diff -up openexr-1.4.0/IlmImf/ImfHeader.cpp.CVE-2009-1722 openexr-1.4.0/IlmImf/ImfHeader.cpp
--- openexr-1.4.0/IlmImf/ImfHeader.cpp.CVE-2009-1722 2006-06-04 21:04:52.000000000 -0500
+++ openexr-1.4.0/IlmImf/ImfHeader.cpp 2009-07-30 14:01:07.213632289 -0500
@@ -80,6 +80,12 @@ using IlmThread::Lock;
namespace {
+int maxImageWidth = 0;
+int maxImageHeight = 0;
+int maxTileWidth = 0;
+int maxTileHeight = 0;
+
+
void
initialize (Header &header,
const Box2i &displayWindow,
@@ -514,21 +520,50 @@ void
Header::sanityCheck (bool isTiled) const
{
//
- // The display window and the data window
- // must contain at least one pixel each.
+ // The display window and the data window must each
+ // contain at least one pixel. In addition, the
+ // coordinates of the window corners must be small
+ // enough to keep expressions like max-min+1 or
+ // max+min from overflowing.
//
const Box2i &displayWindow = this->displayWindow();
if (displayWindow.min.x > displayWindow.max.x ||
- displayWindow.min.y > displayWindow.max.y)
+ displayWindow.min.y > displayWindow.max.y ||
+ displayWindow.min.x <= -(INT_MAX / 2) ||
+ displayWindow.min.y <= -(INT_MAX / 2) ||
+ displayWindow.max.x >= (INT_MAX / 2) ||
+ displayWindow.max.y >= (INT_MAX / 2))
+ {
throw Iex::ArgExc ("Invalid display window in image header.");
+ }
const Box2i &dataWindow = this->dataWindow();
if (dataWindow.min.x > dataWindow.max.x ||
- dataWindow.min.y > dataWindow.max.y)
+ dataWindow.min.y > dataWindow.max.y ||
+ dataWindow.min.x <= -(INT_MAX / 2) ||
+ dataWindow.min.y <= -(INT_MAX / 2) ||
+ dataWindow.max.x >= (INT_MAX / 2) ||
+ dataWindow.max.y >= (INT_MAX / 2))
+ {
throw Iex::ArgExc ("Invalid data window in image header.");
+ }
+
+ if (maxImageWidth > 0 &&
+ maxImageWidth < dataWindow.max.x - dataWindow.min.x + 1)
+ {
+ THROW (Iex::ArgExc, "The width of the data window exceeds the "
+ "maximum width of " << maxImageWidth << "pixels.");
+ }
+
+ if (maxImageHeight > 0 &&
+ maxImageHeight < dataWindow.max.y - dataWindow.min.y + 1)
+ {
+ THROW (Iex::ArgExc, "The width of the data window exceeds the "
+ "maximum width of " << maxImageHeight << "pixels.");
+ }
//
// The pixel aspect ratio must be greater than 0.
@@ -587,6 +622,20 @@ Header::sanityCheck (bool isTiled) const
if (tileDesc.xSize <= 0 || tileDesc.ySize <= 0)
throw Iex::ArgExc ("Invalid tile size in image header.");
+ if (maxTileWidth > 0 &&
+ maxTileWidth < tileDesc.xSize)
+ {
+ THROW (Iex::ArgExc, "The width of the tiles exceeds the maximum "
+ "width of " << maxTileWidth << "pixels.");
+ }
+
+ if (maxTileHeight > 0 &&
+ maxTileHeight < tileDesc.ySize)
+ {
+ THROW (Iex::ArgExc, "The width of the tiles exceeds the maximum "
+ "width of " << maxTileHeight << "pixels.");
+ }
+
if (tileDesc.mode != ONE_LEVEL &&
tileDesc.mode != MIPMAP_LEVELS &&
tileDesc.mode != RIPMAP_LEVELS)
@@ -725,6 +774,22 @@ Header::sanityCheck (bool isTiled) const
}
+void
+Header::setMaxImageSize (int maxWidth, int maxHeight)
+{
+ maxImageWidth = maxWidth;
+ maxImageHeight = maxHeight;
+}
+
+
+void
+Header::setMaxTileSize (int maxWidth, int maxHeight)
+{
+ maxTileWidth = maxWidth;
+ maxTileHeight = maxHeight;
+}
+
+
Int64
Header::writeTo (OStream &os, bool isTiled) const
{
diff -up openexr-1.4.0/IlmImf/ImfHeader.h.CVE-2009-1722 openexr-1.4.0/IlmImf/ImfHeader.h
--- openexr-1.4.0/IlmImf/ImfHeader.h.CVE-2009-1722 2006-06-04 21:04:52.000000000 -0500
+++ openexr-1.4.0/IlmImf/ImfHeader.h 2009-07-30 14:01:07.213632289 -0500
@@ -299,6 +299,26 @@ class Header
void sanityCheck (bool isTiled = false) const;
+ //----------------------------------------------------------------
+ // Maximum image size and maximim tile size:
+ //
+ // sanityCheck() will throw an exception if the width or height of
+ // the data window exceeds the maximum image width or height, or
+ // if the size of a tile exceeds the maximum tile width or height.
+ //
+ // At program startup the maximum image and tile width and height
+ // are set to zero, meaning that width and height are unlimited.
+ //
+ // Limiting image and tile width and height limits how much memory
+ // will be allocated when a file is opened. This can help protect
+ // applications from running out of memory while trying to read
+ // a damaged image file.
+ //----------------------------------------------------------------
+
+ static void setMaxImageSize (int maxWidth, int maxHeight);
+ static void setMaxTileSize (int maxWidth, int maxHeight);
+
+
//------------------------------------------------------------------
// Input and output:
//
diff -up openexr-1.4.0/IlmImf/ImfPizCompressor.cpp.CVE-2009-1722 openexr-1.4.0/IlmImf/ImfPizCompressor.cpp
--- openexr-1.4.0/IlmImf/ImfPizCompressor.cpp.CVE-2009-1722 2009-07-30 14:01:07.205616394 -0500
+++ openexr-1.4.0/IlmImf/ImfPizCompressor.cpp 2009-07-30 14:01:07.214632487 -0500
@@ -60,6 +60,7 @@ using Imath::divp;
using Imath::modp;
using Imath::Box2i;
using Imath::V2i;
+using Iex::InputExc;
namespace {
@@ -556,6 +557,12 @@ PizCompressor::uncompress (const char *i
Xdr::read <CharPtrIO> (inPtr, minNonZero);
Xdr::read <CharPtrIO> (inPtr, maxNonZero);
+ if (maxNonZero >= BITMAP_SIZE)
+ {
+ throw InputExc ("Error in header for PIZ-compressed data "
+ "(invalid bitmap size).");
+ }
+
if (minNonZero <= maxNonZero)
{
Xdr::read <CharPtrIO> (inPtr, (char *) &bitmap[0] + minNonZero,