622.patch
diff --git a/openexr-CVE-2026-27622.patch b/openexr-CVE-2026-27622.patch
new file mode 100644
index 0000000..45f8c3a
--- /dev/null
+++ b/openexr-CVE-2026-27622.patch
@@ -0,0 +1,34 @@
+From a6ddaf5faa6e0e2119763ed93e5745c2ec164c2d Mon Sep 17 00:00:00 2001
+From: Cary Phillips
+Date: Sat, 21 Feb 2026 17:15:42 -0800
+Subject: [PATCH] Report an error if a deep pixel as more than UINT_MAX samples
+
+There was no overflow check in totalling the samples per pixel, so a
+pixel with more samples than could fit in an unsigned int would
+overflow.
+
+This formalizes a limit of 4,294,967,295 samples per pixel, which the
+library has always had by virtue of failing when attempting to add
+more.
+
+Signed-off-by: Cary Phillips
+---
+ src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp b/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp
+index 8ac4a166bf..01b8bec411 100644
+--- a/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp
++++ b/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp
+@@ -508,6 +508,10 @@ CompositeDeepScanLine::readPixels (int start, int end)
+ num_sources[ptr] = 0;
+ for (size_t j = 0; j < parts; j++)
+ {
++ if (total_sizes[ptr] > std::numeric_limits::max() - counts[j][ptr])
++ throw IEX_NAMESPACE::ArgExc (
++ "Cannot composite scanline: pixel cannot have more than UINT_MAX samples");
++
+ total_sizes[ptr] += counts[j][ptr];
+ if (counts[j][ptr] > 0) num_sources[ptr]++;
+ }
+
diff --git a/openexr.spec b/openexr.spec
index 64f8546..047f04e 100644
--- a/openexr.spec
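Review bot: The added guard reads `std::numeric_limits::max()` with no template argument, which is not valid C++; if that is only an angle-bracket loss in this rendering it is harmless, but the committed patch file should be checked to read `std::numeric_limits<unsigned int>::max()`, the type the commit message names for the per-pixel total (the declaration of `total_sizes` is outside the hunk). The hunk also introduces `std::numeric_limits` without adding `#include <limits>`; whether ImfCompositeDeepScanLine.cpp already includes it directly is not visible here and should be confirmed rather than relying on a transitive include. The upstream commit is dated February 2026 and its blob ids (8ac4a166bf..01b8bec411) appear to come from a newer tree than 3.1.10, so the `@@ -508` offset may only apply with fuzz; a line like the Patch3 entry's `# Backported to 3.1.10` in the spec would record whether it was adjusted. `readPixels` begins and ends outside the hunk.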
+++ b/openexr.spec
@@ -3,7 +3,7 @@ Name: openexr
 Version: 3.1.10
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: Provides the specification and reference implementation of the EXR file format
 License: BSD-3-Clause
@@ -19,6 +19,8 @@ Patch2: gcc14.patch
 # https://github.com/AcademySoftwareFoundation/openexr/pull/1627
 # Backported to 3.1.10
 Patch3: openexr-3.1.10-CVE-2023-5841.patch
+# Fix CVE 2026-27622
+Patch4: openexr-CVE-2026-27622.patch
 BuildRequires: cmake gcc gcc-c++
 BuildRequires: boost-devel
@@ -157,6 +159,9 @@ EXCLUDE_REGEX='ReadDeep|DWA[AB]Compression|testCompression|Rgba|SampleImages|Sha
 %changelog
+* Mon Mar 23 2026 Josef Ridky - 3.1.10-9
+- fix CVE-2026-27622
+
 * Tue Oct 29 2024 Troy Dawson - 3.1.10-8
 - Bump release for October 2024 mass rebuild:
 Resolves: RHEL-64018
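Review bot: `Patch4:` registers the backport but nothing in this hunk applies it; if %prep uses explicit `%patch` lines rather than `%autosetup`/`%autopatch`, a matching `%patch 4 -p1` (or `%patch4 -p1` on older rpm) is required, and %prep is outside the hunk, so it should be confirmed before the build is trusted to contain the fix. The comment above it, `# Fix CVE 2026-27622`, drops the hyphen from the CVE id and, unlike the Patch3 entry, records no upstream reference; `# CVE-2026-27622, upstream commit a6ddaf5faa6e0e2119763ed93e5745c2ec164c2d` would keep a grep for the id working and match the neighbouring style. The changelog entry could likewise cite the ticket from the subject, `- fix CVE-2026-27622 (RHEL-153422)`, as the previous entry does with its Resolves line.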