port AcademySoftwareFoundation/openexr@8bedf10 to fix CVE 2023 5841

zhangha182 · zhangha182 · commit 33088a54b710 · 2025-08-07T20:48:07.000+08:00
diff --git a/pxr/imaging/hio/OpenEXR/OpenEXRCore/decoding.c b/pxr/imaging/hio/OpenEXR/OpenEXRCore/decoding.c
@@ -288,6 +288,9 @@ default_decompress_chunk (exr_decode_pipeline_t* decode)
         uint64_t sampsize =
             (((uint64_t) decode->chunk.width) *
              ((uint64_t) decode->chunk.height));
+
+        if ((decode->decode_flags & EXR_DECODE_SAMPLE_COUNTS_AS_INDIVIDUAL))
+            sampsize += 1;
         sampsize *= sizeof (int32_t);
 
         rv = decompress_data (
@@ -340,7 +343,7 @@ unpack_sample_table (
     exr_result_t rv           = EXR_ERR_SUCCESS;
     int32_t      w            = decode->chunk.width;
     int32_t      h            = decode->chunk.height;
-    int32_t      totsamp      = 0;
+    uint64_t     totsamp      = 0;
     int32_t*     samptable    = decode->sample_count_table;
     size_t       combSampSize = 0;
 
@@ -351,38 +354,44 @@ unpack_sample_table (
     {
         for (int32_t y = 0; y < h; ++y)
         {
+            int32_t *cursampline = samptable + y * w;
             int32_t prevsamp = 0;
             for (int32_t x = 0; x < w; ++x)
             {
                 int32_t nsamps =
-                    (int32_t) one_to_native32 ((uint32_t) samptable[y * w + x]);
-                if (nsamps < 0) return EXR_ERR_INVALID_SAMPLE_DATA;
-                samptable[y * w + x] = nsamps - prevsamp;
-                prevsamp             = nsamps;
+                    (int32_t) one_to_native32 ((uint32_t) cursampline[x]);
+                if (nsamps < prevsamp) return EXR_ERR_INVALID_SAMPLE_DATA;
+
+                cursampline[x] = nsamps - prevsamp;
+                prevsamp       = nsamps;
             }
-            totsamp += prevsamp;
+            totsamp += (uint64_t)prevsamp;
         }
-        samptable[w * h] = totsamp;
+        if (totsamp >= (uint64_t)INT32_MAX)
+            return EXR_ERR_INVALID_SAMPLE_DATA;
+        samptable[w * h] = (int32_t)totsamp;
     }
     else
     {
         for (int32_t y = 0; y < h; ++y)
         {
+            int32_t *cursampline = samptable + y * w;
             int32_t prevsamp = 0;
             for (int32_t x = 0; x < w; ++x)
             {
                 int32_t nsamps =
-                    (int32_t) one_to_native32 ((uint32_t) samptable[y * w + x]);
-                if (nsamps < 0) return EXR_ERR_INVALID_SAMPLE_DATA;
-                samptable[y * w + x] = nsamps;
-                prevsamp             = nsamps;
+                    (int32_t) one_to_native32 ((uint32_t) cursampline[x]);
+                if (nsamps < prevsamp) return EXR_ERR_INVALID_SAMPLE_DATA;
+
+                cursampline[x] = nsamps;
+                prevsamp = nsamps;
             }
-            totsamp += prevsamp;
+
+            totsamp += (uint64_t)prevsamp;
         }
     }
 
-    if (totsamp < 0 ||
-        (((uint64_t) totsamp) * combSampSize) > decode->chunk.unpacked_size)
+    if ((totsamp * combSampSize) > decode->chunk.unpacked_size)
     {
         rv = pctxt->report_error (
             pctxt, EXR_ERR_INVALID_SAMPLE_DATA, "Corrupt sample count table");
diff --git a/pxr/imaging/hio/OpenEXR/OpenEXRCore/unpack.c b/pxr/imaging/hio/OpenEXR/OpenEXRCore/unpack.c
@@ -1196,9 +1196,10 @@ generic_unpack_deep_pointers (exr_decode_pipeline_t* decode)
                 if (outpix)
                 {
                     uint8_t* cdata = outpix;
+
                     UNPACK_SAMPLES (samps)
                 }
-                srcbuffer += bpc * samps;
+                srcbuffer += ((size_t) bpc) * ((size_t) samps);
             }
         }
         sampbuffer += w;
@@ -1242,12 +1243,14 @@ generic_unpack_deep (exr_decode_pipeline_t* decode)
                 }
                 else
                     prevsamps = sampbuffer[w - 1];
+
                 srcbuffer += ((size_t) bpc) * ((size_t) prevsamps);
 
                 if (incr_tot) totsamps += (size_t) prevsamps;
 
                 continue;
             }
+
             cdata += totsamps * ((size_t) ubpc);
 
             for (int x = 0; x < w; ++x)
@@ -1263,7 +1266,7 @@ generic_unpack_deep (exr_decode_pipeline_t* decode)
 
                 UNPACK_SAMPLES (samps)
 
-                srcbuffer += bpc * samps;
+                srcbuffer += ((size_t) bpc) * ((size_t) samps);
                 if (incr_tot) totsamps += (size_t) samps;
             }
         }
@@ -1301,7 +1304,7 @@ internal_exr_match_decode (
 
     if (isdeep)
     {
-        if ((decode->decode_flags & EXR_DECODE_SAMPLE_COUNTS_AS_INDIVIDUAL))
+        if ((decode->decode_flags & EXR_DECODE_NON_IMAGE_DATA_AS_POINTERS))
             return &generic_unpack_deep_pointers;
         return &generic_unpack_deep;
     }

Original file line number	Diff line number	Diff line change
`@@ -1196,9 +1196,10 @@ generic_unpack_deep_pointers (exr_decode_pipeline_t* decode)`
`1196`	`1196`	`if (outpix)`
`1197`	`1197`	`{`
`1198`	`1198`	`uint8_t* cdata = outpix;`
	`1199`	`+`
`1199`	`1200`	`UNPACK_SAMPLES (samps)`
`1200`	`1201`	`}`
`1201`		`- srcbuffer += bpc * samps;`
	`1202`	`+ srcbuffer += ((size_t) bpc) * ((size_t) samps);`
`1202`	`1203`	`}`
`1203`	`1204`	`}`
`1204`	`1205`	`sampbuffer += w;`
`@@ -1242,12 +1243,14 @@ generic_unpack_deep (exr_decode_pipeline_t* decode)`
`1242`	`1243`	`}`
`1243`	`1244`	`else`
`1244`	`1245`	`prevsamps = sampbuffer[w - 1];`
	`1246`	`+`
`1245`	`1247`	`srcbuffer += ((size_t) bpc) * ((size_t) prevsamps);`
`1246`	`1248`
`1247`	`1249`	`if (incr_tot) totsamps += (size_t) prevsamps;`
`1248`	`1250`
`1249`	`1251`	`continue;`
`1250`	`1252`	`}`
	`1253`	`+`
`1251`	`1254`	`cdata += totsamps * ((size_t) ubpc);`
`1252`	`1255`
`1253`	`1256`	`for (int x = 0; x < w; ++x)`
`@@ -1263,7 +1266,7 @@ generic_unpack_deep (exr_decode_pipeline_t* decode)`
`1263`	`1266`
`1264`	`1267`	`UNPACK_SAMPLES (samps)`
`1265`	`1268`
`1266`		`- srcbuffer += bpc * samps;`
	`1269`	`+ srcbuffer += ((size_t) bpc) * ((size_t) samps);`
`1267`	`1270`	`if (incr_tot) totsamps += (size_t) samps;`
`1268`	`1271`	`}`
`1269`	`1272`	`}`
`@@ -1301,7 +1304,7 @@ internal_exr_match_decode (`
`1301`	`1304`
`1302`	`1305`	`if (isdeep)`
`1303`	`1306`	`{`
`1304`		`- if ((decode->decode_flags & EXR_DECODE_SAMPLE_COUNTS_AS_INDIVIDUAL))`
	`1307`	`+ if ((decode->decode_flags & EXR_DECODE_NON_IMAGE_DATA_AS_POINTERS))`
`1305`	`1308`	`return &generic_unpack_deep_pointers;`
`1306`	`1309`	`return &generic_unpack_deep;`
`1307`	`1310`	`}`