enforce xSampling/ySampling==1 in CompositeDeepScanLine #1209
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
meshula
approved these changes
Nov 29, 2021
|
CVE-2021-45942 is assigned to this. Can you release a new version of OpenEXR (3.1.4)? |
|
3.1.4 is in the works, out shortly. |
cary-ilm
pushed a commit
to cary-ilm/openexr
that referenced
this pull request
Jan 19, 2022
…areFoundation#1209) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
cary-ilm
pushed a commit
that referenced
this pull request
Jan 23, 2022
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Feb 2, 2022
## Version 3.1.4 (January 26, 2022) Patch release that addresses various issues: * Several bug fixes to properly reject invalid input upon read * A check to enable SSE2 when building with Visual Studio * A check to fix building with VisualStudio on ARM64 * Update the automatically-downloaded version of Imath to v3.1.4 * Miscellaneous documentation improvements This addresses one public security vulnerability: * [CVE-2021-45942](https://nvd.nist.gov/vuln/detail/CVE-2021-45942) Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute Specific OSS-fuzz issues: * OSS-fuzz [43961](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43961) Heap-buffer-overflow in generic_unpack * OSS-fuzz [43916](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43916) Heap-buffer-overflow in hufDecode * OSS-fuzz [43763](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43763) Heap-buffer-overflow in internal_huf_decompress * OSS-fuzz [43745](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43745) Floating-point-exception in internal_exr_compute_tile_information * OSS-fuzz [43744](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43744) Divide-by-zero in internal_exr_compute_tile_information * OSS-fuzz [42197](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42197) Out-of-memory in openexr_exrcheck_fuzzer * OSS-fuzz [42001](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42001) Timeout in openexr_exrcheck_fuzzer * OSS-fuzz [41999](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41999) Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute * OSS-fuzz [41669](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41669) Integer-overflow in Imf_3_1::rleUncompress * OSS-fuzz [41625](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41625) Heap-buffer-overflow in uncompress_b44_impl * OSS-fuzz [41416](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416) Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute * OSS-fuzz [41075](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41075) Integer-overflow in Imf_3_1::copyIntoDeepFrameBuffer * OSS-fuzz [40704](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40704) Crash in Imf_3_1::DeepTiledInputFile::readPixelSampleCounts * OSS-fuzz [40702](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40702) Null-dereference in bool Imf_3_1::readDeepTile<Imf_3_1::DeepTiledInputFile> * OSS-fuzz [40701](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40701) Null-dereference in bool Imf_3_1::readDeepTile<Imf_3_1::DeepTiledInputPart> * OSS-fuzz [40423](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40423) Out-of-memory in openexr_exrcheck_fuzzer * OSS-fuzz [40234](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40234) Heap-buffer-overflow in generic_unpack * OSS-fuzz [40231](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40231) Heap-buffer-overflow in hufDecode * OSS-fuzz [40091](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40091) Heap-buffer-overflow in hufDecode Merged Pull Requests: * [1225](AcademySoftwareFoundation/openexr#1225) Bazel build: Update Imath * [1224](AcademySoftwareFoundation/openexr#1224) Add error check to prevent corrupt files trying to unpack * [1223](AcademySoftwareFoundation/openexr#1223) Fix issues with a a "short" huf table and checking boundary conditions, missing return value * [1222](AcademySoftwareFoundation/openexr#1222) Fix OSS Fuzz 43763, 43745 * [1218](AcademySoftwareFoundation/openexr#1218) OSS-Fuzz pass 15jan2022 * [1217](AcademySoftwareFoundation/openexr#1217) Added missing check _M_IX86 or _M_X64 when using __lzcnt. * [1216](AcademySoftwareFoundation/openexr#1216) Corrected the check to enable SSE2 when building with Visual Studio. * [1214](AcademySoftwareFoundation/openexr#1214) prevent overflow in allocation of RLE buufer * [1213](AcademySoftwareFoundation/openexr#1213) add check for decompressed deepscanline datasize * [1209](AcademySoftwareFoundation/openexr#1209) enforce xSampling/ySampling==1 in CompositeDeepScanLine * [1208](AcademySoftwareFoundation/openexr#1208) Reduce memory consumption with very large deepscanline images * [1206](AcademySoftwareFoundation/openexr#1206) Update INSTALL.md * [1205](AcademySoftwareFoundation/openexr#1205) DeepScanlineInputFile now uses chunk size test from DeepTiledInputFile * [1200](AcademySoftwareFoundation/openexr#1200) Corrected Deep Docs & Example Code * [1199](AcademySoftwareFoundation/openexr#1199) Fix C++ DeepTile reading in Imf::CheckFile * [1195](AcademySoftwareFoundation/openexr#1195) Fix bugs in ImfCheckFile.cpp:readDeepTile() * [1193](AcademySoftwareFoundation/openexr#1193) mention multipart files in multiview doc * [1191](AcademySoftwareFoundation/openexr#1191) Replace Doxygen/Sphinx targets with "docs" * [1190](AcademySoftwareFoundation/openexr#1190) Add Compression section to "Reading and Writing Image Files" doc * [1189](AcademySoftwareFoundation/openexr#1189) Fix typo in readthedocs url
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416
OpenEXR API generally enforces that FrameBuffer xSampling and ySampling match whatever is in the file. For deep scanline and tile images, xSampling and ySampling must be 1, so the FrameBuffer passed to CompositeDeepScanLine::setFrameBuffer should also enforce that
The test file in this case is a deep file with "Y" and "BY" channels, both with sampling 1, so RgbaInputFile API composites the deep data to a regular scanline image, then attempts a FromYCA conversion, which requires "BY" and "RY" have sampling set to 2. Although OpenEXR doesn't support chroma-subsampled deep files, it does support luma-only deepscanline files with a "Y" channel, and those should be readable using the RgbaInputFile API into an Rgba pixel.
Signed-off-by: Peter Hillman peterh@wetafx.co.nz