Releases: AcademySoftwareFoundation/openexr
v2.4.3
Patch release for v2.4 that addresses the following security vulnerabilities:
- CVE-2021-20296 Segv on unknown address in Imf_2_5::hufUncompress - Null Pointer dereference (817)
- CVE-2021-3479 Out-of-memory in openexr_exrenvmap_fuzzer (830)
- CVE-2021-3478 Out-of-memory in openexr_exrcheck_fuzzer (863)
- CVE-2021-3477 Heap-buffer-overflow in Imf_2_5::DeepTiledInputFile::readPixelSampleCounts (861)
- CVE-2021-3476 Undefined-shift in Imf_2_5::unpack14 (832)
- CVE-2021-3475 Integer-overflow in Imf_2_5::calculateNumTiles (825)
- CVE-2021-3474 Undefined-shift in Imf_2_5::FastHufDecoder::FastHufDecoder (818)
Also:
- 1013 Fixed regression in Imath::succf() and Imath::predf() when negative values are given
v2.5.6
v3.0.1
Major release with major build restructuring, security improvements, and new features:
Restructuring:
- The IlmBase/PyIlmBase submodules have been separated into the Imath project, now included by OpenEXR via a CMake submodule dependency, fetched automatically via CMake's FetchContent if necessary.
- The library is now called libOpenEXR (instead of libIlmImf). No header files have been renamed; they retain the Imf prefix.
- Symbol linkage visibility is limited to specific public symbols. See SymbolVisibility.md for more details.
Build improvements:
- No more simultaneous static/shared build option.
- Community-provided support for bazel.
- GNU autoconf/bootstrap/configure build setup has been retired.
New Features:
- ID Manifest Attributes, as described in "A Scheme for Storing Object ID Manifests in OpenEXR Images", Peter Hillman, DigiPro 18: Proceedings of the 8th Annual Digital Production Symposium, August 2018.
- New program: exrcheck validates the contents of an EXR file.
Changes:
- EXR files with no channels are no longer allowed.
- Hard limit on the size of deep tile sizes; tiles must be less than 2^30 pixels.
- Tiled DWAB files used STATIC_HUFFMAN compression.
- Int64 and SInt64 types are deprecated in favor of uint64_t and int64_t.
- Header files have been pruned of extraneous #include's ("Include What You Use"), which may generate compiler errors in application source code from undefined symbols or partially-defined types. These can be resolved by identifying and including the appropriate header.
- See the porting guide for details about differences from previous releases and how to address them.
- Also refer to the porting guide for details about changes to Imath.
v3.0.1-beta
Beta patch release:
- OSS-fuzz 32370 Out-of-memory in openexr_exrcheck_fuzzer
- OSS-fuzz 32067 account for size of pixels when estimating memory
Merged Pull Requests:
- 988 Remove deprecated argument to getChunkOffsetTableSize()
- 987 exrcheck: reduceMemory now checks pixel size and scanline compression mode
- 983 Reduce warnings reported in #982
- 980 Bazel cherry picks
- 968 Fix typos in Int64/SInt64 deprecation warnings
- 966 exrcheck: account for size of pixels when estimating memory
v3.0.0-beta
Major release with major build restructuring, security improvements, and new features:
Restructuring:
- The IlmBase/PyIlmBase submodules have been separated into the Imath project, now included by OpenEXR via a CMake submodule dependency, fetched automatically via CMake's FetchContent if necessary.
- The library is now called libOpenEXR (instead of libIlmImf). No header files have been renamed; they retain the Imf prefix.
- Symbol linkage visibility is limited to specific public symbols. See SymbolVisibility.md for more details.
Build improvements:
- No more simultaneous static/shared build option.
- Community-provided support for bazel.
- GNU autoconf/bootstrap/configure build setup has been retired.
New Features:
- ID Manifest Attributes, as described in "A Scheme for Storing Object ID Manifests in OpenEXR Images", Peter Hillman, DigiPro 18: Proceedings of the 8th Annual Digital Production Symposium, August 2018.
- New program: exrcheck validates the contents of an EXR file.
Changes:
- EXR files with no channels are no longer allowed.
- Hard limit on the size of deep tile sizes; tiles must be less than 2^30 pixels.
- Tiled DWAB files used STATIC_HUFFMAN compression.
- Int64 and SInt64 types are deprecated in favor of uint64_t and int64_t.
