From b0bbe24152b603afa5fed50e8f2203d0a88925fe Mon Sep 17 00:00:00 2001 From: peterhillman Date: Sun, 6 Sep 2020 05:56:11 +1200 Subject: [PATCH] fix buffer overflow check in PIZ decompression (#829) Signed-off-by: Peter Hillman --- OpenEXR/IlmImf/ImfFastHuf.cpp | 4 ++-- OpenEXR/IlmImf/ImfPizCompressor.cpp | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/OpenEXR/IlmImf/ImfFastHuf.cpp b/OpenEXR/IlmImf/ImfFastHuf.cpp index 1c95fc7774..97782f8051 100644 --- a/OpenEXR/IlmImf/ImfFastHuf.cpp +++ b/OpenEXR/IlmImf/ImfFastHuf.cpp @@ -127,7 +127,7 @@ FastHufDecoder::FastHufDecoder for (Int64 symbol = static_cast(minSymbol); symbol <= static_cast(maxSymbol); symbol++) { - if (currByte - table > numBytes) + if (currByte - table >= numBytes) { throw IEX_NAMESPACE::InputExc ("Error decoding Huffman table " "(Truncated table data)."); @@ -144,7 +144,7 @@ FastHufDecoder::FastHufDecoder if (codeLen == (Int64) LONG_ZEROCODE_RUN) { - if (currByte - table > numBytes) + if (currByte - table >= numBytes) { throw IEX_NAMESPACE::InputExc ("Error decoding Huffman table " "(Truncated table data)."); diff --git a/OpenEXR/IlmImf/ImfPizCompressor.cpp b/OpenEXR/IlmImf/ImfPizCompressor.cpp index edc141ad9d..ffcd9e9aa9 100644 --- a/OpenEXR/IlmImf/ImfPizCompressor.cpp +++ b/OpenEXR/IlmImf/ImfPizCompressor.cpp @@ -594,7 +594,7 @@ Xdr::read (inPtr, (char *) &bitmap[0] + minNonZero, int length; Xdr::read (inPtr, length); - if (length > inSize) + if (inPtr + length > inputEnd || length<0 ) { throw InputExc ("Error in header for PIZ-compressed data " "(invalid array length).");