1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
From c2b32f21cbe2db7c7ef485d62ffe9bec8eaa5165 Mon Sep 17 00:00:00 2001
From: Shawn Walker-Salas <shawn.walker@oracle.com>
Date: Tue, 30 May 2017 19:07:52 -0700
Subject: [PATCH] CVE-2017-{9110,9111,9112,9113,9114,9115,9116} fixes
---
OpenEXR/IlmImf/ImfDwaCompressor.cpp | 7 ++++++-
OpenEXR/IlmImf/ImfHuf.cpp | 10 ++++++----
OpenEXR/IlmImf/ImfPizCompressor.cpp | 6 ++++++
3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/IlmImf/ImfDwaCompressor.cpp b/IlmImf/ImfDwaCompressor.cpp
index 1c1bd45..2ef8878 100644
--- a/IlmImf/ImfDwaCompressor.cpp
+++ b/IlmImf/ImfDwaCompressor.cpp
@@ -2377,7 +2377,12 @@ DwaCompressor::uncompress
const char *dataPtr = inPtr + NUM_SIZES_SINGLE * sizeof(Int64);
- if (inSize < headerSize + compressedSize)
+ /* Both the sum and individual sizes are checked in case of overflow. */
+ if (inSize < (headerSize + compressedSize) ||
+ inSize < unknownCompressedSize ||
+ inSize < acCompressedSize ||
+ inSize < dcCompressedSize ||
+ inSize < rleCompressedSize)
{
throw Iex::InputExc("Error uncompressing DWA data"
"(truncated file).");
diff --git a/IlmImf/ImfHuf.cpp b/IlmImf/ImfHuf.cpp
index a375d05..97909a5 100644
--- a/IlmImf/ImfHuf.cpp
+++ b/IlmImf/ImfHuf.cpp
@@ -822,7 +822,7 @@ hufEncode // return: output size (in bits)
}
-#define getCode(po, rlc, c, lc, in, out, oe) \
+#define getCode(po, rlc, c, lc, in, out, ob, oe)\
{ \
if (po == rlc) \
{ \
@@ -835,6 +835,8 @@ hufEncode // return: output size (in bits)
\
if (out + cs > oe) \
tooMuchData(); \
+ else if (out - 1 < ob) \
+ notEnoughData(); \
\
unsigned short s = out[-1]; \
\
@@ -895,7 +897,7 @@ hufDecode
//
lc -= pl.len;
- getCode (pl.lit, rlc, c, lc, in, out, oe);
+ getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
}
else
{
@@ -925,7 +927,7 @@ hufDecode
//
lc -= l;
- getCode (pl.p[j], rlc, c, lc, in, out, oe);
+ getCode (pl.p[j], rlc, c, lc, in, out, outb, oe);
break;
}
}
@@ -952,7 +954,7 @@ hufDecode
if (pl.len)
{
lc -= pl.len;
- getCode (pl.lit, rlc, c, lc, in, out, oe);
+ getCode (pl.lit, rlc, c, lc, in, out, outb, oe);
}
else
{
diff --git a/IlmImf/ImfPizCompressor.cpp b/IlmImf/ImfPizCompressor.cpp
index 46c6fba..8b3ee38 100644
--- a/IlmImf/ImfPizCompressor.cpp
+++ b/IlmImf/ImfPizCompressor.cpp
@@ -573,6 +573,12 @@ PizCompressor::uncompress (const char *inPtr,
int length;
Xdr::read <CharPtrIO> (inPtr, length);
+ if (length > inSize)
+ {
+ throw InputExc ("Error in header for PIZ-compressed data "
+ "(invalid array length).");
+ }
+
hufUncompress (inPtr, length, _tmpBuffer, tmpBufferEnd - _tmpBuffer);
//
--
2.14.1
|
