packages/OpenEXR
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!42 [sync] PR-34: fix CVE-2021-3605

Browse Source 
From: @openeuler-sync-bot
Reviewed-by: @small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-09-06 02:25:08 +00:00 committed by Gitee
commit 564f685300
2 changed files with 32 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
CVE-2021-3605.patch Normal file
View File

@ -0,0 +1,27 @@
From 2a4f6d9ecd0c9ab2dfaf6bdb99ec962aa1ad09e9 Mon Sep 17 00:00:00 2001
From: peterhillman <peterh@wetafx.co.nz>
Date: Fri,4 Jun 2021 11:12:16 +1200
Subject: [PATCH] detect buffer overflow in RleUncompress(#1036)
---
IlmImf/ImfRle.cpp | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/IlmImf/ImfRle.cpp b/IlmImf/ImfRle.cpp
index f6992fa..458f261 100644
--- a/IlmImf/ImfRle.cpp
+++ b/IlmImf/ImfRle.cpp
@@ -145,6 +145,10 @@ rleUncompress (int inLength, int maxLength, const signed char in[], char out[])
if (0 > (maxLength -= count + 1))
return 0;
+ //check the input buffer is big enough to contain
+ //byte to be duplicated
+ if (inLength < 0)
+ return 0;
memset(out, *(char*)in, count+1);
out += count+1;
--
2.27.0

6
OpenEXR.spec
View File

@ -1,7 +1,7 @@
Name: OpenEXR Name: OpenEXR
Summary: A high dynamic-range (HDR) image file format for use in computer imaging applications Summary: A high dynamic-range (HDR) image file format for use in computer imaging applications
Version: 2.2.0 Version: 2.2.0
Release: 22 Release: 23
License: BSD License: BSD
URL: http://www.openexr.com/ URL: http://www.openexr.com/
Source0: http://download.savannah.nongnu.org/releases/openexr/openexr-%{version}.tar.gz Source0: http://download.savannah.nongnu.org/releases/openexr/openexr-%{version}.tar.gz
@ -27,6 +27,7 @@ Patch0017: CVE-2021-3598.patch
Patch0018: CVE-2020-11758-to-CVE-2020-11765.patch Patch0018: CVE-2020-11758-to-CVE-2020-11765.patch
Patch0019: CVE-2020-15305.patch Patch0019: CVE-2020-15305.patch
Patch0020: CVE-2020-15306.patch Patch0020: CVE-2020-15306.patch
Patch0021: CVE-2021-3605.patch
BuildConflicts: %{name}-devel < 2.2.0 BuildConflicts: %{name}-devel < 2.2.0
BuildRequires: gcc-c++ ilmbase-devel >= %{version} zlib-devel pkgconfig BuildRequires: gcc-c++ ilmbase-devel >= %{version} zlib-devel pkgconfig
@ -90,6 +91,9 @@ test "$(pkg-config --modversion OpenEXR)" = "%{version}"
%{_libdir}/pkgconfig/OpenEXR.pc %{_libdir}/pkgconfig/OpenEXR.pc
%changelog %changelog
* Wed Sat 1 2021 liwu<liwu13@huawei.com> - 2.2.0-23
- fix CVE-2021-3605
* Mon Jul 12 2021 yaoxin <yaoxin30@huawei.com> - 2.2.0-22 * Mon Jul 12 2021 yaoxin <yaoxin30@huawei.com> - 2.2.0-22
- fix CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765 CVE-2020-15305 CVE-2020-15306 - fix CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765 CVE-2020-15305 CVE-2020-15306