AcademySoftwareFoundation · cary-ilm · Apr 30, 2020 · Apr 29, 2020
diff --git a/OpenEXR/IlmImf/ImfCompositeDeepScanLine.cpp b/OpenEXR/IlmImf/ImfCompositeDeepScanLine.cpp
@@ -44,6 +44,7 @@
 
 #include <Iex.h>
 #include <vector>
+#include <stddef.h>
 OPENEXR_IMF_INTERNAL_NAMESPACE_SOURCE_ENTER
 
 using std::vector;
@@ -179,7 +180,7 @@ CompositeDeepScanLine::Data::handleDeepFrameBuffer (DeepFrameBuffer& buf,
                                                     int start,
                                                     int end)
 {
-    int width=_dataWindow.size().x+1;
+    ptrdiff_t width=_dataWindow.size().x+1;
     size_t pixelcount = width * (end-start+1);
     pointers.resize(_channels.size());
     counts.resize(pixelcount);

diff --git a/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp b/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp
@@ -915,8 +915,7 @@ void DeepScanLineInputFile::initialize(const Header& header)
     }
     catch (...)
     {
-        delete _data;
-        _data=NULL;
+        // Don't delete _data here, leave that to caller
         throw;
     }
 }
@@ -932,8 +931,15 @@ DeepScanLineInputFile::DeepScanLineInputFile(InputPartData* part)
     _data->memoryMapped = _data->_streamData->is->isMemoryMapped();
     _data->version = part->version;
 
-    initialize(part->header);
-
+    try
+    {
+       initialize(part->header);
+    }
+    catch(...)
+    {
+        delete _data;
+        throw;
+    }
     _data->lineOffsets = part->chunkOffsets;
 
     _data->partNumber = part->partNumber;
@@ -945,7 +951,6 @@ DeepScanLineInputFile::DeepScanLineInputFile
 :
      _data (new Data (numThreads))
 {
-    _data->_streamData = new InputStreamMutex();
     _data->_deleteStream = true;
     OPENEXR_IMF_INTERNAL_NAMESPACE::IStream* is = 0;
 
@@ -955,12 +960,29 @@ DeepScanLineInputFile::DeepScanLineInputFile
         readMagicNumberAndVersionField(*is, _data->version);
         //
         // Backward compatibility to read multpart file.
-        //
+        // multiPartInitialize will create _streamData
         if (isMultiPart(_data->version))
         {
             compatibilityInitialize(*is);
             return;
         }
+    }
+    catch (IEX_NAMESPACE::BaseExc &e)
+    {
+        if (is)          delete is;
+        if (_data)       delete _data;
+
+        REPLACE_EXC (e, "Cannot read image file "
+                     "\"" << fileName << "\". " << e.what());
+        throw;
+    }
+
+    // 
+    // not multiPart - allocate stream data and intialise as normal
+    //
+    try
+    { 
+        _data->_streamData = new InputStreamMutex();
         _data->_streamData->is = is;
         _data->memoryMapped = is->isMemoryMapped();
         _data->header.readFrom (*_data->_streamData->is, _data->version);
@@ -976,7 +998,10 @@ DeepScanLineInputFile::DeepScanLineInputFile
     catch (IEX_NAMESPACE::BaseExc &e)
     {
         if (is)          delete is;
-        if (_data && _data->_streamData) delete _data->_streamData;
+        if (_data && _data->_streamData)
+        {
+            delete _data->_streamData;
+        }
         if (_data)       delete _data;
 
         REPLACE_EXC (e, "Cannot read image file "
@@ -986,7 +1011,10 @@ DeepScanLineInputFile::DeepScanLineInputFile
     catch (...)
     {
         if (is)          delete is;
-        if (_data && _data->_streamData) delete _data->_streamData;
+        if (_data && _data->_streamData)
+        {
+            delete _data->_streamData;
+        }
         if (_data)       delete _data;
 
         throw;
@@ -1010,7 +1038,18 @@ DeepScanLineInputFile::DeepScanLineInputFile
 
     _data->version =version;
 
