rpms/OpenEXR/devel openexr-1.6.1-CVE-2009-1720-1.patch, NONE, 1.1 openexr-1.6.1-CVE-2009-1720-2.patch, NONE, 1.1 openexr-1.6.1-CVE-2009-1721.patch, NONE, 1.1 OpenEXR.spec, 1.28, 1.29

Rex Dieter rdieter at fedoraproject.org
Wed Jul 29 18:31:48 UTC 2009


Author: rdieter

Update of /cvs/pkgs/rpms/OpenEXR/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3310

Modified Files:
	OpenEXR.spec 
Added Files:
	openexr-1.6.1-CVE-2009-1720-1.patch 
	openexr-1.6.1-CVE-2009-1720-2.patch 
	openexr-1.6.1-CVE-2009-1721.patch 
Log Message:
* Wed Jul 29 2009 Rex Dieter <rdieter at fedoraproject.org> 1.6.1-8
- CVE-2009-1720 OpenEXR: Multiple integer overflows (#513995)
- CVE-2009-1721 OpenEXR: Invalid pointer free by image decompression (#514003)


openexr-1.6.1-CVE-2009-1720-1.patch:
 ImfPreviewImage.cpp |    4 ++++
 1 file changed, 4 insertions(+)

--- NEW FILE openexr-1.6.1-CVE-2009-1720-1.patch ---
diff -up openexr-1.6.1/IlmImf/ImfPreviewImage.cpp.CVE-2009-1720-1 openexr-1.6.1/IlmImf/ImfPreviewImage.cpp
--- openexr-1.6.1/IlmImf/ImfPreviewImage.cpp.CVE-2009-1720-1	2006-06-06 00:58:16.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfPreviewImage.cpp	2009-07-29 13:27:39.087038617 -0500
@@ -41,6 +41,7 @@
 
 #include <ImfPreviewImage.h>
 #include "Iex.h"
+#include <limits.h>
 
 namespace Imf {
 
@@ -51,6 +52,9 @@ PreviewImage::PreviewImage (unsigned int
 {
     _width = width;
     _height = height;
+    if (_height && _width > UINT_MAX / _height || _width * _height > UINT_MAX / sizeof(PreviewRgba)) {
+        throw Iex::ArgExc ("Invalid height and width.");
+    }
     _pixels = new PreviewRgba [_width * _height];
 
     if (pixels)
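Review bot: The added overflow guard mixes `&&` and `||` without parentheses, so the reader has to rely on operator precedence to see that the `_height &&` test protects only the first division; compilers commonly warn about this form. Writing it as `if ((_height && _width > UINT_MAX / _height) || _width * _height > UINT_MAX / sizeof (PreviewRgba))` makes the grouping explicit without changing behaviour. A one-line comment such as `// reject dimensions whose pixel count or byte size would wrap before new[]` would also record why the check sits ahead of the allocation. The constructor starts above the hunk and continues below it.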
diff -up openexr-1.6.1/IlmImf/ImfPreviewImage.h.CVE-2009-1720-1 openexr-1.6.1/IlmImf/ImfPreviewImage.h

openexr-1.6.1-CVE-2009-1720-2.patch:
 ImfPizCompressor.cpp |    3 +++
 ImfRleCompressor.cpp |    3 +++
 ImfZipCompressor.cpp |    3 +++
 3 files changed, 9 insertions(+)

--- NEW FILE openexr-1.6.1-CVE-2009-1720-2.patch ---
diff -up openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfPizCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2	2007-09-20 23:17:46.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfPizCompressor.cpp	2009-07-29 13:15:41.883288491 -0500
@@ -181,6 +181,9 @@ PizCompressor::PizCompressor
     _channels (hdr.channels()),
     _channelData (0)
 {
+    if ((unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192)  / (unsigned) numScanLines) {
+        throw InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+    }
     _tmpBuffer = new unsigned short [maxScanLineSize * numScanLines / 2];
     _outBuffer = new char [maxScanLineSize * numScanLines + 65536 + 8192];
 
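Review bot: The new guard divides by `(unsigned) numScanLines` without first ruling out zero, so a zero line count would turn the overflow check itself into a division by zero. Whether any caller can pass zero is not visible here, but the check is cheap to harden: `if (numScanLines <= 0 || (unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192) / (unsigned) numScanLines) {` (the cast suggests the parameter is a signed int, which the hunk does not show). The ZipCompressor hunk further down performs the same division and would need the same guard. The constructor's signature and the rest of its body lie outside the hunk.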
diff -up openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfRleCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2	2006-10-13 22:06:39.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfRleCompressor.cpp	2009-07-29 13:17:39.505037955 -0500
@@ -164,6 +164,9 @@ RleCompressor::RleCompressor (const Head
     _tmpBuffer (0),
     _outBuffer (0)
 {
+    if ((unsigned) maxScanLineSize > INT_MAX / 3) {
+        throw Iex::InputExc ("Error: maxScanLineSize * 3 would overflow.");
+    }
     _tmpBuffer = new char [maxScanLineSize];
     _outBuffer = new char [maxScanLineSize * 3 / 2];
 }
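Review bot: `INT_MAX` is used here, and in the PizCompressor and ZipCompressor hunks of this patch, but none of the three files gains an `#include <limits.h>`, unlike ImfPreviewImage.cpp in the first patch. Unless the header is already included above these hunks, the build depends on it arriving transitively through other headers. Adding `#include <limits.h>` next to each file's existing includes would make the dependency explicit.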
diff -up openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfZipCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2	2006-10-13 22:07:17.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfZipCompressor.cpp	2009-07-29 13:18:25.223038291 -0500
@@ -58,6 +58,9 @@ ZipCompressor::ZipCompressor
     _tmpBuffer (0),
     _outBuffer (0)
 {
+    if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines) {
+        throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+    }
     _tmpBuffer =
 	new char [maxScanLineSize * numScanLines];
 
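Review bot: The bound here is a bare `INT_MAX / (unsigned) numScanLines` with no headroom, whereas the PizCompressor check subtracts the padding that its output buffer adds to the same product. The hunk ends before any `_outBuffer` allocation, so this is inferred rather than visible. If that buffer's size is derived from `maxScanLineSize * numScanLines` plus slack, the limit should be lowered by that slack so the second allocation cannot wrap either. A short comment next to the check stating which allocations it is meant to cover would make the intended bound reviewable.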

openexr-1.6.1-CVE-2009-1721.patch:
 ImfAutoArray.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE openexr-1.6.1-CVE-2009-1721.patch ---
diff -up openexr-1.6.1/IlmImf/ImfAutoArray.h.CVE-2009-1721 openexr-1.6.1/IlmImf/ImfAutoArray.h
--- openexr-1.6.1/IlmImf/ImfAutoArray.h.CVE-2009-1721	2007-04-23 20:26:56.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfAutoArray.h	2009-07-29 13:22:08.309288375 -0500
@@ -57,7 +57,7 @@ namespace Imf {
     {
       public:
 
-	 AutoArray (): _data (new T [size]) {}
+	 AutoArray (): _data (new T [size]) {memset(_data, 0, size * sizeof(T));}
 	~AutoArray () {delete [] _data;}
 
 	operator T * ()			{return _data;}
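Review bot: `memset` over `size * sizeof(T)` bytes is only safe when `T` is a trivial type, and nothing in the visible part of the template restricts `T`; the hunk also adds no `<string.h>` include for the call. Value-initialising the array gives the same zeroing for plain types and stays correct for class types: `AutoArray (): _data (new T [size] ()) {}`. The class template begins above the hunk and continues below it.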


Index: OpenEXR.spec
===================================================================
RCS file: /cvs/pkgs/rpms/OpenEXR/devel/OpenEXR.spec,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -p -r1.28 -r1.29
--- OpenEXR.spec	29 Jul 2009 18:19:19 -0000	1.28
+++ OpenEXR.spec	29 Jul 2009 18:31:47 -0000	1.29
@@ -23,10 +23,9 @@ Patch1: OpenEXR-1.6.1-pkgconfig.patch
 Patch2: openexr-1.6.1-gcc43.patch
 
 ## upstream patches
-Patch100: openexr-1.6.1-CVS-2009-1720-1.patch 
-Patch101: openexr-1.6.1-CVS-2009-1720-2.patch
-Patch102: openexr-CVE-2009-1721-drew-yao-proposed-fix.patch
-
+Patch100: openexr-1.6.1-CVE-2009-1720-1.patch 
+Patch101: openexr-1.6.1-CVE-2009-1720-2.patch
+Patch102: openexr-1.6.1-CVE-2009-1721.patch
 
 BuildRequires:  automake libtool
 BuildRequires:  ilmbase-devel
@@ -69,11 +68,9 @@ Group:   System Environment/Libraries
 %patch1 -p1 -b .pkgconfig
 %patch2 -p1 -b .gcc43
 
-pushd IlmImf
-%patch100 -p2 -b .CVE-2009-1720-1
-%patch101 -p2 -b .CVE-2009-1720-2
-%patch102 -p0 -b .CVE-2009-1721
-popd
+%patch100 -p1 -b .CVE-2009-1720-1
+%patch101 -p1 -b .CVE-2009-1720-2
+%patch102 -p1 -b .CVE-2009-1721
 
 # work to remove rpaths, recheck on new releases
 aclocal -Im4



