From 7cec6b4dd6aad3de92494ad422880a3104a95635 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 4 Nov 2024 20:51:37 +0000
Subject: [PATCH] import UBI openexr-3.1.1-2.el9_4.1
---
SOURCES/openexr-CVE-2023-5481.patch | 125 ++++++++++++++++++++++++++++
SPECS/openexr.spec | 7 +-
2 files changed, 131 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/openexr-CVE-2023-5481.patch
diff --git a/SOURCES/openexr-CVE-2023-5481.patch b/SOURCES/openexr-CVE-2023-5481.patch
new file mode 100644
index 0000000..5c747a7
--- /dev/null
+++ b/SOURCES/openexr-CVE-2023-5481.patch
@@ -0,0 +1,125 @@
+diff -urNp a/src/lib/OpenEXRCore/decoding.c b/src/lib/OpenEXRCore/decoding.c
+--- a/src/lib/OpenEXRCore/decoding.c 2024-10-23 08:11:05.307383943 +0200
++++ b/src/lib/OpenEXRCore/decoding.c 2024-10-23 08:18:26.077991254 +0200
+@@ -292,6 +292,9 @@ default_decompress_chunk (exr_decode_pip
+ (((uint64_t) decode->chunk.width) * ((uint64_t) decode->chunk.height));
+ sampsize *= sizeof (int32_t);
+
++ if ((decode->decode_flags & EXR_DECODE_SAMPLE_COUNTS_AS_INDIVIDUAL))
++ sampsize += 1;
++
+ rv = decompress_data (
+ pctxt,
+ part->comp_type,
+@@ -342,7 +345,7 @@ unpack_sample_table (
+ exr_result_t rv = EXR_ERR_SUCCESS;
+ int32_t w = decode->chunk.width;
+ int32_t h = decode->chunk.height;
+- int32_t totsamp = 0;
++ uint64_t totsamp = 0;
+ int32_t* samptable = decode->sample_count_table;
+ size_t combSampSize = 0;
+
+@@ -353,38 +356,44 @@ unpack_sample_table (
+ {
+ for (int32_t y = 0; y < h; ++y)
+ {
++ int32_t *cursampline = samptable + y * w;
+ int32_t prevsamp = 0;
+ for (int32_t x = 0; x < w; ++x)
+ {
+ int32_t nsamps =
+- (int32_t) one_to_native32 ((uint32_t) samptable[y * w + x]);
+- if (nsamps < 0) return EXR_ERR_INVALID_SAMPLE_DATA;
+- samptable[y * w + x] = nsamps - prevsamp;
+- prevsamp = nsamps;
++ (int32_t) one_to_native32 ((uint32_t) cursampline[x]);
++ if (nsamps < prevsamp) return EXR_ERR_INVALID_SAMPLE_DATA;
++
++ cursampline[x] = nsamps - prevsamp;
++ prevsamp = nsamps;
+ }
+- totsamp += prevsamp;
++ totsamp += (uint64_t)prevsamp;
+ }
+- samptable[w * h] = totsamp;
++ if (totsamp >= (uint64_t)INT32_MAX)
++ return EXR_ERR_INVALID_SAMPLE_DATA;
++ samptable[w * h] = (uint64_t)totsamp;
+ }
+ else
+ {
+ for (int32_t y = 0; y < h; ++y)
+ {
++ int32_t *cursampline = samptable + y * w;
+ int32_t prevsamp = 0;
+ for (int32_t x = 0; x < w; ++x)
+ {
+ int32_t nsamps =
+- (int32_t) one_to_native32 ((uint32_t) samptable[y * w + x]);
+- if (nsamps < 0) return EXR_ERR_INVALID_SAMPLE_DATA;
+- samptable[y * w + x] = nsamps;
+- prevsamp = nsamps;
++ (int32_t) one_to_native32 ((uint32_t) cursampline[x]);
++ if (nsamps < prevsamp) return EXR_ERR_INVALID_SAMPLE_DATA;
++
++ cursampline[x] = nsamps;
++ prevsamp = nsamps;
+ }
+- totsamp += prevsamp;
++
++ totsamp += (uint64_t)prevsamp;
+ }
+ }
+
+- if (totsamp < 0 ||
+- (((uint64_t) totsamp) * combSampSize) > decode->chunk.unpacked_size)
++ if ((totsamp * combSampSize) > decode->chunk.unpacked_size)
+ {
+ rv = pctxt->report_error (
+ pctxt, EXR_ERR_INVALID_SAMPLE_DATA, "Corrupt sample count table");
+diff -urNp a/src/lib/OpenEXRCore/unpack.c b/src/lib/OpenEXRCore/unpack.c
+--- a/src/lib/OpenEXRCore/unpack.c 2024-10-23 08:11:05.309383964 +0200
++++ b/src/lib/OpenEXRCore/unpack.c 2024-10-23 08:22:34.488601523 +0200
+@@ -1226,7 +1226,7 @@ generic_unpack_deep_pointers (exr_decode
+ uint8_t* cdata = outpix;
+ UNPACK_SAMPLES (samps)
+ }
+- srcbuffer += bpc * samps;
++ srcbuffer += ((size_t) bpc) * ((size_t) samps);
+ }
+ }
+ sampbuffer += w;
+@@ -1270,12 +1270,14 @@ generic_unpack_deep (exr_decode_pipeline
+ }
+ else
+ prevsamps = sampbuffer[w - 1];
++
+ srcbuffer += ((size_t) bpc) * ((size_t) prevsamps);
+
+ if (incr_tot) totsamps += (size_t) prevsamps;
+
+ continue;
+ }
++
+ cdata += totsamps * ((size_t) ubpc);
+
+ for (int x = 0; x < w; ++x)
+@@ -1291,7 +1293,7 @@ generic_unpack_deep (exr_decode_pipeline
+
+ UNPACK_SAMPLES (samps)
+
+- srcbuffer += bpc * samps;
++ srcbuffer += ((size_t) bpc) * ((size_t) samps);
+ if (incr_tot) totsamps += (size_t) samps;
+ }
+ }
+@@ -1329,7 +1331,7 @@ internal_exr_match_decode (
+
+ if (isdeep)
+ {
+- if ((decode->decode_flags & EXR_DECODE_SAMPLE_COUNTS_AS_INDIVIDUAL))
++ if ((decode->decode_flags & EXR_DECODE_NON_IMAGE_DATA_AS_POINTERS))
+ return &generic_unpack_deep_pointers;
+ return &generic_unpack_deep;
+ }
diff --git a/SPECS/openexr.spec b/SPECS/openexr.spec
index 08589f6..0a8692f 100644
--- a/SPECS/openexr.spec
+++ b/SPECS/openexr.spec
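Review bot: In the embedded decoding.c patch (SOURCES/openexr-CVE-2023-5481.patch, default_decompress_chunk), `sampsize += 1;` runs after `sampsize *= sizeof (int32_t);`, so it adds one byte to a byte count rather than room for one more `int32_t` entry. If the increment is meant to cover the trailing total that unpack_sample_table stores at `samptable[w * h]`, it should be `sampsize += sizeof (int32_t);` or sit above the multiply; the decompress_data argument list continues outside the hunk, so how the size is consumed should be confirmed against the upstream fix. In unpack_sample_table the `else` branch leaves `totsamp` uncapped, so `totsamp * combSampSize` can in principle wrap before it is compared with `decode->chunk.unpacked_size`; the division form `combSampSize != 0 && totsamp > decode->chunk.unpacked_size / combSampSize` avoids that. The store `samptable[w * h] = (uint64_t)totsamp;` writes into an `int32_t` slot and would read more honestly as `(int32_t) totsamp`, and the bare `return EXR_ERR_INVALID_SAMPLE_DATA;` paths skip the `pctxt->report_error` call that the final corrupt-table check uses.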
@@ -3,7 +3,7 @@ Name: openexr Version: 3.1.1 -Release: 2%{?dist} +Release: 2%{?dist}.1 Summary: Provides the specification and reference implementation of the EXR file format License: BSD @@ -16,6 +16,8 @@ BuildRequires: imath-devel BuildRequires: python%{python3_pkgversion}-devel BuildRequires: zlib-devel +Patch1: openexr-CVE-2023-5481.patch + Obsoletes: OpenEXR < 2.5.3 Provides: OpenEXR = %{version}-%{release} @@ -126,6 +128,9 @@ Summary: Development files for %{name} %changelog +* Tue Oct 29 2024 Stepan Broz - 3.1.1-2.1 +- fix CVE-2023-5481 (RHEL-64162) + * Mon Aug 23 2021 Josef Ridky - 3.1.1-2 - fix issue with tests on specified architectures