rpms/OpenEXR
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI openexr-3.1.1-2.el9_4.1

Browse Source
This commit is contained in:
eabdullin 2024-11-04 20:51:37 +00:00
parent 3a6b0718bc
commit 7cec6b4dd6
2 changed files with 131 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

125
SOURCES/openexr-CVE-2023-5481.patch Normal file
View File

@ -0,0 +1,125 @@
diff -urNp a/src/lib/OpenEXRCore/decoding.c b/src/lib/OpenEXRCore/decoding.c
--- a/src/lib/OpenEXRCore/decoding.c 2024-10-23 08:11:05.307383943 +0200
+++ b/src/lib/OpenEXRCore/decoding.c 2024-10-23 08:18:26.077991254 +0200
@@ -292,6 +292,9 @@ default_decompress_chunk (exr_decode_pip
(((uint64_t) decode->chunk.width) * ((uint64_t) decode->chunk.height));
sampsize *= sizeof (int32_t);
+ if ((decode->decode_flags & EXR_DECODE_SAMPLE_COUNTS_AS_INDIVIDUAL))
+ sampsize += 1;
+
rv = decompress_data (
pctxt,
part->comp_type,
@@ -342,7 +345,7 @@ unpack_sample_table (
exr_result_t rv = EXR_ERR_SUCCESS;
int32_t w = decode->chunk.width;
int32_t h = decode->chunk.height;
- int32_t totsamp = 0;
+ uint64_t totsamp = 0;
int32_t* samptable = decode->sample_count_table;
size_t combSampSize = 0;
@@ -353,38 +356,44 @@ unpack_sample_table (
{
for (int32_t y = 0; y < h; ++y)
{
+ int32_t *cursampline = samptable + y * w;
int32_t prevsamp = 0;
for (int32_t x = 0; x < w; ++x)
{
int32_t nsamps =
- (int32_t) one_to_native32 ((uint32_t) samptable[y * w + x]);
- if (nsamps < 0) return EXR_ERR_INVALID_SAMPLE_DATA;
- samptable[y * w + x] = nsamps - prevsamp;
- prevsamp = nsamps;
+ (int32_t) one_to_native32 ((uint32_t) cursampline[x]);
+ if (nsamps < prevsamp) return EXR_ERR_INVALID_SAMPLE_DATA;
+
+ cursampline[x] = nsamps - prevsamp;
+ prevsamp = nsamps;
}
- totsamp += prevsamp;
+ totsamp += (uint64_t)prevsamp;
}
- samptable[w * h] = totsamp;
+ if (totsamp >= (uint64_t)INT32_MAX)
+ return EXR_ERR_INVALID_SAMPLE_DATA;
+ samptable[w * h] = (uint64_t)totsamp;
}
else
{
for (int32_t y = 0; y < h; ++y)
{
+ int32_t *cursampline = samptable + y * w;
int32_t prevsamp = 0;
for (int32_t x = 0; x < w; ++x)
{
int32_t nsamps =
- (int32_t) one_to_native32 ((uint32_t) samptable[y * w + x]);
- if (nsamps < 0) return EXR_ERR_INVALID_SAMPLE_DATA;
- samptable[y * w + x] = nsamps;
- prevsamp = nsamps;
+ (int32_t) one_to_native32 ((uint32_t) cursampline[x]);
+ if (nsamps < prevsamp) return EXR_ERR_INVALID_SAMPLE_DATA;
+
+ cursampline[x] = nsamps;
+ prevsamp = nsamps;
}
- totsamp += prevsamp;
+
+ totsamp += (uint64_t)prevsamp;
}
}
- if (totsamp < 0 ||
- (((uint64_t) totsamp) * combSampSize) > decode->chunk.unpacked_size)
+ if ((totsamp * combSampSize) > decode->chunk.unpacked_size)
{
rv = pctxt->report_error (
pctxt, EXR_ERR_INVALID_SAMPLE_DATA, "Corrupt sample count table");
diff -urNp a/src/lib/OpenEXRCore/unpack.c b/src/lib/OpenEXRCore/unpack.c
--- a/src/lib/OpenEXRCore/unpack.c 2024-10-23 08:11:05.309383964 +0200
+++ b/src/lib/OpenEXRCore/unpack.c 2024-10-23 08:22:34.488601523 +0200
@@ -1226,7 +1226,7 @@ generic_unpack_deep_pointers (exr_decode
uint8_t* cdata = outpix;
UNPACK_SAMPLES (samps)
}
- srcbuffer += bpc * samps;
+ srcbuffer += ((size_t) bpc) * ((size_t) samps);
}
}
sampbuffer += w;
@@ -1270,12 +1270,14 @@ generic_unpack_deep (exr_decode_pipeline
}
else
prevsamps = sampbuffer[w - 1];
+
srcbuffer += ((size_t) bpc) * ((size_t) prevsamps);
if (incr_tot) totsamps += (size_t) prevsamps;
continue;
}
+
cdata += totsamps * ((size_t) ubpc);
for (int x = 0; x < w; ++x)
@@ -1291,7 +1293,7 @@ generic_unpack_deep (exr_decode_pipeline
UNPACK_SAMPLES (samps)
- srcbuffer += bpc * samps;
+ srcbuffer += ((size_t) bpc) * ((size_t) samps);
if (incr_tot) totsamps += (size_t) samps;
}
}
@@ -1329,7 +1331,7 @@ internal_exr_match_decode (
if (isdeep)
{
- if ((decode->decode_flags & EXR_DECODE_SAMPLE_COUNTS_AS_INDIVIDUAL))
+ if ((decode->decode_flags & EXR_DECODE_NON_IMAGE_DATA_AS_POINTERS))
return &generic_unpack_deep_pointers;
return &generic_unpack_deep;
}

7
SPECS/openexr.spec
View File

@ -3,7 +3,7 @@
Name: openexr Name: openexr
Version: 3.1.1 Version: 3.1.1
Release: 2%{?dist} Release: 2%{?dist}.1
Summary: Provides the specification and reference implementation of the EXR file format Summary: Provides the specification and reference implementation of the EXR file format
License: BSD License: BSD
@ -16,6 +16,8 @@ BuildRequires: imath-devel
BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
Patch1: openexr-CVE-2023-5481.patch
Obsoletes: OpenEXR < 2.5.3 Obsoletes: OpenEXR < 2.5.3
Provides: OpenEXR = %{version}-%{release} Provides: OpenEXR = %{version}-%{release}
@ -126,6 +128,9 @@ Summary: Development files for %{name}
%changelog %changelog
* Tue Oct 29 2024 Stepan Broz <sbroz@redhat.com> - 3.1.1-2.1
- fix CVE-2023-5481 (RHEL-64162)
* Mon Aug 23 2021 Josef Ridky <jridky@redhat.com> - 3.1.1-2 * Mon Aug 23 2021 Josef Ridky <jridky@redhat.com> - 3.1.1-2
- fix issue with tests on specified architectures - fix issue with tests on specified architectures