From b85ae402f86008674ef5a1adbef41b0614c15285 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sep 29 2020 07:05:42 +0000
Subject: import OpenEXR-1.7.1-8.el7
---
diff --git a/SOURCES/CVE-2020-11761.patch b/SOURCES/CVE-2020-11761.patch
new file mode 100644
index 0000000..9108572
--- /dev/null
+++ b/SOURCES/CVE-2020-11761.patch
@@ -0,0 +1,15 @@
+diff -urNp a/IlmImf/ImfHuf.cpp b/IlmImf/ImfHuf.cpp
+--- a/IlmImf/ImfHuf.cpp 2020-06-02 12:35:17.259513392 +0200
++++ b/IlmImf/ImfHuf.cpp 2020-06-02 12:51:34.629524885 +0200
+@@ -1058,6 +1058,11 @@ hufUncompress (const char compressed[],
+ 
+ const char *ptr = compressed + 20;
+ 
++ if ( ptr + (nBits+7 )/8 > compressed+nCompressed)
++ {
++ throw InputExc("invalid bit count for data size in Huf data");
++ }
++
+ AutoArray freq;
+ AutoArray hdec;
+ 
diff --git a/SOURCES/CVE-2020-11763.patch b/SOURCES/CVE-2020-11763.patch
new file mode 100644
index 0000000..25a6817
--- /dev/null
+++ b/SOURCES/CVE-2020-11763.patch
@@ -0,0 +1,15 @@
+diff -urNp a/IlmImf/ImfRleCompressor.cpp b/IlmImf/ImfRleCompressor.cpp
+--- a/IlmImf/ImfRleCompressor.cpp 2020-06-02 12:29:00.823667417 +0200
++++ b/IlmImf/ImfRleCompressor.cpp 2020-06-02 12:32:51.134011377 +0200
+@@ -135,6 +135,11 @@ rleUncompress (int inLength, int maxLeng
+ if (0 > (maxLength -= count))
+ return 0;
+ 
++ // check the input buffer is big enough to contain
++ // 'count' bytes of remaining data
++ if (inLength < 0)
++ return 0;
++
+ while (count-- > 0)
+ *out++ = *(char *) (in++);
+ }
diff --git a/SOURCES/CVE-2020-11764.patch b/SOURCES/CVE-2020-11764.patch
new file mode 100644
index 0000000..113cb83
--- /dev/null
+++ b/SOURCES/CVE-2020-11764.patch
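Review bot: The added guard in hufUncompress forms the pointer `ptr + (nBits+7)/8` before comparing it, so for exactly the malformed inputs it is meant to reject it first computes an address past the end of `compressed`, and if `nBits` is a signed int filled from readUInt (as in ImfHuf.cpp of this era; verify against the declaration, which is outside the hunk) then `nBits+7` can overflow and a negative `nBits` passes the check unchanged. An integer comparison on widened lengths avoids both problems and also rejects `nCompressed < 20` without relying on an earlier check: `if (nBits < 0 || (Int64 (nBits) + 7) / 8 > Int64 (nCompressed) - 20)`, using the 64-bit type the file already has in scope. hufUncompress begins and ends outside the hunk.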
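Review bot: The new `if (inLength < 0) return 0;` only protects the literal-run branch shown in this hunk; rleUncompress's other branch (outside the hunk) does `inLength -= 2` and then dereferences `in` in the upstream code of this version, so if 1.7.1 matches, an input that ends on a run-count byte still reads one byte past the buffer. The same check belongs after that subtraction as well: `if (inLength < 0) return 0;`. The enclosing `while (inLength > 0)` loop starts and ends outside the hunk, so this is inferred from upstream rather than visible here.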
@@ -0,0 +1,12 @@
+diff -urNp a/IlmImf/ImfHeader.cpp b/IlmImf/ImfHeader.cpp
+--- a/IlmImf/ImfHeader.cpp 2020-06-02 12:22:29.671798164 +0200
++++ b/IlmImf/ImfHeader.cpp 2020-06-02 12:24:15.802826230 +0200
+@@ -708,7 +708,7 @@ Header::sanityCheck (bool isTiled) const
+ 
+ const TileDescription &tileDesc = tileDescription();
+ 
+- if (tileDesc.xSize <= 0 || tileDesc.ySize <= 0)
++ if (tileDesc.xSize <= 0 || tileDesc.ySize <= 0 || tileDesc.xSize > INT_MAX || tileDesc.ySize > INT_MAX )
+ throw Iex::ArgExc ("Invalid tile size in image header.");
+ 
+ if (maxTileWidth > 0 &&
diff --git a/SPECS/OpenEXR.spec b/SPECS/OpenEXR.spec
index b6d382e..ec6ba6b 100644
--- a/SPECS/OpenEXR.spec
+++ b/SPECS/OpenEXR.spec
@@ -1,7 +1,7 @@
 Name: OpenEXR
 Version: 1.7.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: A high dynamic-range (HDR) image file format
 Group: System Environment/Libraries
@@ -23,6 +23,10 @@ Patch0: openexr-1.7.1-so6.patch
 BuildRequires: automake libtool
 %endif
+Patch1: CVE-2020-11764.patch
+Patch2: CVE-2020-11763.patch
+Patch3: CVE-2020-11761.patch
+
 Obsoletes: openexr < %{version}-%{release}
 Provides: openexr = %{version}-%{release}
@@ -63,6 +67,10 @@ Group: System Environment/Libraries
 ./bootstrap
 %endif
+%patch1 -p1 -b .CVE-2020-11764
+%patch2 -p1 -b .CVE-2020-11763
+%patch3 -p1 -b .CVE-2020-11761
+
 %build
 %configure --disable-static
@@ -115,6 +123,11 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Tue Jun 02 2020 Josef Ridky - 1.7.1-8
+- fix CVE-2020-11764 (#1833552)
+- fix CVE-2020-11763 (#1833566)
+- fix CVE-2020-11761 (#1834461)
+
 * Fri Jan 24 2014 Daniel Mach - 1.7.1-7
 - Mass rebuild 2014-01-24
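Review bot: The changed condition in Header::sanityCheck introduces `INT_MAX` but the patch adds no `#include <climits>`; whether ImfHeader.cpp already pulls it in cannot be seen here, so the build currently depends on a transitive include and the patch should add it explicitly. If `TileDescription::xSize`/`ySize` are `unsigned int` as upstream declares them, the retained `<= 0` only ever tests for zero, so `tileDesc.xSize == 0 || tileDesc.xSize > INT_MAX || tileDesc.ySize == 0 || tileDesc.ySize > INT_MAX` states what is actually rejected, and a short comment like `// tile sizes are later used in int arithmetic` would record why the INT_MAX bound exists. Header::sanityCheck starts and ends outside the hunk.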