rpms/OpenEXR
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: RHEL-164926 - fix CVE-2026-34588

Browse Source 
Signed-off-by: Josef Ridky <jridky@redhat.com>
This commit is contained in:
Josef Ridky 2026-04-27 15:12:25 +02:00
parent 27f22f22bd
commit e42e39db59
2 changed files with 107 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
openexr-CVE-2026-34588.patch Normal file
View File

@ -0,0 +1,101 @@
diff --git a/src/lib/OpenEXRCore/internal_piz.c b/src/lib/OpenEXRCore/internal_piz.c
index e4d7cd5b0d..ff12a6c68d 100644
--- a/src/lib/OpenEXRCore/internal_piz.c
+++ b/src/lib/OpenEXRCore/internal_piz.c
@@ -10,6 +10,7 @@
#include "internal_huf.h"
#include "internal_xdr.h"
+#include <limits.h>
#include <string.h>
/**************************************/
@@ -232,10 +233,11 @@ wdec16 (uint16_t l, uint16_t h, uint16_t* a, uint16_t* b)
static void
wav_2D_encode (uint16_t* in, int nx, int ox, int ny, int oy, uint16_t mx)
{
- int w14 = (mx < (1 << 14)) ? 1 : 0;
- int n = (nx > ny) ? ny : nx;
- int p = 1; // == 1 << level
- int p2 = 2; // == 1 << (level+1)
+ int w14 = (mx < (1 << 14)) ? 1 : 0;
+ int n = (nx > ny) ? ny : nx;
+ int p = 1; // == 1 << level
+ int p2 = 2; // == 1 << (level+1)
+ int64_t oy64 = oy;
//
// Hierarchical loop on smaller dimension n
@@ -244,9 +246,9 @@ wav_2D_encode (uint16_t* in, int nx, int ox, int ny, int oy, uint16_t mx)
while (p2 <= n)
{
uint16_t* py = in;
- uint16_t* ey = in + oy * (ny - p2);
- int oy1 = oy * p;
- int oy2 = oy * p2;
+ uint16_t* ey = in + oy64 * (ny - p2);
+ int64_t oy1 = oy64 * p;
+ int64_t oy2 = oy64 * p2;
int ox1 = ox * p;
int ox2 = ox * p2;
uint16_t i00, i01, i10, i11;
@@ -345,10 +347,11 @@ wav_2D_decode (
int oy, // i : y offset
uint16_t mx) // i : maximum in[x][y] value
{
- int w14 = (mx < (1 << 14)) ? 1 : 0;
- int n = (nx > ny) ? ny : nx;
- int p = 1;
- int p2;
+ int w14 = (mx < (1 << 14)) ? 1 : 0;
+ int n = (nx > ny) ? ny : nx;
+ int p = 1;
+ int p2;
+ int64_t oy64 = oy;
//
// Search max level
@@ -368,9 +371,9 @@ wav_2D_decode (
while (p >= 1)
{
uint16_t* py = in;
- uint16_t* ey = in + oy * (ny - p2);
- int oy1 = oy * p;
- int oy2 = oy * p2;
+ uint16_t* ey = in + oy64 * (ny - p2);
+ int64_t oy1 = oy64 * p;
+ int64_t oy2 = oy64 * p2;
int ox1 = ox * p;
int ox2 = ox * p2;
uint16_t i00, i01, i10, i11;
@@ -566,11 +569,13 @@ internal_exr_apply_piz (exr_encode_pipeline_t* encode)
nx = curc->width;
ny = curc->height;
wcount = (int) (curc->bytes_per_element / 2);
+ if (wcount > 0 && nx > INT_MAX / wcount)
+ return EXR_ERR_CORRUPT_CHUNK;
for (int j = 0; j < wcount; ++j)
{
wav_2D_encode (wavbuf + j, nx, wcount, ny, wcount * nx, maxValue);
}
- wavbuf += nx * ny * wcount;
+ wavbuf += (uint64_t) nx * ny * wcount;
}
nBytes = 0;
@@ -722,11 +727,13 @@ internal_exr_undo_piz (
nx = curc->width;
ny = curc->height;
wcount = (int) (curc->bytes_per_element / 2);
+ if (wcount > 0 && nx > INT_MAX / wcount)
+ return EXR_ERR_CORRUPT_CHUNK;
for (int j = 0; j < wcount; ++j)
{
wav_2D_decode (wavbuf + j, nx, wcount, ny, wcount * nx, maxValue);
}
- wavbuf += nx * ny * wcount;
+ wavbuf += (uint64_t) nx * ny * wcount;
}
//

7
openexr.spec
View File

@ -3,7 +3,7 @@
Name: openexr
Version: 3.1.10
Release: 9%{?dist}
Release: 10%{?dist}
Summary: Provides the specification and reference implementation of the EXR file format
License: BSD-3-Clause
@ -21,6 +21,8 @@ Patch2: gcc14.patch
Patch3: openexr-3.1.10-CVE-2023-5841.patch
# Fix CVE 2026-27622
Patch4: openexr-CVE-2026-27622.patch
# Fix CVE 2026-34588
Patch5: openexr-CVE-2026-34588.patch
BuildRequires: cmake gcc gcc-c++
BuildRequires: boost-devel
@ -159,6 +161,9 @@ EXCLUDE_REGEX='ReadDeep|DWA[AB]Compression|testCompression|Rgba|SampleImages|Sha
%changelog
* Mon Apr 27 2026 Josef Ridky <jridky@redhat.com> - 3.1.10-10
- fix CVE-2026-34588
* Mon Mar 23 2026 Josef Ridky <jridky@redhat.com> - 3.1.10-9
- fix CVE-2026-27622