From e7c26f6ef5bf7ae8ea21ecf19963186cd1391720 Mon Sep 17 00:00:00 2001 From: Peter Hillman <peterh@wetafx.co.nz> Date: Wed, 22 Jan 2020 17:31:22 +1300 Subject: [PATCH 12/23] abort when file claims to have excessive scanline data requirements Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> --- OpenEXR/IlmImf/ImfMisc.cpp | 6 +++--- OpenEXR/IlmImf/ImfScanLineInputFile.cpp | 8 ++++++++ 2 files changed, 11 insertions(+), 3 deletions(-) --- a/IlmImf/ImfMisc.cpp +++ b/IlmImf/ImfMisc.cpp @@ -114,9 +114,9 @@ bytesPerLineTable (const Header &header, c != channels.end(); ++c) { - int nBytes = pixelTypeSize (c.channel().type) * - (dataWindow.max.x - dataWindow.min.x + 1) / - c.channel().xSampling; + size_t nBytes = size_t(pixelTypeSize (c.channel().type)) * + size_t(dataWindow.max.x - dataWindow.min.x + 1) / + size_t(c.channel().xSampling); for (int y = dataWindow.min.y, i = 0; y <= dataWindow.max.y; ++y, ++i) if (modp (y, c.channel().ySampling) == 0) --- a/IlmImf/ImfScanLineInputFile.cpp +++ b/IlmImf/ImfScanLineInputFile.cpp @@ -1113,6 +1113,12 @@ void ScanLineInputFile::initialize(const size_t maxBytesPerLine = bytesPerLineTable (_data->header, _data->bytesPerLine); + + if(maxBytesPerLine > INT_MAX) + { + throw IEX_NAMESPACE::InputExc("maximum bytes per scanline exceeds maximum permissible size"); + } + for (size_t i = 0; i < _data->lineBuffers.size(); i++) { @@ -1147,6 +1153,8 @@ void ScanLineInputFile::initialize(const } catch (...) { + if (_data->partNumber == -1) + delete _streamData; delete _data; _data=NULL; throw;
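Review bot: In the `bytesPerLineTable` hunk of ImfMisc.cpp, the width `dataWindow.max.x - dataWindow.min.x + 1` is still evaluated in `int` and only its result is converted, so a header whose data window spans more than INT_MAX columns overflows (undefined behaviour) before the `size_t` cast can help. Widening the operands first keeps the subtraction out of `int` arithmetic, for example `size_t (static_cast<long long> (dataWindow.max.x) - dataWindow.min.x + 1)`. The new `size_t (c.channel().xSampling)` cast also turns a zero sampling value into a division by zero and a negative one into a huge divisor; if the header is validated before this point (not visible here), a comment naming where would help. The loop body continues past the end of the hunk.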
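Review bot: The new guard in the first ImfScanLineInputFile.cpp hunk compares a `size_t` with `INT_MAX` and gives no reason for that ceiling; a comment such as `// sizes derived from maxBytesPerLine are stored in int below; reject larger values` (to be confirmed against the code after the hunk) would tell the next reader why the limit is INT_MAX. Writing the test as `if (maxBytesPerLine > size_t (INT_MAX))` avoids a sign-conversion warning, and `INT_MAX` needs `<climits>`, which this patch does not add and which may or may not already be included. The check only prevents truncation: a header can still request close to 2 GiB per line buffer, so memory use for untrusted files has to be bounded elsewhere. The function starts before and ends after the hunk.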
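Review bot: In the `catch (...)` hunk of ImfScanLineInputFile.cpp, `_streamData` is deleted but left pointing at freed memory, while `_data` on the next line is reset to NULL; writing it as `if (_data->partNumber == -1) { delete _streamData; _streamData = NULL; }` keeps any later cleanup path from freeing it twice. The handler also reads `_data->partNumber`, which assumes `_data` was fully constructed before anything in the try block threw; the try block is outside the hunk, so that should be confirmed. A comment such as `// partNumber == -1: not part of a multi-part file, so this object owns _streamData` would record why the delete is conditional (the ownership rule is inferred from the condition, not shown here).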