-    initialize (header);
+    try
+    {
+        initialize (header);
+    }
+    catch (...)
+    {
+        if (_data && _data->_streamData)
+        {
+            delete _data->_streamData;
+        }
+        if (_data)       delete _data;
+   }
 
     readLineOffsets (*_data->_streamData->is,
                      _data->lineOrder,
@@ -1042,8 +1081,9 @@ DeepScanLineInputFile::~DeepScanLineInputFile ()
         //
 
         if (_data->partNumber == -1 && _data->_streamData)
+        {
             delete _data->_streamData;
-
+        }
         delete _data;
     }
 }

diff --git a/OpenEXR/IlmImf/ImfDeepTiledInputFile.cpp b/OpenEXR/IlmImf/ImfDeepTiledInputFile.cpp
@@ -283,7 +283,8 @@ DeepTiledInputFile::Data::Data (int numThreads):
     multiPartBackwardSupport(false),
     numThreads(numThreads),
     memoryMapped(false),
-    _streamData(NULL),
+    sampleCountTableComp(nullptr),
+    _streamData(nullptr),
     _deleteStream(false)
 {
     //
@@ -308,6 +309,8 @@ DeepTiledInputFile::Data::~Data ()
 
     for (size_t i = 0; i < slices.size(); i++)
         delete slices[i];
+
+    delete sampleCountTableComp;
 }
 
 
@@ -927,7 +930,15 @@ DeepTiledInputFile::DeepTiledInputFile (InputPartData* part) :
     _data (new Data (part->numThreads))
 {
     _data->_deleteStream=false;
-    multiPartInitialize(part);
+    try
+    {
+       multiPartInitialize(part);
+    }
+    catch(...)
+    {
+        delete _data;
+        throw;
+    }
 }
 
 

diff --git a/OpenEXR/IlmImf/ImfDwaCompressor.cpp b/OpenEXR/IlmImf/ImfDwaCompressor.cpp
@@ -265,8 +265,9 @@ struct DwaCompressor::Classifier
                                 " (truncated rule).");
 
         {
-            char suffix[Name::SIZE];
-            memset (suffix, 0, Name::SIZE);
+            // maximum length of string plus one byte for terminating NULL
+            char suffix[Name::SIZE+1];
+            memset (suffix, 0, Name::SIZE+1);
             Xdr::read<CharPtrIO> (ptr, std::min(size, Name::SIZE-1), suffix);
             _suffix = std::string(suffix);
         }
@@ -2409,7 +2410,7 @@ DwaCompressor::uncompress
         unsigned short ruleSize = 0;
         Xdr::read<CharPtrIO>(dataPtr, ruleSize);
 
-        if (ruleSize < 0) 
+        if (ruleSize < Xdr::size<unsigned short>())
             throw Iex::InputExc("Error uncompressing DWA data"
                                 " (corrupt header file).");
 
@@ -2806,6 +2807,14 @@ DwaCompressor::uncompress
                     if (Imath::modp (y, cd->ySampling) != 0)
                         continue;
 
+                    //
+                    // sanity check for buffer data lying within range
+                    //
+                    if (cd->planarUncBufferEnd + dstScanlineSize - _planarUncBuffer[UNKNOWN] > _planarUncBufferSize[UNKNOWN] )
+                    {
+                        throw Iex::InputExc("DWA data corrupt");
+                    }
+
                     memcpy (rowPtrs[chan][row],
                             cd->planarUncBufferEnd,
                             dstScanlineSize);

diff --git a/OpenEXR/IlmImf/ImfFastHuf.cpp b/OpenEXR/IlmImf/ImfFastHuf.cpp
@@ -256,14 +256,29 @@ FastHufDecoder::FastHufDecoder
         int symbol  = *i >> 6;
 
         if (mapping[codeLen] >= _numSymbols)
+        {
+            delete[] _idToSymbol;
+            _idToSymbol = NULL;
             throw Iex::InputExc ("Huffman decode error "
                                   "(Invalid symbol in header).");
-
+        }
         _idToSymbol[mapping[codeLen]] = symbol;
         mapping[codeLen]++;
     }
 
