OpenEXR-1.6.1-5mdv2010.1.src.rpm

Fix integer overflows in compressor constructors, CVE-2009-1720 [2/2].
--- a/IlmImf/ImfPizCompressor.cpp
+++ b/IlmImf/ImfPizCompressor.cpp
@@ -53,6 +53,7 @@
 #include <ImfAutoArray.h>
 #include <string.h>
 #include <assert.h>
+#include <climits>
 
 namespace Imf {
 
@@ -181,6 +182,9 @@ PizCompressor::PizCompressor
     _channels (hdr.channels()),
     _channelData (0)
 {
+    if ((unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192) / (unsigned) numScanLines)
+        throw InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+
     _tmpBuffer = new unsigned short [maxScanLineSize * numScanLines / 2];
     _outBuffer = new char [maxScanLineSize * numScanLines + 65536 + 8192];
 
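Review bot: The new guard divides by `(unsigned) numScanLines` without first checking that it is non-zero, so a value of 0 would cause a division by zero before any buffer is sized. The same divisor appears in the Pxr24Compressor and ZipCompressor guards. The constructor signature and its callers are outside this hunk, so whether 0 can reach this point is not visible here; if it can, test it first, e.g. `if (numScanLines <= 0 || (unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192) / (unsigned) numScanLines)`. The slack `65536 + 8192` is now written twice, in the check and in the `_outBuffer` allocation, and a named constant would keep the two from drifting apart.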
--- a/IlmImf/ImfPxr24Compressor.cpp
+++ b/IlmImf/ImfPxr24Compressor.cpp
@@ -73,6 +73,7 @@
 #include <zlib.h>
 #include <assert.h>
 #include <algorithm>
+#include <climits>
 
 using namespace std;
 using namespace Imath;
@@ -187,6 +188,9 @@ Pxr24Compressor::Pxr24Compressor (const 
 {
     int maxInBytes = maxScanLineSize * numScanLines;
 
+    if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines)
+        throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+
     _tmpBuffer = new unsigned char [maxInBytes];
     _outBuffer = new char [int (ceil (maxInBytes * 1.01)) + 100];
 
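Review bot: `int maxInBytes = maxScanLineSize * numScanLines;` sits on the context line above the new guard, so the signed multiplication has already overflowed (undefined behaviour) by the time the check can throw; the check should move ahead of that initialisation. The bound of `INT_MAX` also leaves no headroom for the `_outBuffer` size, because `int (ceil (maxInBytes * 1.01)) + 100` no longer fits in an `int` once maxInBytes exceeds roughly `(INT_MAX - 100) / 1.01`. A tighter limit such as `if ((unsigned) maxScanLineSize > (unsigned) ((INT_MAX - 100) / 1.01) / (unsigned) numScanLines)` covers both allocations. The constructor body continues outside the hunk.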
--- a/IlmImf/ImfRleCompressor.cpp
+++ b/IlmImf/ImfRleCompressor.cpp
@@ -41,6 +41,7 @@
 //-----------------------------------------------------------------------------
 
 #include <ImfRleCompressor.h>
+#include <climits>
 #include "Iex.h"
 
 namespace Imf {
@@ -164,6 +165,9 @@ RleCompressor::RleCompressor (const Head
     _tmpBuffer (0),
     _outBuffer (0)
 {
+    if ((unsigned) maxScanLineSize > INT_MAX / 3)
+        throw Iex::InputExc ("Error: maxScanLineSize * 3 would overflow");
+
     _tmpBuffer = new char [maxScanLineSize];
     _outBuffer = new char [maxScanLineSize * 3 / 2];
 }
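Review bot: The `(unsigned)` cast in the new check does two jobs that nothing in the code states: it bounds the size, and it rejects a negative maxScanLineSize, which converts to a large unsigned value. A one-line comment such as `// unsigned compare: a negative maxScanLineSize is rejected here as well` would keep a later cleanup from dropping the cast as redundant. The message text also lacks the trailing period that the other three compressors' messages carry.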
--- a/IlmImf/ImfZipCompressor.cpp
+++ b/IlmImf/ImfZipCompressor.cpp
@@ -43,6 +43,7 @@
 #include <ImfZipCompressor.h>
 #include "Iex.h"
 #include <zlib.h>
+#include <climits>
 
 namespace Imf {
 
@@ -58,6 +59,9 @@ ZipCompressor::ZipCompressor
     _tmpBuffer (0),
     _outBuffer (0)
 {
+    if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines)
+        throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+
     _tmpBuffer =
 	new char [maxScanLineSize * numScanLines];