From 4870b77eb0f859b07e3dac5d6c662bfdcd725dfd Mon Sep 17 00:00:00 2001
From: Peter Hillman <peterh@wetafx.co.nz>
Date: Tue, 9 Jul 2019 21:34:54 +1200
Subject: [PATCH 1/3] Fix for #263: prevent overflow in multipart chunk offset
 table reconstruction

---
 OpenEXR/IlmImf/ImfMultiPartInputFile.cpp | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp b/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp
index 55bdcaa1e4..7a019203d6 100644
--- a/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp
+++ b/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp
@@ -511,7 +511,7 @@ MultiPartInputFile::Data::chunkOffsetReconstruction(OPENEXR_IMF_INTERNAL_NAMESPA
     
     vector<TileOffsets*> tileOffsets(parts.size());
     
-    // for scanline-based parts, number of scanlines in each part
+    // for scanline-based parts, number of scanlines in each chunk
     vector<int> rowsizes(parts.size());
         
     for(size_t i = 0 ; i < parts.size() ; i++)
@@ -639,13 +639,18 @@ MultiPartInputFile::Data::chunkOffsetReconstruction(OPENEXR_IMF_INTERNAL_NAMESPA
                 int y_coordinate;
                 OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, y_coordinate);
                 
+                
+                if(y_coordinate < header.dataWindow().min.y || y_coordinate > header.dataWindow().max.y)
+                {
+                    // bail to exception catcher: y out of range. Test now to prevent overflow in following arithmetic
+                   throw int();
+                }
                 y_coordinate -= header.dataWindow().min.y;
                 y_coordinate /= rowsizes[partNumber];   
                 
                 if(y_coordinate < 0 || y_coordinate >= int(parts[partNumber]->chunkOffsets.size()))
                 {
-                    //std::cout << "aborting reconstruction: bad data " << y_coordinate << endl;
-                    //bail to exception catcher: broken scanline
+                    //bail to exception catcher: broken scanline: out of range of chunk table size
                     throw int();
                 }
                 

From 5fb54802ba16db3cf4e0a8d0b15e5e6136eabea9 Mon Sep 17 00:00:00 2001
From: Peter Hillman <peterh@wetafx.co.nz>
Date: Thu, 11 Jul 2019 10:11:41 +1200
Subject: [PATCH 2/3] throw better exceptions in multipart chunk reconstruction

---
 OpenEXR/IlmImf/ImfMultiPartInputFile.cpp | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp b/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp
index 7a019203d6..1a375f1601 100644
--- a/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp
+++ b/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp
@@ -573,8 +573,7 @@ MultiPartInputFile::Data::chunkOffsetReconstruction(OPENEXR_IMF_INTERNAL_NAMESPA
             
             if(partNumber<0 || partNumber>int(parts.size()))
             {
-                // bail here - bad part number
-                throw int();
+                throw IEX_NAMESPACE::IoExc("part number out of range");
             }
             
             Header& header = parts[partNumber]->header;
@@ -601,14 +600,13 @@ MultiPartInputFile::Data::chunkOffsetReconstruction(OPENEXR_IMF_INTERNAL_NAMESPA
                 {
                     // this shouldn't actually happen - we should have allocated a valid
                     // tileOffsets for any part which isTiled
-                    throw int();
+                    throw IEX_NAMESPACE::IoExc("part not tiled");
                     
                 }
                 
                 if(!tileOffsets[partNumber]->isValidTile(tilex,tiley,levelx,levely))
                 {
-                    //std::cout << "invalid tile : aborting\n";
-                    throw int();
+                    throw IEX_NAMESPACE::IoExc("invalid tile coordinates");
                 }
                 
                 (*tileOffsets[partNumber])(tilex,tiley,levelx,levely)=chunk_start;
@@ -642,20 +640,17 @@ MultiPartInputFile::Data::chunkOffsetReconstruction(OPENEXR_IMF_INTERNAL_NAMESPA
                 
                 if(y_coordinate < header.dataWindow().min.y || y_coordinate > header.dataWindow().max.y)
                 {
-                    // bail to exception catcher: y out of range. Test now to prevent overflow in following arithmetic
-                   throw int();
+                   throw IEX_NAMESPACE::IoExc("y out of range");
                 }
                 y_coordinate -= header.dataWindow().min.y;
                 y_coordinate /= rowsizes[partNumber];   
                 
                 if(y_coordinate < 0 || y_coordinate >= int(parts[partNumber]->chunkOffsets.size()))
                 {
-                    //bail to exception catcher: broken scanline: out of range of chunk table size
-                    throw int();
+                   throw IEX_NAMESPACE::IoExc("chunk index out of range");
                 }
                 
                 parts[partNumber]->chunkOffsets[y_coordinate]=chunk_start;
-                //std::cout << "chunk_start for " << y_coordinate << ':' << chunk_start << std::endl;
                 
                 if(header.type()==DEEPSCANLINE)
                 {
@@ -683,8 +678,6 @@ MultiPartInputFile::Data::chunkOffsetReconstruction(OPENEXR_IMF_INTERNAL_NAMESPA
             
             chunk_start+=size_of_chunk;
             
-            //std::cout << " next chunk +"<<size_of_chunk << " = " << chunk_start << std::endl;
-            
             is.seekg(chunk_start);
             
         }

From 53dcb3d94f6cb8af9a7493b9182bd188bf51e8c3 Mon Sep 17 00:00:00 2001
From: Peter Hillman <peterh@wetafx.co.nz>
Date: Thu, 11 Jul 2019 13:57:02 +1200
Subject: [PATCH 3/3] use static_cast in error test

---
 OpenEXR/IlmImf/ImfMultiPartInputFile.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp b/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp
index 1a375f1601..6a1fbfdd3b 100644
--- a/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp
+++ b/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp
@@ -571,7 +571,7 @@ MultiPartInputFile::Data::chunkOffsetReconstruction(OPENEXR_IMF_INTERNAL_NAMESPA
             
             
             
-            if(partNumber<0 || partNumber>int(parts.size()))
+            if(partNumber<0 || partNumber> static_cast<int>(parts.size()))
             {
                 throw IEX_NAMESPACE::IoExc("part number out of range");
             }