OpenEXR v2.5.4 Release Notes
Release Date: 2020-12-31
Patch release with various bug/sanitizer/security fixes, primarily related to reading corrupted input files.
Security vulnerabilities fixed:
- CVE-2021-20296 Segv on unknown address in Imf_2_5::hufUncompress - Null Pointer dereference
- CVE-2021-3479 Out-of-memory in openexr_exrenvmap_fuzzer
- CVE-2021-3478 Out-of-memory in openexr_exrcheck_fuzzer
- CVE-2021-3477 Heap-buffer-overflow in Imf_2_5::DeepTiledInputFile::readPixelSampleCounts
- CVE-2021-3476 Undefined-shift in Imf_2_5::unpack14
- CVE-2021-3475 Integer-overflow in Imf_2_5::calculateNumTiles
- CVE-2021-3474 Undefined-shift in Imf_2_5::FastHufDecoder::FastHufDecoder
Specific OSS-fuzz issues include:
- OSS-fuzz 24854 Segv on unknown address in Imf_2_5::hufUncompress
- OSS-fuzz 24831 Undefined-shift in Imf_2_5::FastHufDecoder::FastHufDecoder
- OSS-fuzz 24969 Invalid-enum-value in Imf_2_5::TypedAttribute::writeValueTo
- OSS-fuzz 25297 Integer-overflow in Imf_2_5::calculateNumTiles
- OSS-fuzz 24787 Undefined-shift in Imf_2_5::unpack14
- OSS-fuzz 25326 Out-of-memory in openexr_scanlines_fuzzer
- OSS-fuzz 25399 Heap-buffer-overflow in Imf_2_5::FastHufDecoder::FastHufDecoder
- OSS-fuzz 25415 Abrt in __cxxabiv1::failed_throw
- OSS-fuzz 25370 Out-of-memory in openexr_exrenvmap_fuzzer
- OSS-fuzz 25501 Out-of-memory in openexr_scanlines_fuzzer
- OSS-fuzz 25505 Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
- OSS-fuzz 25562 Integer-overflow in Imf_2_5::hufUncompress
- OSS-fuzz 25740 Null-dereference READ in Imf_2_5::Header::operator
- OSS-fuzz 25743 Null-dereference in Imf_2_5::MultiPartInputFile::header
- OSS-fuzz 25913 Out-of-memory in openexr_exrenvmap_fuzzer
- OSS-fuzz 26229 Undefined-shift in Imf_2_5::hufDecode
- OSS-fuzz 26658 Out-of-memory in openexr_scanlines_fuzzer
- OSS-fuzz 26956 Heap-buffer-overflow in Imf_2_5::DeepTiledInputFile::readPixelSampleCounts
- OSS-fuzz 27409 Out-of-memory in openexr_exrcheck_fuzzer
- OSS-fuzz 25892 Divide-by-zero in Imf_2_5::calculateNumTiles
- OSS-fuzz 25894 Floating-point-exception in Imf_2_5::precalculateTileInfo
Merged Pull Requests
- 817 double-check unpackedBuffer created in DWA uncompress (OSS-fuzz 24854)
- 818 compute Huf codelengths using 64 bit to prevent shift overflow (OSS-fuzz 24831)
- 820 suppress sanitizer warnings when writing invalid enums (OSS-fuzz 24969)
- 825 Avoid overflow in calculateNumTiles when size=MAX_INT (OSS-fuzz 25297)
- 826 restrict maximum tile size to INT_MAX byte limit (OSS-fuzz 25297)
- 832 ignore unused bits in B44 mode detection (OSS-fuzz 24787)
- 827 lighter weight reading of Luma-only images via RgbaInputFile (OSS-fuzz 25326)
- 829 fix buffer overflow check in PIZ decompression (OSS-fuzz 25399, OSS-fuzz 25415)
- 830 refactor channel filling in InputFile API with tiled source (OSS-fuzz 25370, OSS-fuzz 25501)
- 831 Use Int64 in dataWindowForTile to prevent integer overflow (OSS-fuzz 25505)
- 836 prevent overflow in hufUncompress if nBits is large (OSS-fuzz 25562)
- 840 add sanity check for reading multipart files with no parts (OSS-fuzz 25740, OSS-fuzz 25743)
- 841 more elegant exception handling in exrmaketiled (ZhiWei Sun from Topsec Alpha Lab)
- 843 reduce B44 _tmpBufferSize (was allocating two bytes per byte) (OSS-fuzz 25913)
- 844 check EXRAllocAligned succeeded to allocate ScanlineInputFile lineBuffers (ZhiWei Sun from Topsec Alpha Lab)
- 845 test channels are DCT compressed before DWA decompression (ZhiWei Sun from Topsec Alpha Lab)
- 849 check for valid Huf code lengths (OSS-fuzz 26229)
- 860 check 1 part files with 'nonimage' bit have type attribute (OSS-fuzz 26658)
- 861 Fix overflow computing deeptile sample table size (OSS-fuzz 26956)
- 863 re-order shift/compare in FastHuf to prevent undefined shift overflow (OSS-fuzz 27409)
- Also, partial fixes from 842 which do not change the ABI: (OSS-fuzz 25892, OSS-fuzz 25894)
Commits [git log v2.5.3...v2.5.4]
- 0c2b46f6 Cherry-pick PRs from master branch which fix issues reported by fuzz tests (#875) (peterhillman 2020-12-31)