Fix scenario where malformed dwa file could read past end of buffer (A…

…cademySoftwareFoundation#1439)

Fixes OSS-Fuzz 59382

Signed-off-by: Kimball Thurston <kdt3rd@gmail.com>

src/lib/OpenEXRCore/internal_dwa_compressor.h

@@ -789,9 +789,10 @@ DwaCompressor_uncompress (
     uint64_t compressedSize;
     const uint8_t* dataPtr;
     uint64_t       dataLeft;
-    uint8_t* outBufferEnd;
-    uint8_t* packedAcBufferEnd;
-    uint8_t* packedDcBufferEnd;
+    uint8_t*       outBufferEnd;
+    uint8_t*       packedAcBufferEnd;
+    uint8_t*       packedDcBufferEnd;
+    const uint8_t* dataPtrEnd;
     const uint8_t* compressedUnknownBuf;
     const uint8_t* compressedAcBuf;
     const uint8_t* compressedDcBuf;
@@ -829,6 +830,7 @@ DwaCompressor_uncompress (
     compressedSize = unknownCompressedSize + acCompressedSize +
         dcCompressedSize + rleCompressedSize;
 
+    dataPtrEnd = inPtr + iSize;
     dataPtr  = inPtr + headerSize;
     dataLeft = iSize - headerSize;
 
@@ -909,6 +911,18 @@ DwaCompressor_uncompress (
     compressedRleBuf =
         compressedDcBuf + (ptrdiff_t) (dcCompressedSize);
 
+    if (compressedUnknownBuf >= dataPtrEnd ||
+        dataPtr > compressedAcBuf ||
+        compressedAcBuf >= dataPtrEnd ||
+        dataPtr > compressedDcBuf ||
+        compressedDcBuf >= dataPtrEnd ||
+        dataPtr > compressedRleBuf ||
+        compressedRleBuf >= dataPtrEnd ||
+        (compressedRleBuf + rleCompressedSize) > dataPtrEnd)
+    {
+        return EXR_ERR_CORRUPT_CHUNK;
+    }
+
     //
     // Sanity check that the version is something we expect. Right now,
     // we can decode version 0, 1, and 2. v1 adds 'end of block' symbols