PXR24: reject zlib output that does not match packed payload size (#2310)

cary-ilm · web-flow · commit c48f23ce68c2 · 2026-03-22T16:18:52.000-07:00
* PXR24: reject zlib output that does not match packed payload size

PXR24 stores zlib-compressed packed channel data (e.g. 3 bytes/sample
for float), while chunk `unpacked_size` is the native layout (4
bytes/sample).  After inflate, validate the decompressed length
against the packed byte count derived from the same geometry as
encode/decode, not `unpacked_size`.

A truncated-but-valid zlib stream previously produced success with a
short `actual_out` while the decoder advanced through scratch as if
the full packed block were present, reading uninitialized heap into
pixels.

Add `pxr24_packed_zlib_size()` (aligned with `apply_pxr24_impl`) and
require `outSize ==` that value after `exr_uncompress_buffer()`
succeeds.

Analysis and solution with the the help of Cursor / Claude Opus 4.5

Signed-off-by: Cary Phillips &lt;cary@ilm.com&gt;

* replace comparison to uncompressed_size with outSize

A simpler solution: remove `pxr24_packed_zlib_size()` entirely detect
corrupt chunks by comparing against `outSize` instead of
`uncompressed_size`.

Signed-off-by: Cary Phillips &lt;cary@ilm.com&gt;

---------

Signed-off-by: Cary Phillips &lt;cary@ilm.com&gt;
diff --git a/src/lib/OpenEXRCore/compression.c b/src/lib/OpenEXRCore/compression.c
@@ -201,7 +201,11 @@ exr_uncompress_buffer (
         }
         else if (res == LIBDEFLATE_SHORT_OUTPUT)
         {
-            /* TODO: is this an error? */
+            /* Decompression succeeded; *actual_out is the byte count. This is
+             * not an error when out_bytes_avail exceeds the true uncompressed
+             * size (e.g. PXR24/ZIP use padded scratch buffers). Callers that
+             * need an exact payload size must compare *actual_out (see e.g.
+             * undo_pxr24_impl). */
             return EXR_ERR_SUCCESS;
         }
         return EXR_ERR_CORRUPT_CHUNK;
diff --git a/src/lib/OpenEXRCore/internal_pxr24.c b/src/lib/OpenEXRCore/internal_pxr24.c
@@ -320,7 +320,7 @@ undo_pxr24_impl (
                     ptr[3] = lastIn;
                     lastIn += w;
 
-                    if (nDec + nBytes > uncompressed_size)
+                    if (nDec + nBytes > outSize)
                         return EXR_ERR_CORRUPT_CHUNK;
 
                     for (int x = 0; x < w; ++x)
@@ -347,7 +347,7 @@ undo_pxr24_impl (
                     ptr[1] = lastIn;
                     lastIn += w;
 
-                    if (nDec + nBytes > uncompressed_size)
+                    if (nDec + nBytes > outSize)
                         return EXR_ERR_CORRUPT_CHUNK;
 
                     for (int x = 0; x < w; ++x)
@@ -374,7 +374,7 @@ undo_pxr24_impl (
                     ptr[2] = lastIn;
                     lastIn += w;
 
-                    if (nDec + (uint64_t) (w * 3) > uncompressed_size)
+                    if (nDec + (uint64_t) (w * 3) > outSize)
                         return EXR_ERR_CORRUPT_CHUNK;
 
                     for (int x = 0; x < w; ++x)

Original file line number	Diff line number	Diff line change
`@@ -201,7 +201,11 @@ exr_uncompress_buffer (`
`201`	`201`	`}`
`202`	`202`	`else if (res == LIBDEFLATE_SHORT_OUTPUT)`
`203`	`203`	`{`
`204`		`- /* TODO: is this an error? */`
	`204`	`+ /* Decompression succeeded; *actual_out is the byte count. This is`
	`205`	`+ * not an error when out_bytes_avail exceeds the true uncompressed`
	`206`	`+ * size (e.g. PXR24/ZIP use padded scratch buffers). Callers that`
	`207`	`+ * need an exact payload size must compare *actual_out (see e.g.`
	`208`	`+ * undo_pxr24_impl). */`
`205`	`209`	`return EXR_ERR_SUCCESS;`
`206`	`210`	`}`
`207`	`211`	`return EXR_ERR_CORRUPT_CHUNK;`