rpms/OpenEXR/EL-5 openexr-1.4.0-CVE-2009-1722.patch, NONE, 1.1 openexr-1.4.0-gcc43.patch, NONE, 1.1 openexr-1.6.1-CVE-2009-1720-1.patch, NONE, 1.1 openexr-1.6.1-CVE-2009-1720-2.patch, NONE, 1.1 openexr-1.6.1-CVE-2009-1721.patch, NONE, 1.1 OpenEXR.spec, 1.13, 1.14

Rex Dieter rdieter at fedoraproject.org
Thu Jul 30 19:14:40 UTC 2009


Author: rdieter

Update of /cvs/pkgs/rpms/OpenEXR/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1573

Modified Files:
	OpenEXR.spec 
Added Files:
	openexr-1.4.0-CVE-2009-1722.patch openexr-1.4.0-gcc43.patch 
	openexr-1.6.1-CVE-2009-1720-1.patch 
	openexr-1.6.1-CVE-2009-1720-2.patch 
	openexr-1.6.1-CVE-2009-1721.patch 
Log Message:
* Thu Jul 30 2009 Rex Dieter <rdieter at fedoraproject.org> 1.4.0a-5
- CVE-2009-1720 OpenEXR: Multiple integer overflows (#513995)
- CVE-2009-1721 OpenEXR: Invalid pointer free by image decompression (#514003)
- CVE-2009-1722 OpenEXR: Integer overflow in decompression of range of values
  in the pixel data (#514016)


openexr-1.4.0-CVE-2009-1722.patch:
 ImfHeader.cpp        |   73 ++++++++++++++++++++++++++++++++++++++++++++++++---
 ImfHeader.h          |   20 +++++++++++++
 ImfPizCompressor.cpp |    7 ++++
 3 files changed, 96 insertions(+), 4 deletions(-)

--- NEW FILE openexr-1.4.0-CVE-2009-1722.patch ---
diff -up openexr-1.4.0/IlmImf/ImfHeader.cpp.CVE-2009-1722 openexr-1.4.0/IlmImf/ImfHeader.cpp
--- openexr-1.4.0/IlmImf/ImfHeader.cpp.CVE-2009-1722	2006-06-04 21:04:52.000000000 -0500
+++ openexr-1.4.0/IlmImf/ImfHeader.cpp	2009-07-30 14:01:07.213632289 -0500
@@ -80,6 +80,12 @@ using IlmThread::Lock;
 
 namespace {
 
+int maxImageWidth = 0;
+int maxImageHeight = 0;
+int maxTileWidth = 0;
+int maxTileHeight = 0;
+
+
 void
 initialize (Header &header,
 	    const Box2i &displayWindow,
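Review bot: The four limits added to the anonymous namespace are plain `int`s that the new setters write and `Header::sanityCheck` reads with no lock or atomic, so changing a limit while another thread is opening a file is a data race. Nothing in the hunk says when they may be changed; I would add a comment above them such as `// Process-wide limits, 0 = unlimited; set once at startup, before other threads open files.` Because they default to 0, the size caps are opt-in: an application that never calls the setters still accepts any data window that passes the INT_MAX / 2 corner test. `initialize` continues outside the hunk.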
@@ -514,21 +520,50 @@ void		
 Header::sanityCheck (bool isTiled) const
 {
     //
-    // The display window and the data window
-    // must contain at least one pixel each.
+    // The display window and the data window must each
+    // contain at least one pixel.  In addition, the
+    // coordinates of the window corners must be small
+    // enough to keep expressions like max-min+1 or
+    // max+min from overflowing.
     //
 
     const Box2i &displayWindow = this->displayWindow();
 
     if (displayWindow.min.x > displayWindow.max.x ||
-	displayWindow.min.y > displayWindow.max.y)
+	displayWindow.min.y > displayWindow.max.y ||
+	displayWindow.min.x <= -(INT_MAX / 2) ||
+	displayWindow.min.y <= -(INT_MAX / 2) ||
+	displayWindow.max.x >=  (INT_MAX / 2) ||
+	displayWindow.max.y >=  (INT_MAX / 2))
+    {
 	throw Iex::ArgExc ("Invalid display window in image header.");
+    }
 
     const Box2i &dataWindow = this->dataWindow();
 
     if (dataWindow.min.x > dataWindow.max.x ||
-	dataWindow.min.y > dataWindow.max.y)
+	dataWindow.min.y > dataWindow.max.y ||
+	dataWindow.min.x <= -(INT_MAX / 2) ||
+	dataWindow.min.y <= -(INT_MAX / 2) ||
+	dataWindow.max.x >=  (INT_MAX / 2) ||
+	dataWindow.max.y >=  (INT_MAX / 2))
+    {
 	throw Iex::ArgExc ("Invalid data window in image header.");
+    }
+
+    if (maxImageWidth > 0 &&
+	maxImageWidth < dataWindow.max.x - dataWindow.min.x + 1)
+    {
+	THROW (Iex::ArgExc, "The width of the data window exceeds the "
+			    "maximum width of " << maxImageWidth << "pixels.");
+    }
+
+    if (maxImageHeight > 0 &&
+	maxImageHeight < dataWindow.max.y - dataWindow.min.y + 1)
+    {
+	THROW (Iex::ArgExc, "The width of the data window exceeds the "
+			    "maximum width of " << maxImageHeight << "pixels.");
+    }
 
     //
     // The pixel aspect ratio must be greater than 0.
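Review bot: The height check in `sanityCheck` reuses the width message, so a too-tall data window is reported as a width problem; it should read `"The height of the data window exceeds the maximum height of " << maxImageHeight << " pixels."`. Both new messages here also lack a space before `pixels`, so the number and the word run together in the output. The same two slips are in the tile-size hunk further down, where the `maxTileHeight` branch also says width. The new comparisons use `INT_MAX` and this hunk adds no `<limits.h>` include, so confirm the file already has one rather than relying on a transitive include. `sanityCheck` continues past the end of the hunk.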
@@ -587,6 +622,20 @@ Header::sanityCheck (bool isTiled) const
 	if (tileDesc.xSize <= 0 || tileDesc.ySize <= 0)
 	    throw Iex::ArgExc ("Invalid tile size in image header.");
 
+	if (maxTileWidth > 0 &&
+	    maxTileWidth < tileDesc.xSize)
+	{
+	    THROW (Iex::ArgExc, "The width of the tiles exceeds the maximum "
+				"width of " << maxTileWidth << "pixels.");
+	}
+
+	if (maxTileHeight > 0 &&
+	    maxTileHeight < tileDesc.ySize)
+	{
+	    THROW (Iex::ArgExc, "The width of the tiles exceeds the maximum "
+				"width of " << maxTileHeight << "pixels.");
+	}
+
 	if (tileDesc.mode != ONE_LEVEL &&
 	    tileDesc.mode != MIPMAP_LEVELS &&
 	    tileDesc.mode != RIPMAP_LEVELS)
@@ -725,6 +774,22 @@ Header::sanityCheck (bool isTiled) const
 }
 
 
+void		
+Header::setMaxImageSize (int maxWidth, int maxHeight)
+{
+    maxImageWidth = maxWidth;
+    maxImageHeight = maxHeight;
+}
+
+
+void		
+Header::setMaxTileSize (int maxWidth, int maxHeight)
+{
+    maxTileWidth = maxWidth;
+    maxTileHeight = maxHeight;
+}
+
+
 Int64
 Header::writeTo (OStream &os, bool isTiled) const
 {
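Review bot: `setMaxImageSize` and `setMaxTileSize` store whatever they are given, and since `sanityCheck` applies a limit only when it is `> 0`, a negative argument (for example from an overflowed computation in the caller) silently turns the cap off. Rejecting it is a small change at the top of each setter, e.g. `if (maxWidth < 0 || maxHeight < 0) throw Iex::ArgExc ("Maximum size must not be negative.");`. If negative-means-unlimited is intended, the comment in ImfHeader.h should say so, since it currently documents only zero.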
diff -up openexr-1.4.0/IlmImf/ImfHeader.h.CVE-2009-1722 openexr-1.4.0/IlmImf/ImfHeader.h
--- openexr-1.4.0/IlmImf/ImfHeader.h.CVE-2009-1722	2006-06-04 21:04:52.000000000 -0500
+++ openexr-1.4.0/IlmImf/ImfHeader.h	2009-07-30 14:01:07.213632289 -0500
@@ -299,6 +299,26 @@ class Header
     void			sanityCheck (bool isTiled = false) const;
 
 
+    //----------------------------------------------------------------
+    // Maximum image size and maximim tile size:
+    //
+    // sanityCheck() will throw an exception if the width or height of
+    // the data window exceeds the maximum image width or height, or
+    // if the size of a tile exceeds the maximum tile width or height.
+    // 
+    // At program startup the maximum image and tile width and height
+    // are set to zero, meaning that width and height are unlimited.
+    //
+    // Limiting image and tile width and height limits how much memory
+    // will be allocated when a file is opened.  This can help protect
+    // applications from running out of memory while trying to read
+    // a damaged image file.
+    //----------------------------------------------------------------
+
+    static void			setMaxImageSize (int maxWidth, int maxHeight);
+    static void			setMaxTileSize (int maxWidth, int maxHeight);
+
+
     //------------------------------------------------------------------
     // Input and output:
     //
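Review bot: `maximim` in the section heading is a typo for `maximum`. The comment also does not say that the limits are static, so one call changes the cap for every `Header` in the process, nor which unit is meant; I would add a line such as `// The limits are in pixels and apply process-wide to all Header objects.`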
diff -up openexr-1.4.0/IlmImf/ImfPizCompressor.cpp.CVE-2009-1722 openexr-1.4.0/IlmImf/ImfPizCompressor.cpp
--- openexr-1.4.0/IlmImf/ImfPizCompressor.cpp.CVE-2009-1722	2009-07-30 14:01:07.205616394 -0500
+++ openexr-1.4.0/IlmImf/ImfPizCompressor.cpp	2009-07-30 14:01:07.214632487 -0500
@@ -60,6 +60,7 @@ using Imath::divp;
 using Imath::modp;
 using Imath::Box2i;
 using Imath::V2i;
+using Iex::InputExc;
 
 namespace {
 
@@ -556,6 +557,12 @@ PizCompressor::uncompress (const char *i
     Xdr::read <CharPtrIO> (inPtr, minNonZero);
     Xdr::read <CharPtrIO> (inPtr, maxNonZero);
 
+    if (maxNonZero >= BITMAP_SIZE)
+    {
+	throw InputExc ("Error in header for PIZ-compressed data "
+			"(invalid bitmap size).");
+    }
+
     if (minNonZero <= maxNonZero)
     {
 	Xdr::read <CharPtrIO> (inPtr, (char *) &bitmap[0] + minNonZero,
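Review bot: The new guard bounds only `maxNonZero`; `minNonZero` is kept inside `bitmap` only indirectly, by the `minNonZero <= maxNonZero` test that follows, and that holds only if both variables are unsigned, which their declarations outside the hunk would have to confirm. A one-line comment above the guard would make the reasoning explicit, e.g. `// Together with min <= max below, this also bounds minNonZero and the read length.` The read that starts on the last line takes its extent from these two file-supplied values; whether enough compressed input remains for it is not checked in the visible lines. `uncompress` starts and ends outside the hunk.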

openexr-1.4.0-gcc43.patch:
 exrenvmap/main.cpp    |    3 ++-
 exrmaketiled/main.cpp |    2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

--- NEW FILE openexr-1.4.0-gcc43.patch ---
diff -up openexr-1.4.0/exrenvmap/main.cpp.gcc43 openexr-1.4.0/exrenvmap/main.cpp
--- openexr-1.4.0/exrenvmap/main.cpp.gcc43	2004-03-22 22:23:39.000000000 -0600
+++ openexr-1.4.0/exrenvmap/main.cpp	2009-07-30 14:08:20.174867457 -0500
@@ -42,9 +42,10 @@
 #include <makeCubeMap.h>
 #include <makeLatLongMap.h>
 #include <ImfEnvmap.h>
+#include <cstring>
 #include <iostream>
 #include <exception>
-#include <stdlib.h>
+#include <cstdlib>
 
 using namespace Imf;
 using namespace std;
diff -up openexr-1.4.0/exrmaketiled/main.cpp.gcc43 openexr-1.4.0/exrmaketiled/main.cpp
--- openexr-1.4.0/exrmaketiled/main.cpp.gcc43	2004-12-06 19:49:33.000000000 -0600
+++ openexr-1.4.0/exrmaketiled/main.cpp	2009-07-30 14:07:38.338618026 -0500
@@ -44,7 +44,7 @@
 
 #include <iostream>
 #include <exception>
-#include <string>
+#include <cstring>
 #include <stdlib.h>
 
 using namespace Imf;
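Review bot: This hunk replaces `#include <string>` with `<cstring>` instead of adding to it, so any use of `std::string` in exrmaketiled/main.cpp (not visible here) would now depend on another header pulling `<string>` in. Keeping both lines is safer: `#include <cstring>` followed by `#include <string>`. The exrenvmap hunk also switches `<stdlib.h>` to `<cstdlib>` while this file keeps `<stdlib.h>`; either works, but the two tools could be made consistent.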

openexr-1.6.1-CVE-2009-1720-1.patch:
 ImfPreviewImage.cpp |    4 ++++
 1 file changed, 4 insertions(+)

--- NEW FILE openexr-1.6.1-CVE-2009-1720-1.patch ---
diff -up openexr-1.6.1/IlmImf/ImfPreviewImage.cpp.CVE-2009-1720-1 openexr-1.6.1/IlmImf/ImfPreviewImage.cpp
--- openexr-1.6.1/IlmImf/ImfPreviewImage.cpp.CVE-2009-1720-1	2006-06-06 00:58:16.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfPreviewImage.cpp	2009-07-29 13:27:39.087038617 -0500
@@ -41,6 +41,7 @@
 
 #include <ImfPreviewImage.h>
 #include "Iex.h"
+#include <limits.h>
 
 namespace Imf {
 
@@ -51,6 +52,9 @@ PreviewImage::PreviewImage (unsigned int
 {
     _width = width;
     _height = height;
+    if (_height && _width > UINT_MAX / _height || _width * _height > UINT_MAX / sizeof(PreviewRgba)) {
+        throw Iex::ArgExc ("Invalid height and width.");
+    }
     _pixels = new PreviewRgba [_width * _height];
 
     if (pixels)
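Review bot: The overflow guard mixes `&&` and `||` without parentheses; precedence gives the intended grouping, but it is easy to misread and GCC's `-Wparentheses` warns on it. I would write `if ((_height && _width > UINT_MAX / _height) || _width * _height > UINT_MAX / sizeof (PreviewRgba))`. A short comment that the first test protects the multiplication in the second would help, because the product is only meaningful once the first test has come out false. The constructor starts and continues outside the hunk.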
diff -up openexr-1.6.1/IlmImf/ImfPreviewImage.h.CVE-2009-1720-1 openexr-1.6.1/IlmImf/ImfPreviewImage.h

openexr-1.6.1-CVE-2009-1720-2.patch:
 ImfPizCompressor.cpp |    3 +++
 ImfRleCompressor.cpp |    3 +++
 ImfZipCompressor.cpp |    3 +++
 3 files changed, 9 insertions(+)

--- NEW FILE openexr-1.6.1-CVE-2009-1720-2.patch ---
diff -up openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfPizCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2	2007-09-20 23:17:46.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfPizCompressor.cpp	2009-07-29 13:15:41.883288491 -0500
@@ -181,6 +181,9 @@ PizCompressor::PizCompressor
     _channels (hdr.channels()),
     _channelData (0)
 {
+    if ((unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192)  / (unsigned) numScanLines) {
+        throw InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+    }
     _tmpBuffer = new unsigned short [maxScanLineSize * numScanLines / 2];
     _outBuffer = new char [maxScanLineSize * numScanLines + 65536 + 8192];
 
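Review bot: The guard throws an unqualified `InputExc`, while the RLE and ZIP hunks of this patch use `Iex::InputExc`; in this package the name appears to resolve only because openexr-1.4.0-CVE-2009-1722.patch adds `using Iex::InputExc;` to the same file, so the patch does not stand alone. Writing `throw Iex::InputExc (...)` here removes that dependency. The divisor `(unsigned) numScanLines` is not checked for zero, here and in the ZipCompressor hunk; the callers are outside the hunk, so if zero can ever be passed, put `numScanLines <= 0 ||` in front of the comparison. `INT_MAX` is used without a `<limits.h>` include being added in any of the three files this patch touches.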
diff -up openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfRleCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2	2006-10-13 22:06:39.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfRleCompressor.cpp	2009-07-29 13:17:39.505037955 -0500
@@ -164,6 +164,9 @@ RleCompressor::RleCompressor (const Head
     _tmpBuffer (0),
     _outBuffer (0)
 {
+    if ((unsigned) maxScanLineSize > INT_MAX / 3) {
+        throw Iex::InputExc ("Error: maxScanLineSize * 3 would overflow.");
+    }
     _tmpBuffer = new char [maxScanLineSize];
     _outBuffer = new char [maxScanLineSize * 3 / 2];
 }
diff -up openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfZipCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2	2006-10-13 22:07:17.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfZipCompressor.cpp	2009-07-29 13:18:25.223038291 -0500
@@ -58,6 +58,9 @@ ZipCompressor::ZipCompressor
     _tmpBuffer (0),
     _outBuffer (0)
 {
+    if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines) {
+        throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+    }
     _tmpBuffer =
 	new char [maxScanLineSize * numScanLines];
 
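Review bot: The bound in the ZipCompressor guard is exactly `INT_MAX / numScanLines`, with no headroom, whereas the PIZ guard subtracts the `65536 + 8192` that its output buffer adds. `_outBuffer` is still 0 at this point and its allocation is below the hunk; if that size is the product plus a margin or a scale factor, the guard needs the same margin taken off, or that later expression can still overflow. A comment next to the check naming every allocation it is meant to cover would make this easy to verify.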

openexr-1.6.1-CVE-2009-1721.patch:
 ImfAutoArray.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE openexr-1.6.1-CVE-2009-1721.patch ---
diff -up openexr-1.6.1/IlmImf/ImfAutoArray.h.CVE-2009-1721 openexr-1.6.1/IlmImf/ImfAutoArray.h
--- openexr-1.6.1/IlmImf/ImfAutoArray.h.CVE-2009-1721	2007-04-23 20:26:56.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfAutoArray.h	2009-07-29 13:22:08.309288375 -0500
@@ -57,7 +57,7 @@ namespace Imf {
     {
       public:
 
-	 AutoArray (): _data (new T [size]) {}
+	 AutoArray (): _data (new T [size]) {memset(_data, 0, size * sizeof(T));}
 	~AutoArray () {delete [] _data;}
 
 	operator T * ()			{return _data;}
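Review bot: `memset` over a freshly constructed `T [size]` is only well-defined when `T` is trivially copyable; `AutoArray` appears to be a template over `T`, so for a class type with a constructor this would overwrite live objects. Value-initialising the array does the same job for pointers and scalars and stays correct for other types: `AutoArray (): _data (new T [size] ()) {}`. The hunk also adds no `<string.h>` include for `memset`, so the header would rely on its includer providing one. A comment saying why the zeroing matters (presumably so that cleanup never frees an uninitialised pointer, going by the CVE-2009-1721 title in the log message) would help the next reader.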


Index: OpenEXR.spec
===================================================================
RCS file: /cvs/pkgs/rpms/OpenEXR/EL-5/OpenEXR.spec,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -p -r1.13 -r1.14
--- OpenEXR.spec	12 Jun 2007 03:09:34 -0000	1.13
+++ OpenEXR.spec	30 Jul 2009 19:14:40 -0000	1.14
@@ -4,7 +4,7 @@
 
 Name:	 OpenEXR
 Version: %{ver}%{?beta} 
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: A high dynamic-range (HDR) image file format
 
 Group:	 System Environment/Libraries
@@ -20,6 +20,13 @@ Provides:  openexr = %{version}-%{releas
 Patch1: openexr-1.4.0-no_undefined.patch
 # Use Libs.private
 Patch2: openexr-1.4.0-pkgconfig.patch
+Patch3: openexr-1.4.0-gcc43.patch
+
+## upstream patches
+Patch100: openexr-1.6.1-CVE-2009-1720-1.patch
+Patch101: openexr-1.6.1-CVE-2009-1720-2.patch
+Patch102: openexr-1.6.1-CVE-2009-1721.patch
+Patch103: openexr-1.4.0-CVE-2009-1722.patch
 
 BuildRequires:  fltk-devel >= 1.1
 BuildRequires:  zlib-devel
@@ -46,6 +53,12 @@ Requires: pkgconfig
 
 %patch1 -p1 -b .no_undefined
 %patch2 -p1 -b .pkgconfig
+%patch3 -p1 -b .gcc43
+
+%patch100 -p1 -b .CVE-2009-1720-1
+%patch101 -p1 -b .CVE-2009-1720-2
+%patch102 -p1 -b .CVE-2009-1721
+%patch103 -p1 -b .CVE-2009-1722
 
 # for patch1
 ./bootstrap
@@ -89,18 +102,29 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root,-)
 %doc AUTHORS ChangeLog LICENSE NEWS README
 %{_bindir}/*
-%{_libdir}/lib*.so.*
+%{_libdir}/libHalf.so.4*
+%{_libdir}/libIex.so.4*
+%{_libdir}/libIlmImf.so.4*
+%{_libdir}/libIlmThread.so.4*
+%{_libdir}/libImath.so.4*
 
 %files devel
 %defattr(-,root,root,-)
-%doc rpmdocs/examples 
-%{_datadir}/aclocal/*
+#omit for now, they're mostly useless, and include multilib conflicts (#342781)
+#doc rpmdocs/examples
+%{_datadir}/aclocal/openexr.m4
 %{_includedir}/OpenEXR/
 %{_libdir}/lib*.so
-%{_libdir}/pkgconfig/*
+%{_libdir}/pkgconfig/OpenEXR.pc
 
 
 %changelog
+* Thu Jul 30 2009 Rex Dieter <rdieter at fedoraproject.org> 1.4.0a-5
+- CVE-2009-1720 OpenEXR: Multiple integer overflows (#513995)
+- CVE-2009-1721 OpenEXR: Invalid pointer free by image decompression (#514003)
+- CVE-2009-1722 OpenEXR: Integer overflow in decompression of range of values
+  in the pixel data (#514016)
+
 * Sat Oct 28 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.4.0a-4
 - Obsoletes/Provides: openexr(-devel) (rpmforge compatibility)
 



