Headline
CVE-2020-16589: Fix for #494: validate tile coordinates when doing copyPixels · AcademySoftwareFoundation/openexr@6bb3671
A heap-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of service via a crafted EXR file.
@@ -1313,6 +1313,13 @@ TiledInputFile::rawTileData (int &dx, int &dy,
throw IEX_NAMESPACE::ArgExc (“rawTileData read the wrong tile”);
}
}
else
{
if(!isValidTile (dx, dy, lx, ly) )
{
throw IEX_NAMESPACE::IoExc (“rawTileData read an invalid tile”);
}
}
pixelData = tileBuffer->buffer;
}
catch (IEX_NAMESPACE::BaseExc &e)
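Review bot: the new else branch that calls isValidTile (dx, dy, lx, ly) has no comment explaining why validation is needed on this path, and its message "rawTileData read an invalid tile" omits the coordinates that failed. Suggest a short comment stating that dx, dy, lx and ly here are values that were read rather than supplied by the caller, and that consumers such as copyPixels (named in the commit title) rely on them being in range. Including the four values in the exception text would let a rejected file be triaged from the log alone. The branch above throws ArgExc while this one throws IoExc; if the difference is meant to separate a bad caller argument from bad file data, the comment should say so. A regression test that supplies out-of-range tile coordinates and expects this exception would keep the check from being dropped in a later refactor.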
Related news
CVE-2020-15306: openexr/CHANGES.md at main · AcademySoftwareFoundation/openexr
An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp.