Backport fix for CVE-2026-34544 in OpenEXRCore

cary-ilm · pixar-oss · commit 6e96fe123b8e · 2026-04-06T14:03:39.000-07:00
This backports AcademySoftwareFoundation/openexr@35e7aa3 from OpenEXR upstream to address https://www.cve.org/CVERecord?id=CVE-2026-34544 and GHSA-h762-rhv3-h25v. Closes #4028 (Internal change: 2403675)
diff --git a/pxr/imaging/plugin/hioOpenEXR/OpenEXR/OpenEXRCore/internal_b44.c b/pxr/imaging/plugin/hioOpenEXR/OpenEXR/OpenEXRCore/internal_b44.c
@@ -390,13 +390,13 @@ compress_b44_impl (exr_encode_pipeline_t* encode, int flat_field)
             // rightmost column and the bottom row.
             //
             uint16_t *row0, *row1, *row2, *row3;
+            /* row offset in elements: use uint64_t so y*nx cannot overflow int */
+            uint64_t row_off = (uint64_t) (y) * (uint64_t) (nx);
 
-            row0 = (uint16_t*) scratch;
-            row0 += y * nx;
-
-            row1 = row0 + nx;
-            row2 = row1 + nx;
-            row3 = row2 + nx;
+            row0 = (uint16_t*) scratch + row_off;
+            row1 = row0 + (uint64_t) nx;
+            row2 = row1 + (uint64_t) nx;
+            row3 = row2 + (uint64_t) nx;
 
             if (y + 3 >= ny)
             {
@@ -512,11 +512,12 @@ uncompress_b44_impl (
 
         for (int y = 0; y < ny; y += 4)
         {
-            row0 = (uint16_t*) scratch;
-            row0 += y * nx;
-            row1 = row0 + nx;
-            row2 = row1 + nx;
-            row3 = row2 + nx;
+            /* row offset in elements: use uint64_t so y*nx cannot overflow int */
+            uint64_t row_off = (uint64_t) (y) * (uint64_t) (nx);
+            row0 = (uint16_t*) scratch + row_off;
+            row1 = row0 + (uint64_t) nx;
+            row2 = row1 + (uint64_t) nx;
+            row3 = row2 + (uint64_t) nx;
             for (int x = 0; x < nx; x += 4)
             {
                 if (bIn + 3 > comp_buf_size) return EXR_ERR_OUT_OF_MEMORY;
