devel/OpenEXR/openexr-1.6.1-CVE-2009-1720-2.patch

diff -up openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfPizCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2	2007-09-20 23:17:46.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfPizCompressor.cpp	2009-07-29 13:15:41.883288491 -0500
@@ -181,6 +181,9 @@ PizCompressor::PizCompressor
     _channels (hdr.channels()),
     _channelData (0)
 {
+    if ((unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192)  / (unsigned) numScanLines) {
+        throw InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+    }
     _tmpBuffer = new unsigned short [maxScanLineSize * numScanLines / 2];
     _outBuffer = new char [maxScanLineSize * numScanLines + 65536 + 8192];
 
diff -up openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfRleCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2	2006-10-13 22:06:39.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfRleCompressor.cpp	2009-07-29 13:17:39.505037955 -0500
@@ -164,6 +164,9 @@ RleCompressor::RleCompressor (const Head
     _tmpBuffer (0),
     _outBuffer (0)
 {
+    if ((unsigned) maxScanLineSize > INT_MAX / 3) {
+        throw Iex::InputExc ("Error: maxScanLineSize * 3 would overflow.");
+    }
     _tmpBuffer = new char [maxScanLineSize];
     _outBuffer = new char [maxScanLineSize * 3 / 2];
 }
diff -up openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfZipCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2	2006-10-13 22:07:17.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfZipCompressor.cpp	2009-07-29 13:18:25.223038291 -0500
@@ -58,6 +58,9 @@ ZipCompressor::ZipCompressor
     _tmpBuffer (0),
     _outBuffer (0)
 {
+    if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines) {
+        throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+    }
     _tmpBuffer =
 	new char [maxScanLineSize * numScanLines];
 
1	diff -up openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfPizCompressor.cpp
2	--- openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2 2007-09-20 23:17:46.000000000 -0500
3	+++ openexr-1.6.1/IlmImf/ImfPizCompressor.cpp 2009-07-29 13:15:41.883288491 -0500
4	@@ -181,6 +181,9 @@ PizCompressor::PizCompressor
5	_channels (hdr.channels()),
6	_channelData (0)
7	{
8	+ if ((unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192) / (unsigned) numScanLines) {
9	+ throw InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
10	+ }
11	_tmpBuffer = new unsigned short [maxScanLineSize * numScanLines / 2];
12	_outBuffer = new char [maxScanLineSize * numScanLines + 65536 + 8192];
13
14	diff -up openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfRleCompressor.cpp
15	--- openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2 2006-10-13 22:06:39.000000000 -0500
16	+++ openexr-1.6.1/IlmImf/ImfRleCompressor.cpp 2009-07-29 13:17:39.505037955 -0500
17	@@ -164,6 +164,9 @@ RleCompressor::RleCompressor (const Head
18	_tmpBuffer (0),
19	_outBuffer (0)
20	{
21	+ if ((unsigned) maxScanLineSize > INT_MAX / 3) {
22	+ throw Iex::InputExc ("Error: maxScanLineSize * 3 would overflow.");
23	+ }
24	_tmpBuffer = new char [maxScanLineSize];
25	_outBuffer = new char [maxScanLineSize * 3 / 2];
26	}
27	diff -up openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfZipCompressor.cpp
28	--- openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2 2006-10-13 22:07:17.000000000 -0500
29	+++ openexr-1.6.1/IlmImf/ImfZipCompressor.cpp 2009-07-29 13:18:25.223038291 -0500
30	@@ -58,6 +58,9 @@ ZipCompressor::ZipCompressor
31	_tmpBuffer (0),
32	_outBuffer (0)
33	{
34	+ if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines) {
35	+ throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
36	+ }
37	_tmpBuffer =
38	new char [maxScanLineSize * numScanLines];
39
admin@fedoraproject.org	ViewVC Help
Powered by ViewVC 1.1.2