Fix integer overflows in compressor constructors, CVE-2009-1720 [2/2]. --- a/IlmImf/ImfPizCompressor.cpp +++ b/IlmImf/ImfPizCompressor.cpp @@ -53,6 +53,7 @@ #include <ImfAutoArray.h> #include <string.h> #include <assert.h> +#include <climits> namespace Imf { @@ -181,6 +182,9 @@ PizCompressor::PizCompressor _channels (hdr.channels()), _channelData (0) { + if ((unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192) / (unsigned) numScanLines) + throw InputExc ("Error: maxScanLineSize * numScanLines would overflow."); + _tmpBuffer = new unsigned short [maxScanLineSize * numScanLines / 2]; _outBuffer = new char [maxScanLineSize * numScanLines + 65536 + 8192]; --- a/IlmImf/ImfPxr24Compressor.cpp +++ b/IlmImf/ImfPxr24Compressor.cpp @@ -73,6 +73,7 @@ #include <zlib.h> #include <assert.h> #include <algorithm> +#include <climits> using namespace std; using namespace Imath; @@ -187,6 +188,9 @@ Pxr24Compressor::Pxr24Compressor (const { int maxInBytes = maxScanLineSize * numScanLines; + if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines) + throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would overflow."); + _tmpBuffer = new unsigned char [maxInBytes]; _outBuffer = new char [int (ceil (maxInBytes * 1.01)) + 100]; --- a/IlmImf/ImfRleCompressor.cpp +++ b/IlmImf/ImfRleCompressor.cpp @@ -41,6 +41,7 @@ //----------------------------------------------------------------------------- #include <ImfRleCompressor.h> +#include <climits> #include "Iex.h" namespace Imf { @@ -164,6 +165,9 @@ RleCompressor::RleCompressor (const Head _tmpBuffer (0), _outBuffer (0) { + if ((unsigned) maxScanLineSize > INT_MAX / 3) + throw Iex::InputExc ("Error: maxScanLineSize * 3 would overflow"); + _tmpBuffer = new char [maxScanLineSize]; _outBuffer = new char [maxScanLineSize * 3 / 2]; } --- a/IlmImf/ImfZipCompressor.cpp +++ b/IlmImf/ImfZipCompressor.cpp @@ -43,6 +43,7 @@ #include <ImfZipCompressor.h> #include "Iex.h" #include <zlib.h> +#include <climits> namespace Imf { @@ -58,6 +59,9 @@ ZipCompressor::ZipCompressor _tmpBuffer (0), _outBuffer (0) { + if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines) + throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would overflow."); + _tmpBuffer = new char [maxScanLineSize * numScanLines];