- Header files have been pruned of extraneous #include's ("Include What You Use"), which may generate compiler errors in application source code from undefined symbols or partially-defined types. These can be resolved by identifying and including the appropriate header.
- See the porting guide for details about differences from previous releases and how to address them.
- Also refer to the porting guide for details about changes to Imath.
v2.5.5
Patch release with various bug/sanitizer/security fixes, primarily related to reading corrupted input files, but also a fix for universal build support on macOS.
Specific OSS-fuzz issues include:
- OSS-fuzz #30291 Timeout in openexr_exrcheck_fuzzer
- OSS-fuzz #29106 Heap-buffer-overflow in Imf_2_5::FastHufDecoder::decode
- OSS-fuzz #28971 Undefined-shift in Imf_2_5::cachePadding
- OSS-fuzz #29829 Integer-overflow in Imf_2_5::DwaCompressor::initializeBuffers
- OSS-fuzz #30121 Out-of-memory in openexr_exrcheck_fuzzer
v2.5.4
Patch release with various bug/sanitizer/security fixes, primarily related to reading corrupted input files.
Specific OSS-fuzz issues include:
- OSS-fuzz #24854 Segv on unknown address in Imf_2_5::hufUncompress
- OSS-fuzz #24831 Undefined-shift in Imf_2_5::FastHufDecoder::FastHufDecoder
- OSS-fuzz #24969 Invalid-enum-value in Imf_2_5::TypedAttribute<Imf_2_5::Envmap>::writeValueTo
- OSS-fuzz #25297 Integer-overflow in Imf_2_5::calculateNumTiles
- OSS-fuzz #24787 Undefined-shift in Imf_2_5::unpack14
- OSS-fuzz #25326 Out-of-memory in openexr_scanlines_fuzzer
- OSS-fuzz #25399 Heap-buffer-overflow in Imf_2_5::FastHufDecoder::FastHufDecoder
- OSS-fuzz #25415 Abrt in __cxxabiv1::failed_throw
- OSS-fuzz #25370 Out-of-memory in openexr_exrenvmap_fuzzer
- OSS-fuzz #25501 Out-of-memory in openexr_scanlines_fuzzer
- OSS-fuzz #25505 Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
- OSS-fuzz #25562 Integer-overflow in Imf_2_5::hufUncompress
- OSS-fuzz #25740 Null-dereference READ in Imf_2_5::Header::operator
- OSS-fuzz #25743 Null-dereference in Imf_2_5::MultiPartInputFile::header
- OSS-fuzz #25913 Out-of-memory in openexr_exrenvmap_fuzzer
- OSS-fuzz #26229 Undefined-shift in Imf_2_5::hufDecode
- OSS-fuzz #26658 Out-of-memory in openexr_scanlines_fuzzer
- OSS-fuzz #26956 Heap-buffer-overflow in Imf_2_5::DeepTiledInputFile::readPixelSampleCounts
- OSS-fuzz #27409 Out-of-memory in openexr_exrcheck_fuzzer
- OSS-fuzz #25892 Divide-by-zero in Imf_2_5::calculateNumTiles
- OSS-fuzz #25894 Floating-point-exception in Imf_2_5::precalculateTileInfo
See CHANGES.md for more details.
v2.5.3
Patch release with various bug/security fixes and build/install fixes, plus a performance optimization:
v2.5.2
Patch release with various bug/security and build/install fixes:
- Invalid input could cause a heap-use-after-free error in DeepScanLineInputFile::DeepScanLineInputFile()
- Invalid chunkCount attributes could cause heap buffer overflow in getChunkOffsetTableSize()
- Invalid tiled input file could cause invalid memory access TiledInputFile::TiledInputFile()
- OpenEXRConfig.h now correctly sets OPENEXR_PACKAGE_STRING to "OpenEXR" (rather than "IlmBase")
- Various Windows build fixes
v2.4.2
Patch release that backports various recent bug/security fixes:
- Invalid input could cause a heap-use-after-free error in DeepScanLineInputFile::DeepScanLineInputFile()
- Invalid chunkCount attributes could cause heap buffer overflow in getChunkOffsetTableSize()
- Invalid tiled input file could cause invalid memory access TiledInputFile::TiledInputFile()
- OpenEXRConfig.h now correctly sets OPENEXR_PACKAGE_STRING to "OpenEXR" (rather than "IlmBase")