Patch release that addresses several bugs, primarily involving properly rejecting corrupt input data.
Specifically:
- Buffer overflow in `PyOpenEXR_old`'s `channels()` and `channel()` in legacy python, reported by Joshua Rogers (GitHub: MegaManSec).
- Use after free in `PyObject_StealAttrString` in legacy python, reported by Joshua Rogers (GitHub: MegaManSec).
- Use of Uninitialized Memory in openexr, reported by Aldo Ristori (GitHub: Kaldreic).
- Heap-based Buffer Overflow Remote Code Execution Vulnerability, reported by Trend Micro Zero Day Initiative.
Also:
- OSS-fuzz 456158449 Heap-buffer-overflow in `generic_unpack`
- OSS-fuzz 447429458 Heap-buffer-overflow in `DwaCompressor_uncompress`
- OSS-fuzz 439237843 Heap-buffer-overflow in `internal_exr_undo_ht`
- OSS-fuzz 436037111 Heap-buffer-overflow in `generic_unpack`
- OSS-fuzz 435779241 Heap-buffer-overflow in `generic_unpack`
- OSS-fuzz 420744464 Abrt in `__cxxabiv1::failed_throw`
Other fixes:
- Fix a bug with re-reading a scanline file with a different set of channels.
- Only populate `CMAKE_DEBUG_POSTFIX` with `_d` if it is undefined, which makes it possible to set `CMAKE_DEBUG_POSTFIX=""`.
This version also bumps the auto-fetched version of OpenJPH to 0.24.5. OpenJPH 0.24.5 addresses these OSS-Fuzz issues:
- OSS-fuzz 456837230 Crash in `ojph::local::param_cod::~param_cod`
- OSS-fuzz 456248580 Null-dereference READ in `ojph::local::param_cod::~param_cod`
- OSS-fuzz 455374208 Floating-point-exception in `ojph::local::tile::pre_alloc`
- OSS-fuzz 444963190 Index-out-of-bounds in `ojph::local::param_qcd::read_qcc`
- OSS-fuzz 444889300 Heap-buffer-overflow in `ojph::mem_infile::read`
- OSS-fuzz 444878558 Segv on unknown address in `ojph::local::param_qcd::~param_qcd`
- OSS-fuzz 444878557 Null-dereference READ in `ojph::local::param_qcd::~param_qcd`
Full changelog: v3.4.2..v3.4.3