27 lines
865 B
Plaintext
27 lines
865 B
Plaintext
$OpenBSD: patch-IlmImf_ImfPizCompressor_cpp,v 1.1 2009/07/30 11:56:40 jasper Exp $
|
|
|
|
Security fix for CVE-2009-1720, patch from Debian.
|
|
Fix integer overflows in compressor constructors.
|
|
|
|
--- IlmImf/ImfPizCompressor.cpp.orig Thu Jul 30 13:45:30 2009
|
|
+++ IlmImf/ImfPizCompressor.cpp Thu Jul 30 13:46:20 2009
|
|
@@ -53,6 +53,7 @@
|
|
#include <ImfAutoArray.h>
|
|
#include <string.h>
|
|
#include <assert.h>
|
|
+#include <climits>
|
|
|
|
namespace Imf {
|
|
|
|
@@ -181,6 +182,10 @@ PizCompressor::PizCompressor
|
|
_channels (hdr.channels()),
|
|
_channelData (0)
|
|
{
|
|
+
|
|
+ if ((unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192) / (unsigned) numScanLines)
|
|
+ throw InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
|
|
+
|
|
_tmpBuffer = new unsigned short [maxScanLineSize * numScanLines / 2];
|
|
_outBuffer = new char [maxScanLineSize * numScanLines + 65536 + 8192];
|
|
|