openexr/patches/003-openexr-1.6.1-CVE-2009-1720.patch

147N/A--- IlmImf/ImfPxr24Compressor.cpp   2006-08-08 17:22:39.000000000 -0700
147N/A+++ IlmImf/ImfPxr24Compressor.cpp   2011-02-15 10:02:21.249206726 -0800
147N/A@@ -73,6 +73,7 @@
147N/A #include <zlib.h>
147N/A #include <assert.h>
147N/A #include <algorithm>
147N/A+#include <climits>
147N/A
147N/A using namespace std;
147N/A using namespace Imath;
147N/A@@ -187,6 +188,9 @@
147N/A {
147N/A     int maxInBytes = maxScanLineSize * numScanLines;
147N/A
147N/A+    if (static_cast<unsigned int>(maxScanLineSize) > static_cast<unsigned int>(INT_MAX) / static_cast<unsigned int>(numScanLines))
147N/A+   throw Iex::InputExc ("Error: maxScanLineSize * numScanLines overflow!");
147N/A+
147N/A     _tmpBuffer = new unsigned char [maxInBytes];
147N/A     _outBuffer = new char [int (ceil (maxInBytes * 1.01)) + 100];
147N/A
147N/A--- IlmImf/ImfRleCompressor.cpp 2006-10-13 20:06:39.000000000 -0700
147N/A+++ IlmImf/ImfRleCompressor.cpp 2011-02-15 10:04:37.515213450 -0800
147N/A@@ -42,6 +42,7 @@
147N/A
147N/A #include <ImfRleCompressor.h>
147N/A #include "Iex.h"
147N/A+#include <climits>
147N/A
147N/A namespace Imf {
147N/A namespace {
147N/A@@ -164,6 +165,9 @@
147N/A     _tmpBuffer (0),
147N/A     _outBuffer (0)
147N/A {
147N/A+    if (static_cast<unsigned int>(maxScanLineSize) > static_cast<unsigned int>(INT_MAX / 3))
147N/A+   throw Iex::InputExc ("Error: maxScanLineSize * 3 overflow!");
147N/A+
147N/A     _tmpBuffer = new char [maxScanLineSize];
147N/A     _outBuffer = new char [maxScanLineSize * 3 / 2];
147N/A }
147N/A--- IlmImf/ImfZipCompressor.cpp 2006-10-13 20:07:17.000000000 -0700
147N/A+++ IlmImf/ImfZipCompressor.cpp 2011-02-15 10:06:55.097529328 -0800
147N/A@@ -43,6 +43,7 @@
147N/A #include <ImfZipCompressor.h>
147N/A #include "Iex.h"
147N/A #include <zlib.h>
147N/A+#include <climits>
147N/A
147N/A namespace Imf {
147N/A
147N/A@@ -58,6 +59,9 @@
147N/A     _tmpBuffer (0),
147N/A     _outBuffer (0)
147N/A {
147N/A+    if (static_cast<unsigned int>(maxScanLineSize) > static_cast<unsigned int>(INT_MAX) / static_cast<unsigned int>(numScanLines))
147N/A+   throw Iex::InputExc ("Error: maxScanLineSize * numScanLines overflow!");
147N/A+
147N/A     _tmpBuffer =
147N/A    new char [maxScanLineSize * numScanLines];
147N/A
147N/A--- IlmImf/ImfPreviewImage.cpp  2006-06-05 22:58:16.000000000 -0700
147N/A+++ IlmImf/ImfPreviewImage.cpp  2011-02-15 10:10:00.946063574 -0800
147N/A@@ -41,6 +41,7 @@
147N/A
147N/A #include <ImfPreviewImage.h>
147N/A #include "Iex.h"
147N/A+#include <climits>
147N/A
147N/A namespace Imf {
147N/A
147N/A@@ -51,6 +52,10 @@
147N/A {
147N/A     _width = width;
147N/A     _height = height;
147N/A+
147N/A+    if ((_height && (_width > (UINT_MAX / _height))) || ((_width * _height) > (UINT_MAX / sizeof(PreviewRgba))))
147N/A+   throw Iex::ArgExc ("Error: Invalid height and/or width!");
147N/A+
147N/A     _pixels = new PreviewRgba [_width * _height];
147N/A
147N/A     if (pixels)
147N/A--- IlmImf/ImfPizCompressor.cpp 2007-09-20 21:17:46.000000000 -0700
147N/A+++ IlmImf/ImfPizCompressor.cpp 2011-02-15 10:10:24.179648473 -0800
147N/A@@ -53,6 +53,7 @@
147N/A #include <ImfAutoArray.h>
147N/A #include <string.h>
147N/A #include <assert.h>
147N/A+#include <climits>
147N/A
147N/A namespace Imf {
147N/A
147N/A@@ -181,6 +182,9 @@
147N/A     _channels (hdr.channels()),
147N/A     _channelData (0)
147N/A {
147N/A+    if (static_cast<unsigned int>(maxScanLineSize) > static_cast<unsigned int>(INT_MAX - 65536 - 8192) / static_cast<unsigned int>(numScanLines))
147N/A+   throw InputExc ("Error: maxScanLineSize * numScanLines overflow!");
147N/A+
147N/A     _tmpBuffer = new unsigned short [maxScanLineSize * numScanLines / 2];
147N/A     _outBuffer = new char [maxScanLineSize * numScanLines + 65536 + 8192];
147N/A