rpms / OpenEXR

Clone
Source Code
GIT

Files

el4 el5 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f7 f8 f9 fc6 main rawhide
  1.   el4
  2.   openexr-1.4.0-CVE-2009-1722.patch
Blob Blame History Raw 
diff -up openexr-1.4.0/IlmImf/ImfHeader.cpp.CVE-2009-1722 openexr-1.4.0/IlmImf/ImfHeader.cpp
--- openexr-1.4.0/IlmImf/ImfHeader.cpp.CVE-2009-1722	2006-06-04 21:04:52.000000000 -0500
+++ openexr-1.4.0/IlmImf/ImfHeader.cpp	2009-07-30 14:01:07.213632289 -0500
@@ -80,6 +80,12 @@ using IlmThread::Lock;
 
 namespace {
 
+int maxImageWidth = 0;
+int maxImageHeight = 0;
+int maxTileWidth = 0;
+int maxTileHeight = 0;
+
+
 void
 initialize (Header &header,
 	    const Box2i &displayWindow,
@@ -514,21 +520,50 @@ void		
 Header::sanityCheck (bool isTiled) const
 {
     //
-    // The display window and the data window
-    // must contain at least one pixel each.
+    // The display window and the data window must each
+    // contain at least one pixel.  In addition, the
+    // coordinates of the window corners must be small
+    // enough to keep expressions like max-min+1 or
+    // max+min from overflowing.
     //
 
     const Box2i &displayWindow = this->displayWindow();
 
     if (displayWindow.min.x > displayWindow.max.x ||
-	displayWindow.min.y > displayWindow.max.y)
+	displayWindow.min.y > displayWindow.max.y ||
+	displayWindow.min.x <= -(INT_MAX / 2) ||
+	displayWindow.min.y <= -(INT_MAX / 2) ||
+	displayWindow.max.x >=  (INT_MAX / 2) ||
+	displayWindow.max.y >=  (INT_MAX / 2))
+    {
 	throw Iex::ArgExc ("Invalid display window in image header.");
+    }
 
     const Box2i &dataWindow = this->dataWindow();
 
     if (dataWindow.min.x > dataWindow.max.x ||
-	dataWindow.min.y > dataWindow.max.y)
+	dataWindow.min.y > dataWindow.max.y ||
+	dataWindow.min.x <= -(INT_MAX / 2) ||
+	dataWindow.min.y <= -(INT_MAX / 2) ||
+	dataWindow.max.x >=  (INT_MAX / 2) ||
+	dataWindow.max.y >=  (INT_MAX / 2))
+    {
 	throw Iex::ArgExc ("Invalid data window in image header.");
+    }
+
+    if (maxImageWidth > 0 &&
+	maxImageWidth < dataWindow.max.x - dataWindow.min.x + 1)
+    {
+	THROW (Iex::ArgExc, "The width of the data window exceeds the "
+			    "maximum width of " << maxImageWidth << "pixels.");
+    }
+
+    if (maxImageHeight > 0 &&
+	maxImageHeight < dataWindow.max.y - dataWindow.min.y + 1)
+    {
+	THROW (Iex::ArgExc, "The width of the data window exceeds the "
+			    "maximum width of " << maxImageHeight << "pixels.");
+    }
 
     //
     // The pixel aspect ratio must be greater than 0.
@@ -587,6 +622,20 @@ Header::sanityCheck (bool isTiled) const
 	if (tileDesc.xSize <= 0 || tileDesc.ySize <= 0)
 	    throw Iex::ArgExc ("Invalid tile size in image header.");
 
+	if (maxTileWidth > 0 &&
+	    maxTileWidth < tileDesc.xSize)
+	{
+	    THROW (Iex::ArgExc, "The width of the tiles exceeds the maximum "
+				"width of " << maxTileWidth << "pixels.");
+	}
+
+	if (maxTileHeight > 0 &&
+	    maxTileHeight < tileDesc.ySize)
+	{
+	    THROW (Iex::ArgExc, "The width of the tiles exceeds the maximum "
+				"width of " << maxTileHeight << "pixels.");
+	}
+
 	if (tileDesc.mode != ONE_LEVEL &&
 	    tileDesc.mode != MIPMAP_LEVELS &&
 	    tileDesc.mode != RIPMAP_LEVELS)
@@ -725,6 +774,22 @@ Header::sanityCheck (bool isTiled) const
 }
 
 
+void		
+Header::setMaxImageSize (int maxWidth, int maxHeight)
+{
+    maxImageWidth = maxWidth;
+    maxImageHeight = maxHeight;
+}
+
+
+void		
+Header::setMaxTileSize (int maxWidth, int maxHeight)
+{
+    maxTileWidth = maxWidth;
+    maxTileHeight = maxHeight;
+}
+
+
 Int64
 Header::writeTo (OStream &os, bool isTiled) const
 {
diff -up openexr-1.4.0/IlmImf/ImfHeader.h.CVE-2009-1722 openexr-1.4.0/IlmImf/ImfHeader.h
--- openexr-1.4.0/IlmImf/ImfHeader.h.CVE-2009-1722	2006-06-04 21:04:52.000000000 -0500
+++ openexr-1.4.0/IlmImf/ImfHeader.h	2009-07-30 14:01:07.213632289 -0500
@@ -299,6 +299,26 @@ class Header
     void			sanityCheck (bool isTiled = false) const;
 
 
+    //----------------------------------------------------------------
+    // Maximum image size and maximim tile size:
+    //
+    // sanityCheck() will throw an exception if the width or height of
+    // the data window exceeds the maximum image width or height, or
+    // if the size of a tile exceeds the maximum tile width or height.
+    // 
+    // At program startup the maximum image and tile width and height
+    // are set to zero, meaning that width and height are unlimited.
+    //
+    // Limiting image and tile width and height limits how much memory
+    // will be allocated when a file is opened.  This can help protect
+    // applications from running out of memory while trying to read
+    // a damaged image file.
+    //----------------------------------------------------------------
+
+    static void			setMaxImageSize (int maxWidth, int maxHeight);
+    static void			setMaxTileSize (int maxWidth, int maxHeight);
+
+
     //------------------------------------------------------------------
     // Input and output:
     //
diff -up openexr-1.4.0/IlmImf/ImfPizCompressor.cpp.CVE-2009-1722 openexr-1.4.0/IlmImf/ImfPizCompressor.cpp
--- openexr-1.4.0/IlmImf/ImfPizCompressor.cpp.CVE-2009-1722	2009-07-30 14:01:07.205616394 -0500
+++ openexr-1.4.0/IlmImf/ImfPizCompressor.cpp	2009-07-30 14:01:07.214632487 -0500
@@ -60,6 +60,7 @@ using Imath::divp;
 using Imath::modp;
 using Imath::Box2i;
 using Imath::V2i;
+using Iex::InputExc;
 
 namespace {
 
@@ -556,6 +557,12 @@ PizCompressor::uncompress (const char *i
     Xdr::read <CharPtrIO> (inPtr, minNonZero);
     Xdr::read <CharPtrIO> (inPtr, maxNonZero);
 
+    if (maxNonZero >= BITMAP_SIZE)
+    {
+	throw InputExc ("Error in header for PIZ-compressed data "
+			"(invalid bitmap size).");
+    }
+
     if (minNonZero <= maxNonZero)
     {
 	Xdr::read <CharPtrIO> (inPtr, (char *) &bitmap[0] + minNonZero,
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.