diff -urNp a/src/lib/OpenEXRCore/decoding.c b/src/lib/OpenEXRCore/decoding.c --- a/src/lib/OpenEXRCore/decoding.c 2024-10-23 08:11:05.307383943 +0200 +++ b/src/lib/OpenEXRCore/decoding.c 2024-10-23 08:18:26.077991254 +0200 @@ -292,6 +292,9 @@ default_decompress_chunk (exr_decode_pip (((uint64_t) decode->chunk.width) * ((uint64_t) decode->chunk.height)); sampsize *= sizeof (int32_t); + if ((decode->decode_flags & EXR_DECODE_SAMPLE_COUNTS_AS_INDIVIDUAL)) + sampsize += 1; + rv = decompress_data ( pctxt, part->comp_type, @@ -342,7 +345,7 @@ unpack_sample_table ( exr_result_t rv = EXR_ERR_SUCCESS; int32_t w = decode->chunk.width; int32_t h = decode->chunk.height; - int32_t totsamp = 0; + uint64_t totsamp = 0; int32_t* samptable = decode->sample_count_table; size_t combSampSize = 0; @@ -353,38 +356,44 @@ unpack_sample_table ( { for (int32_t y = 0; y < h; ++y) { + int32_t *cursampline = samptable + y * w; int32_t prevsamp = 0; for (int32_t x = 0; x < w; ++x) { int32_t nsamps = - (int32_t) one_to_native32 ((uint32_t) samptable[y * w + x]); - if (nsamps < 0) return EXR_ERR_INVALID_SAMPLE_DATA; - samptable[y * w + x] = nsamps - prevsamp; - prevsamp = nsamps; + (int32_t) one_to_native32 ((uint32_t) cursampline[x]); + if (nsamps < prevsamp) return EXR_ERR_INVALID_SAMPLE_DATA; + + cursampline[x] = nsamps - prevsamp; + prevsamp = nsamps; } - totsamp += prevsamp; + totsamp += (uint64_t)prevsamp; } - samptable[w * h] = totsamp; + if (totsamp >= (uint64_t)INT32_MAX) + return EXR_ERR_INVALID_SAMPLE_DATA; + samptable[w * h] = (uint64_t)totsamp; } else { for (int32_t y = 0; y < h; ++y) { + int32_t *cursampline = samptable + y * w; int32_t prevsamp = 0; for (int32_t x = 0; x < w; ++x) { int32_t nsamps = - (int32_t) one_to_native32 ((uint32_t) samptable[y * w + x]); - if (nsamps < 0) return EXR_ERR_INVALID_SAMPLE_DATA; - samptable[y * w + x] = nsamps; - prevsamp = nsamps; + (int32_t) one_to_native32 ((uint32_t) cursampline[x]); + if (nsamps < prevsamp) return EXR_ERR_INVALID_SAMPLE_DATA; + + cursampline[x] = nsamps; + prevsamp = nsamps; } - totsamp += prevsamp; + + totsamp += (uint64_t)prevsamp; } } - if (totsamp < 0 || - (((uint64_t) totsamp) * combSampSize) > decode->chunk.unpacked_size) + if ((totsamp * combSampSize) > decode->chunk.unpacked_size) { rv = pctxt->report_error ( pctxt, EXR_ERR_INVALID_SAMPLE_DATA, "Corrupt sample count table"); diff -urNp a/src/lib/OpenEXRCore/unpack.c b/src/lib/OpenEXRCore/unpack.c --- a/src/lib/OpenEXRCore/unpack.c 2024-10-23 08:11:05.309383964 +0200 +++ b/src/lib/OpenEXRCore/unpack.c 2024-10-23 08:22:34.488601523 +0200 @@ -1226,7 +1226,7 @@ generic_unpack_deep_pointers (exr_decode uint8_t* cdata = outpix; UNPACK_SAMPLES (samps) } - srcbuffer += bpc * samps; + srcbuffer += ((size_t) bpc) * ((size_t) samps); } } sampbuffer += w; @@ -1270,12 +1270,14 @@ generic_unpack_deep (exr_decode_pipeline } else prevsamps = sampbuffer[w - 1]; + srcbuffer += ((size_t) bpc) * ((size_t) prevsamps); if (incr_tot) totsamps += (size_t) prevsamps; continue; } + cdata += totsamps * ((size_t) ubpc); for (int x = 0; x < w; ++x) @@ -1291,7 +1293,7 @@ generic_unpack_deep (exr_decode_pipeline UNPACK_SAMPLES (samps) - srcbuffer += bpc * samps; + srcbuffer += ((size_t) bpc) * ((size_t) samps); if (incr_tot) totsamps += (size_t) samps; } } @@ -1329,7 +1331,7 @@ internal_exr_match_decode ( if (isdeep) { - if ((decode->decode_flags & EXR_DECODE_SAMPLE_COUNTS_AS_INDIVIDUAL)) + if ((decode->decode_flags & EXR_DECODE_NON_IMAGE_DATA_AS_POINTERS)) return &generic_unpack_deep_pointers; return &generic_unpack_deep; }