-    buildTables(base, offset);
+    //
+    // exceptions can be thrown whilst building tables. Delete
+    // _idToSynmbol before re-throwing to prevent memory leak
+    //
+    try
+    {
+      buildTables(base, offset);
+    }catch(...)
+    {
+            delete[] _idToSymbol;
+            _idToSymbol = NULL;
+            throw;
+    }
 }
 
 

diff --git a/OpenEXR/IlmImf/ImfHeader.cpp b/OpenEXR/IlmImf/ImfHeader.cpp
@@ -869,6 +869,7 @@ Header::sanityCheck (bool isTiled, bool isMultipartFile) const
     }
 
     const std::string & part_type=hasType() ? type() : "";
+
 
     if(part_type!="" && !isSupportedType(part_type))
     {
@@ -878,6 +879,7 @@ Header::sanityCheck (bool isTiled, bool isMultipartFile) const
         return;
     }
 
+    bool isDeep = isDeepData(part_type);
 
     //
     // If the file is tiled, verify that the tile description has reasonable
@@ -898,7 +900,7 @@ Header::sanityCheck (bool isTiled, bool isMultipartFile) const
 
 	const TileDescription &tileDesc = tileDescription();
 
-	if (tileDesc.xSize <= 0 || tileDesc.ySize <= 0)
+	if (tileDesc.xSize <= 0 || tileDesc.ySize <= 0 || tileDesc.xSize > INT_MAX || tileDesc.ySize > INT_MAX )
 	    throw IEX_NAMESPACE::ArgExc ("Invalid tile size in image header.");
 
 	if (maxTileWidth > 0 &&
@@ -945,7 +947,8 @@ Header::sanityCheck (bool isTiled, bool isMultipartFile) const
     if (!isValidCompression (this->compression()))
   	throw IEX_NAMESPACE::ArgExc ("Unknown compression type in image header.");
 
-    if(isDeepData(part_type))
+
+    if( isDeep )
     {
         if (!isValidDeepCompression (this->compression()))
             throw IEX_NAMESPACE::ArgExc ("Compression type in header not valid for deep data");
@@ -957,6 +960,8 @@ Header::sanityCheck (bool isTiled, bool isMultipartFile) const
     // If the file is tiled then for each channel, the type must be one of the
     // predefined values, and the x and y sampling must both be 1.
     //
+    // x and y sampling must currently also be 1 for deep scanline images
+    //
     // If the file is not tiled then for each channel, the type must be one
     // of the predefined values, the x and y coordinates of the data window's
     // upper left corner must be divisible by the x and y subsampling factors,
@@ -966,7 +971,7 @@ Header::sanityCheck (bool isTiled, bool isMultipartFile) const
 
     const ChannelList &channels = this->channels();
 
-    if (isTiled)
+    if (isTiled || isDeep)
     {
 	for (ChannelList::ConstIterator i = channels.begin();
 	     i != channels.end();

diff --git a/OpenEXR/IlmImf/ImfHuf.cpp b/OpenEXR/IlmImf/ImfHuf.cpp
@@ -1052,7 +1052,10 @@ hufUncompress (const char compressed[],
 	       unsigned short raw[],
 	       int nRaw)
 {
-    if (nCompressed == 0)
+    //
+    // need at least 20 bytes for header
+    //
+    if (nCompressed < 20 )
     {
 	if (nRaw != 0)
 	    notEnoughData();
@@ -1070,6 +1073,12 @@ hufUncompress (const char compressed[],
 
     const char *ptr = compressed + 20;
 
+    if ( ptr + (nBits+7 )/8 > compressed+nCompressed)
+    {
+        notEnoughData();
+        return;
+    }
+
     // 
     // Fast decoder needs at least 2x64-bits of compressed data, and
     // needs to be run-able on this platform. Otherwise, fall back

diff --git a/OpenEXR/IlmImf/ImfInputFile.cpp b/OpenEXR/IlmImf/ImfInputFile.cpp
@@ -474,7 +474,15 @@ InputFile::InputFile (InputPartData* part) :
     _data (new Data (part->numThreads))
 {
     _data->_deleteStream=false;
-    multiPartInitialize (part);
+    try
+    {
+       multiPartInitialize (part);
+    }
+    catch(...)
+    {
+        delete _data;
+        throw;
+    }
 }