From dbe7e5b262ee4cb1a003f0ed02e08c7183f2c750 Mon Sep 17 00:00:00 2001
From: Kimball Thurston
Date: Sat, 25 Sep 2021 14:35:53 +1200
Subject: [PATCH 1/2] Clarify error message

Signed-off-by: Kimball Thurston
---
 src/lib/OpenEXRCore/attributes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/OpenEXRCore/attributes.c b/src/lib/OpenEXRCore/attributes.c
index 50eeae25c6..9fd221384c 100644
--- a/src/lib/OpenEXRCore/attributes.c
+++ b/src/lib/OpenEXRCore/attributes.c
@@ -612,7 +612,7 @@ validate_attr_arguments (
 return ctxt->print_error (
 ctxt,
 EXR_ERR_INVALID_ARGUMENT,
- "Entry '%s' (type %s) already in list but requesting additional data",
+ "Attribute '%s' (type %s) already in list but requesting additional data",
 name,
 nattr->type_name);
 }

From 8828ee13cfc0e37979ed0a2d2152e7c870b73c52 Mon Sep 17 00:00:00 2001
From: Kimball Thurston
Date: Sat, 25 Sep 2021 14:38:15 +1200
Subject: [PATCH 2/2] Fix memory leaks with duplicate attribute names while parsing a header, if someone has injected a duplicate attribute name as an attack vector, fix memory leak for certain attribute types

Signed-off-by: Kimball Thurston
---
 src/lib/OpenEXRCore/parse_header.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/lib/OpenEXRCore/parse_header.c b/src/lib/OpenEXRCore/parse_header.c
index 5e0fc72a2f..4dd9071cfd 100644
--- a/src/lib/OpenEXRCore/parse_header.c
+++ b/src/lib/OpenEXRCore/parse_header.c
@@ -422,6 +422,8 @@ extract_attr_float_vector (
 if (rv == EXR_ERR_SUCCESS && n > 0)
 {
+ /* in case of duplicate attr name in header (mostly fuzz testing) */
+ exr_attr_float_vector_destroy ((exr_context_t) ctxt, attrdata);
 rv = exr_attr_float_vector_init ((exr_context_t) ctxt, attrdata, n);
 if (rv != EXR_ERR_SUCCESS) return rv;
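Review bot: The destroy-before-init added here makes the later occurrence of a duplicate attribute name silently win, so the value a reader ends up with depends on attribute order in an input that is already malformed; rejecting the duplicate at the point the name is looked up (the `validate_attr_arguments` path touched by the first patch already reports a related case) would close the whole leak class for every attribute type instead of patching float vector, opaque, preview and chlist one at a time. The unconditional destroy also relies on `attrdata` being either zero-initialized or holding a previous valid allocation when this function runs — presumably the attribute list hands it out zeroed, which this hunk cannot confirm — and the same precondition applies to the extract_attr_opaque, extract_attr_preview and check_populate_channels hunks below. That precondition is worth stating in the comment: `/* attrdata must be zeroed or a previously initialized value: a duplicate attribute name in the header replaces the earlier value, so release its buffer before re-init */`. extract_attr_float_vector starts above and continues below the hunk.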
@@ -561,14 +563,17 @@ extract_attr_string_vector (
 pulled += nlen;
 }
+ // just in case someone injected a duplicate attribute name into the header
+ exr_attr_string_vector_destroy ((exr_context_t) ctxt, attrdata);
 attrdata->n_strings = nstr;
 attrdata->alloc_size = nalloced;
 attrdata->strings = clist;
- return 0;
+ return EXR_ERR_SUCCESS;
 extract_string_vector_fail:
 for (int32_t i = 0; i < nstr; ++i)
 exr_attr_string_destroy ((exr_context_t) ctxt, clist + i);
 if (clist) ctxt->free_fn (clist);
+ return rv;
 }
@@ -639,6 +644,7 @@ extract_attr_opaque (
 rv = check_bad_attrsz (ctxt, attrsz, 1, aname, tname, &n);
 if (rv != EXR_ERR_SUCCESS) return rv;
+ exr_attr_opaquedata_destroy ((exr_context_t) ctxt, attrdata);
 rv = exr_attr_opaquedata_init (
 (exr_context_t) ctxt, attrdata, (uint64_t) attrsz);
 if (rv != EXR_ERR_SUCCESS) return rv;
@@ -715,6 +721,7 @@ extract_attr_preview (
 sz[1]);
 }
+ exr_attr_preview_destroy ((exr_context_t) ctxt, attrdata);
 rv = exr_attr_preview_init ((exr_context_t) ctxt, attrdata, sz[0], sz[1]);
 if (rv != EXR_ERR_SUCCESS) return rv;
@@ -772,6 +779,7 @@ check_populate_channels (
 0,
 NULL,
 &(curpart->channels));
+
 if (rv != EXR_ERR_SUCCESS)
 {
 exr_attr_chlist_destroy ((exr_context_t) ctxt, &tmpchans);
@@ -782,6 +790,7 @@ check_populate_channels (
 EXR_REQ_CHANNELS_STR);
 }
+ exr_attr_chlist_destroy ((exr_context_t) ctxt, curpart->channels->chlist);
 *(curpart->channels->chlist) = tmpchans;
 return rv;
 }
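Review bot: The new `return rv;` at extract_string_vector_fail reports success while `clist` has just been freed if any `goto extract_string_vector_fail` site leaves `rv` at EXR_ERR_SUCCESS; every jump site lies above this hunk, so that cannot be checked here and deserves a comment on the label, e.g. `/* every goto here must have set rv to the failure code first */`. Before this patch the cleanup path simply ran off the end of a non-void function, so adding the return is the right fix, and `return EXR_ERR_SUCCESS;` in place of `return 0;` matches the result codes used elsewhere in the file. One style point: the new comment uses `//` while the float-vector hunk in the same patch uses `/* */`; the file's existing comment style should decide which. extract_attr_string_vector starts above the hunk.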