From: Markus Koschany Date: Thu, 8 Dec 2022 12:58:48 +0100 Subject: CVE-2021-23215 Origin: https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d --- OpenEXR/IlmImf/ImfDwaCompressor.cpp | 62 ++++++++++++++++++++++--------------- OpenEXR/IlmImf/ImfDwaCompressor.h | 20 ++++++------ 2 files changed, 47 insertions(+), 35 deletions(-) diff --git a/OpenEXR/IlmImf/ImfDwaCompressor.cpp b/OpenEXR/IlmImf/ImfDwaCompressor.cpp index a50a58c..b300f77 100644 --- a/OpenEXR/IlmImf/ImfDwaCompressor.cpp +++ b/OpenEXR/IlmImf/ImfDwaCompressor.cpp @@ -2605,6 +2605,14 @@ DwaCompressor::uncompress throw IEX_NAMESPACE::BaseExc("DC data corrupt."); } } + else + { + // if the compressed size is 0, then the uncompressed size must also be zero + if (totalDcUncompressedCount!=0) + { + throw IEX_NAMESPACE::BaseExc("DC data corrupt."); + } + } // // Uncompress the RLE data into _rleBuffer, then unRLE the results @@ -2931,19 +2939,21 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize) // of channels we have. // - int maxOutBufferSize = 0; - int numLossyDctChans = 0; - int unknownBufferSize = 0; - int rleBufferSize = 0; + Int64 maxOutBufferSize = 0; + Int64 numLossyDctChans = 0; + Int64 unknownBufferSize = 0; + Int64 rleBufferSize = 0; - int maxLossyDctAcSize = (int)ceil ((float)numScanLines() / 8.0f) * - (int)ceil ((float)(_max[0] - _min[0] + 1) / 8.0f) * + Int64 maxLossyDctAcSize = static_cast(ceil ((float)numScanLines() / 8.0f)) * + static_cast(ceil ((float)(_max[0] - _min[0] + 1) / 8.0f)) * 63 * sizeof (unsigned short); - int maxLossyDctDcSize = (int)ceil ((float)numScanLines() / 8.0f) * - (int)ceil ((float)(_max[0] - _min[0] + 1) / 8.0f) * + Int64 maxLossyDctDcSize = static_cast(ceil ((float)numScanLines() / 8.0f)) * + static_cast(ceil ((float)(_max[0] - _min[0] + 1) / 8.0f)) * sizeof (unsigned short); + Int64 pixelCount = static_cast(numScanLines()) * static_cast(_max[0] - _min[0] + 1); + for (unsigned int chan = 0; chan < _channelData.size(); ++chan) { switch (_channelData[chan].compression) @@ -2971,8 +2981,7 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize) // of the source data. // - int rleAmount = 2 * numScanLines() * (_max[0] - _min[0] + 1) * - OPENEXR_IMF_NAMESPACE::pixelTypeSize (_channelData[chan].type); + Int64 rleAmount = 2 * pixelCount * OPENEXR_IMF_NAMESPACE::pixelTypeSize (_channelData[chan].type); rleBufferSize += rleAmount; } @@ -2981,8 +2990,7 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize) case UNKNOWN: - unknownBufferSize += numScanLines() * (_max[0] - _min[0] + 1) * - OPENEXR_IMF_NAMESPACE::pixelTypeSize (_channelData[chan].type); + unknownBufferSize += pixelCount * OPENEXR_IMF_NAMESPACE::pixelTypeSize (_channelData[chan].type); break; default: @@ -2999,13 +3007,13 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize) // which could take slightly more space // - maxOutBufferSize += (int)compressBound ((uLongf)rleBufferSize); + maxOutBufferSize += static_cast(compressBound (rleBufferSize)); // // And the same goes for the UNKNOWN data // - maxOutBufferSize += (int)compressBound ((uLongf)unknownBufferSize); + maxOutBufferSize += static_cast(compressBound (unknownBufferSize)); // // Allocate a zip/deflate compressor big enought to hold the DC data @@ -3052,7 +3060,7 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize) // to Huffman encoding // - if (static_cast(maxLossyDctAcSize * numLossyDctChans) > _packedAcBufferSize) + if (maxLossyDctAcSize * numLossyDctChans > _packedAcBufferSize) { _packedAcBufferSize = maxLossyDctAcSize * numLossyDctChans; if (_packedAcBuffer != 0) @@ -3064,7 +3072,7 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize) // _packedDcBuffer holds one quantized DCT coef per 8x8 block // - if (static_cast(maxLossyDctDcSize * numLossyDctChans) > _packedDcBufferSize) + if (maxLossyDctDcSize * numLossyDctChans > _packedDcBufferSize) { _packedDcBufferSize = maxLossyDctDcSize * numLossyDctChans; if (_packedDcBuffer != 0) @@ -3072,7 +3080,7 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize) _packedDcBuffer = new char[_packedDcBufferSize]; } - if (static_cast(rleBufferSize) > _rleBufferSize) + if ( rleBufferSize > _rleBufferSize ) { _rleBufferSize = rleBufferSize; if (_rleBuffer != 0) @@ -3091,7 +3099,7 @@ DwaCompressor::initializeBuffers (size_t &outBufferSize) // all in one swoop (for each compression scheme). // - int planarUncBufferSize[NUM_COMPRESSOR_SCHEMES]; + Int64 planarUncBufferSize[NUM_COMPRESSOR_SCHEMES]; for (int i=0; i 0) { - planarUncBufferSize[UNKNOWN] = - compressBound ((uLongf)planarUncBufferSize[UNKNOWN]); + planarUncBufferSize[UNKNOWN] = + static_cast( compressBound (planarUncBufferSize[UNKNOWN]) ); } for (int i = 0; i < NUM_COMPRESSOR_SCHEMES; ++i) { - if (static_cast(planarUncBufferSize[i]) > _planarUncBufferSize[i]) + if ( planarUncBufferSize[i] > _planarUncBufferSize[i]) { _planarUncBufferSize[i] = planarUncBufferSize[i]; if (_planarUncBuffer[i] != 0) delete[] _planarUncBuffer[i]; + + if (planarUncBufferSize[i] > std::numeric_limits::max()) + { + throw IEX_NAMESPACE::ArgExc("DWA buffers too large"); + } + _planarUncBuffer[i] = new char[planarUncBufferSize[i]]; } } diff --git a/OpenEXR/IlmImf/ImfDwaCompressor.h b/OpenEXR/IlmImf/ImfDwaCompressor.h index 04550a1..012819c 100644 --- a/OpenEXR/IlmImf/ImfDwaCompressor.h +++ b/OpenEXR/IlmImf/ImfDwaCompressor.h @@ -169,16 +169,16 @@ class DwaCompressor: public Compressor std::vector _cscSets; std::vector _channelRules; - char *_packedAcBuffer; - size_t _packedAcBufferSize; - char *_packedDcBuffer; - size_t _packedDcBufferSize; - char *_rleBuffer; - size_t _rleBufferSize; - char *_outBuffer; - size_t _outBufferSize; - char *_planarUncBuffer[NUM_COMPRESSOR_SCHEMES]; - size_t _planarUncBufferSize[NUM_COMPRESSOR_SCHEMES]; + char* _packedAcBuffer; + Int64 _packedAcBufferSize; + char* _packedDcBuffer; + Int64 _packedDcBufferSize; + char* _rleBuffer; + Int64 _rleBufferSize; + char* _outBuffer; + Int64 _outBufferSize; + char* _planarUncBuffer[NUM_COMPRESSOR_SCHEMES]; + Int64 _planarUncBufferSize[NUM_COMPRESSOR_SCHEMES]; Zip *_zip; float _dwaCompressionLevel;