OpenEXR/CVE-2020-15306.patch


From 6a9f8af6e89547bcd370ae3cec2b12849eee0b54 Mon Sep 17 00:00:00 2001
From: peterhillman <peterh@wetafx.co.nz>
Date: Wed, 27 May 2020 13:50:54 +1200
Subject: [PATCH] always ignore chunkCount attribute unless it cannot be
computed (#738)
--- openexr-2.2.1.orig/IlmImf/ImfDeepTiledOutputFile.cpp
+++ openexr-2.2.1/IlmImf/ImfDeepTiledOutputFile.cpp
@@ -1228,7 +1228,7 @@ DeepTiledOutputFile::initialize (const H
_data->numYTiles);
//ignore the existing value of chunkCount - correct it if it's wrong
- _data->header.setChunkCount(getChunkOffsetTableSize(_data->header,true));
+ _data->header.setChunkCount(getChunkOffsetTableSize(_data->header));
_data->maxSampleCountTableSize = _data->tileDesc.ySize *
_data->tileDesc.xSize *
--- openexr-2.2.1.orig/IlmImf/ImfMisc.cpp
+++ openexr-2.2.1/IlmImf/ImfMisc.cpp
@@ -1896,18 +1896,30 @@ int
getTiledChunkOffsetTableSize(const Header& header);
int
-getChunkOffsetTableSize(const Header& header,bool ignore_attribute)
+getChunkOffsetTableSize(const Header& header,bool)
{
- if(!ignore_attribute && header.hasChunkCount())
- {
- return header.chunkCount();
- }
-
+ //
+ // if there is a type in the header which indicates the part is not a currently supported type,
+ // use the chunkCount attribute
+ //
+
+
if(header.hasType() && !isSupportedType(header.type()))
{
- throw IEX_NAMESPACE::ArgExc ("unsupported header type to "
- "get chunk offset table size");
+ if(header.hasChunkCount())
+ {
+ return header.chunkCount();
+ }
+ else
+ {
+ throw IEX_NAMESPACE::ArgExc ("unsupported header type to "
+ "get chunk offset table size");
+ }
}
+
+ //
+ // part is a known type - ignore the header attribute and compute the chunk size from the header
+ //
if (isTiled(header.type()) == false)
return getScanlineChunkOffsetTableSize(header);
else
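Review bot: The unsupported-type branch still returns `header.chunkCount()` straight from the file with no range check, so a part that declares an unknown type keeps the attribute-controlled table size that this patch removes for known types. In the ImfMultiPartInputFile.cpp hunk the result is passed directly to `parts[i]->chunkOffsets.resize(chunkOffsetTableSize)`, where a negative or very large attribute would become an oversized allocation request. Consider rejecting out-of-range values before returning, e.g. `if (header.chunkCount() < 0) throw IEX_NAMESPACE::ArgExc ("invalid chunkCount attribute");`, and bounding the count against the remaining stream size in the reader if that information is available there. The function body continues past the end of this hunk.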
--- openexr-2.2.1.orig/IlmImf/ImfMisc.h
+++ openexr-2.2.1/IlmImf/ImfMisc.h
@@ -452,13 +452,16 @@ bool usesLongNames (const Header &header
//
-// compute size of chunk offset table - if ignore_attribute set to true
-// will compute from the image size and layout, rather than the attribute
-// The default behaviour is to read the attribute
+// compute size of chunk offset table - for existing types, computes
+// the chunk size from the image size, compression type, and tile description
+// (for tiled types). If the type is not supported, uses the chunkCount attribute
+// if present, or throws an exception otherwise
+// deprecated_attribute is no longer used by this function
+//
//
IMF_EXPORT
-int getChunkOffsetTableSize(const Header& header,bool ignore_attribute=false);
+int getChunkOffsetTableSize(const Header& header,bool deprecated_attribute=false);
OPENEXR_IMF_INTERNAL_NAMESPACE_HEADER_EXIT
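Review bot: The new header comment calls the result "the chunk size", but the function returns the size of the chunk offset table, which the callers in this patch pass to `setChunkCount`; the wording should say chunk count or table size. The comment also does not explain why the unused bool stays in the signature; a line such as `// the bool parameter is ignored and kept only so existing callers still compile` would make that explicit. The stray second `//` line before `IMF_EXPORT` can be dropped.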
--- openexr-2.2.1.orig/IlmImf/ImfMultiPartInputFile.cpp
+++ openexr-2.2.1/IlmImf/ImfMultiPartInputFile.cpp
@@ -735,7 +735,7 @@ MultiPartInputFile::Data::readChunkOffse
for (size_t i = 0; i < parts.size(); i++)
{
- int chunkOffsetTableSize = getChunkOffsetTableSize(parts[i]->header,false);
+ int chunkOffsetTableSize = getChunkOffsetTableSize(parts[i]->header);
parts[i]->chunkOffsets.resize(chunkOffsetTableSize);
for (int j = 0; j < chunkOffsetTableSize; j++)
--- openexr-2.2.1.orig/IlmImf/ImfMultiPartOutputFile.cpp
+++ openexr-2.2.1/IlmImf/ImfMultiPartOutputFile.cpp
@@ -145,7 +145,7 @@ MultiPartOutputFile::Data::do_header_san
if (isMultiPart)
{
// multipart files must contain a chunkCount attribute
- _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0],true));
+ _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0]));
for (size_t i = 1; i < parts; i++)
{
@@ -153,7 +153,7 @@ MultiPartOutputFile::Data::do_header_san
throw IEX_NAMESPACE::ArgExc ("Every header in a multipart file should have a type");
- _headers[i].setChunkCount(getChunkOffsetTableSize(_headers[i],true));
+ _headers[i].setChunkCount(getChunkOffsetTableSize(_headers[i]));
_headers[i].sanityCheck (_headers[i].hasTileDescription(), isMultiPart);
@@ -185,7 +185,7 @@ MultiPartOutputFile::Data::do_header_san
if (_headers[0].hasType() && isImage(_headers[0].type()) == false)
{
- _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0],true));
+ _headers[0].setChunkCount(getChunkOffsetTableSize(_headers[0]));
}
}
@@ -494,7 +494,7 @@ MultiPartOutputFile::Data::writeChunkTab
{
for (size_t i = 0; i < parts.size(); i++)
{
- int chunkTableSize = getChunkOffsetTableSize(parts[i]->header,false);
+ int chunkTableSize = getChunkOffsetTableSize(parts[i]->header);
Int64 pos = os->tellp();