Backport fix for CVE-2026-34544 in OpenEXRCore#4028
Closed
musicinmybrain wants to merge 1 commit intoPixarAnimationStudios:devfrom
Closed
Backport fix for CVE-2026-34544 in OpenEXRCore#4028musicinmybrain wants to merge 1 commit intoPixarAnimationStudios:devfrom
musicinmybrain wants to merge 1 commit intoPixarAnimationStudios:devfrom
Conversation
…ationStudios#2312) The B44 and B44A decoder and encoder use channel width (`nx`) and height (`ny`) in row pointer math. `nx` and `ny` are `int`; the scratch buffer is correctly sized with `(uint64_t)ny * (uint64_t)nx * bytes_per_element`, but row bases were computed as: ``` row0 = (uint16_t*)scratch; row0 += y * nx; // int * int -> signed overflow when y*nx > INT_MAX ``` For large `nx` (e.g. 268435456), `y*nx` overflows, so `row0`/`row1`/`row2`/`row3` point before the scratch buffer. Fix: compute the row offset in `uint64_t` before pointer arithmetic in both `uncompress_b44_impl` (decoder) and `compress_b44_impl` (encoder). Analysis and solution with the help of Curor / Claude Opus 4.5 Signed-off-by: Cary Phillips <cary@ilm.com>
Contributor
|
Filed as internal issue #USD-12065 (This is an automated message. See here for more information.) |
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of Change(s)
This backports AcademySoftwareFoundation/openexr@35e7aa3 from OpenEXR upstream to address https://www.cve.org/CVERecord?id=CVE-2026-34544 / GHSA-h762-rhv3-h25v.
All I did was the following, in a git checkout of OpenUSD:
The following text is from the upstream commit message. Note that the upstream fix was LLM-assisted, but I did not use an LLM to backport it or to write this PR text.
Fix B44/B44A integer overflow: use uint64_t for row offset (#2312)
The B44 and B44A decoder and encoder use channel width (
nx) and height (ny) in row pointer math.nxandnyareint; the scratch buffer is correctly sized with(uint64_t)ny * (uint64_t)nx * bytes_per_element, but row bases were computed as:For large
nx(e.g. 268435456),y*nxoverflows, sorow0/row1/row2/row3point before the scratch buffer.Fix: compute the row offset in
uint64_tbefore pointer arithmetic in bothuncompress_b44_impl(decoder) andcompress_b44_impl(encoder).Analysis and solution with the help of Curor / Claude Opus 4.5
Fixes Issue(s)
N/A
Checklist
I have created this PR based on the dev branch
I have followed the coding conventions
I have added unit tests that exercise this functionality (Reference:
testing guidelines)
N/A; no new functionality
N/A; it is hard for me to run these locally
Contributor License Agreement instructions)