fixes for DWA uncompress: sanity check unknown data reading, off-by-o…

…ne error on max suffix string length Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
AcademySoftwareFoundation · Jan 20, 2020 · 749ac87 · 749ac87
1 parent d0303d1
commit 749ac87
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/OpenEXR/IlmImf/ImfDwaCompressor.cpp b/OpenEXR/IlmImf/ImfDwaCompressor.cpp
@@ -268,8 +268,9 @@ struct DwaCompressor::Classifier
                                 " (truncated rule).");
 
         {
-            char suffix[Name::SIZE];
-            memset (suffix, 0, Name::SIZE);
+            // maximum length of string plus one byte for terminating NULL
+            char suffix[Name::SIZE+1];
+            memset (suffix, 0, Name::SIZE+1);
             Xdr::read<CharPtrIO> (ptr, std::min(size, Name::SIZE-1), suffix);
             _suffix = std::string(suffix);
         }
@@ -2816,6 +2817,14 @@ DwaCompressor::uncompress
                     if (IMATH_NAMESPACE::modp (y, cd->ySampling) != 0)
                         continue;
 
+                    //
+                    // sanity check for buffer data lying within range
+                    //
+                    if (cd->planarUncBufferEnd + dstScanlineSize - _planarUncBuffer[UNKNOWN] > _planarUncBufferSize[UNKNOWN] )
+                    {
+                        throw Iex::InputExc("DWA data corrupt");
+                    }
+
                     memcpy (rowPtrs[chan][row],
                             cd->planarUncBufferEnd,
                             dstScanlineSize);