Merge branch 'AcademySoftwareFoundation:main' into R3D

Author: 1div0

.github/workflows/build-steps.yml

@@ -88,6 +88,9 @@ on:
         type: string
       build_local_deps:
         type: string
+      oiio_python_bindings_backend:
+        type: string
+        default: ''
     secrets:
         PASSED_GITHUB_TOKEN:
           required: false
@@ -136,6 +139,7 @@ jobs:
       OpenImageIO_BUILD_LOCAL_DEPS: ${{inputs.build_local_deps}}
       SETENVS: ${{inputs.setenvs}}
       DEPCMDS: ${{inputs.depcmds}}
+      OIIO_PYTHON_BINDINGS_BACKEND: ${{ inputs.oiio_python_bindings_backend }}
 
     steps:
       - name: install nodejs20glibc2.17

.github/workflows/ci.yml

@@ -353,8 +353,9 @@ jobs:
       # Override required_deps to be 'all' and explicitly list as optional
       # only the ones we are intentionally not testing for those jobs.
       required_deps: ${{ matrix.required_deps || 'all' }}
-      optional_deps: ${{ matrix.optional_deps || 'CUDAToolkit;DCMTK;JXL;Nuke;OpenGL;openjph;OpenVDB;Ptex;pystring;Qt5;R3DSDK;' }}${{matrix.optional_deps_append}}
+      optional_deps: ${{ matrix.optional_deps || 'CUDAToolkit;DCMTK;JXL;Nuke;OpenGL;openjph;OpenVDB;Ptex;pystring;Qt5;R3DSDK;Libheif;' }}${{matrix.optional_deps_append}}
       build_local_deps: ${{ matrix.build_local_deps }}
+      oiio_python_bindings_backend: ${{ matrix.oiio_python_bindings_backend || '' }}
     strategy:
       fail-fast: false
       matrix:
@@ -381,6 +382,7 @@ jobs:
 
           - desc: latest releases gcc13 C++20 py3.12 avx2 exr3.4 ocio2.4
             nametag: linux-latest-releases
+            oiio_python_bindings_backend: both
             runner: ubuntu-24.04
             cc_compiler: gcc-13
             cxx_compiler: g++-13
@@ -656,6 +658,7 @@ jobs:
       required_deps: ${{ matrix.required_deps || 'all' }}
       optional_deps: ${{ matrix.optional_deps || 'Nuke;R3DSDK;' }}${{matrix.optional_deps_append}}
       build_local_deps: ${{ matrix.build_local_deps }}
+      oiio_python_bindings_backend: ${{ matrix.oiio_python_bindings_backend || '' }}
     strategy:
       fail-fast: false
       matrix:
@@ -676,6 +679,7 @@ jobs:
           - desc: MacOS-14-ARM aclang15/C++20/py3.13
             runner: macos-14
             nametag: macos14-arm-py313
+            oiio_python_bindings_backend: both
             cc_compiler: /usr/bin/clang
             cxx_compiler: /usr/bin/clang++
             cxx_std: 20
@@ -739,6 +743,7 @@ jobs:
       required_deps: ${{ matrix.required_deps || 'all' }}
       optional_deps: ${{ matrix.optional_deps || 'BZip2;CUDAToolkit;DCMTK;FFmpeg;GIF;JXL;Libheif;LibRaw;Nuke;OpenCV;OpenGL;OpenJPEG;openjph;OpenCV;OpenVDB;Ptex;pystring;Qt5;Qt6;TBB;R3DSDK;${{matrix.optional_deps_append}}' }}
       build_local_deps: ${{ matrix.build_local_deps }}
+      oiio_python_bindings_backend: ${{ matrix.oiio_python_bindings_backend || '' }}
     strategy:
       fail-fast: false
       matrix:
@@ -753,6 +758,7 @@ jobs:
           - desc: Windows-2025 VS2022
             runner: windows-2025
             nametag: windows-2025
+            oiio_python_bindings_backend: both
             generator: "Visual Studio 17 2022"
             python_ver: "3.12"
             ctest_test_timeout: "240"

CHANGES.md

@@ -4,7 +4,7 @@
 
 cmake_minimum_required (VERSION 3.18.2...4.0)
 
-set (OpenImageIO_VERSION "3.2.0.1")
+set (OpenImageIO_VERSION "3.2.0.2")
 set (OpenImageIO_VERSION_OVERRIDE "" CACHE STRING
      "Version override (use with caution)!")
 mark_as_advanced (OpenImageIO_VERSION_OVERRIDE)

CMakeLists.txt

@@ -50,6 +50,15 @@ None known
 
 Most recent fixes listed first, more or less:
 
+- CVE yet to be assigned: Signed integer overflow in SwapRGBABytes loop index leads to out-of-bounds read/write in DPX ABGR decoder / [advisory](https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-g267-j53j-5258) / [Fix: PR5170](https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/5170) (Fixed in 3.0.18.1, 3.1.13.1)
+- CVE yet to be assigned: Signed integer overflow in ConvertCbYCrYToRGB leads to heap out-of-bounds write in DPX 4:2:2 decoder / [advisory](https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-2jr5-q49v-3858) / [Fix: PR5170](https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/5170) (Fixed in 3.0.18.1, 3.1.13.1)
+- CVE yet to be assigned: Integer overflow in QueryRGBBufferSizeInternal leads to heap out-of-bounds write in DPX decoder (kCbYCr and kABGR) / [advisory](https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-cq46-hp4h-cvfr) / [Fix: PR5170](https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/5170) (Fixed in 3.0.18.1, 3.1.13.1)
+- CVE yet to be assigned: Integer wraparound in bounds check of decode_pixel leads to out-of-bounds read in TGA paletted image decoder / [advisory](https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-mq8j-73c4-cr55) / [Fix: PR5165](https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/5165) (Fixed in 3.2.0.1, 3.1.13.0, 3.0.18.0)
+- CVE yet to be assigned: HEIF Heap overflow / [advisory](https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-gmrp-x952-3m66) / [Fix: PR5166](https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/5166) (Fixed in 3.2.0.1, 3.1.13.0, 3.0.18.0)
+- CVE yet to be assigned: JPEG2000 (OpenJPH) signed integer overflow in buffer allocation / [advisory](https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-pj45-cf3g-28gq) / [Fix: PR5143](https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/5143) (Fixed in 3.2.0.1, 3.1.13.0, 3.0.18.0)
+- CVE yet to be assigned: Softimage PIC RLE decoder heap buffer overflow — longCount not clamped to image width / [advisory](https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-4499-j545-7q33) / [Fix: PR5142](https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/5142) (Fixed in 3.2.0.1, 3.1.13.0, 3.0.18.0)
+- CVE yet to be assigned: SGI RLE decoder heap buffer overflow — OIIO_DASSERT bounds checks are no-ops in release builds / [advisory](https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-jg3q-vm3q-2j35) / [#5141](https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/5141) (Fixed in 3.2.0.1, 3.1.13.0, 3.0.18.0)
+- CVE-2026-7582: DDS Image ddsinput.cpp out-of-bounds write. [#5131](https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/5131) (Fixed in 3.2.0.1, 3.1.13.0, 3.0.18.0)
 - CVE-2024-40630: Fixed incorrect image size for certain HEIC files.
   [advisory](https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-jjm9-9m4m-c8p2) (Fixed in 2.5.13.1)
 - CVE-2023-42295: Fix signed integer overflow when computing total number of pixels while reading BMP files. [#3948](https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/3948) (by xiaoxiaoafeifei) (Fixed in 2.5.3.0/2.6.0.1)

SECURITY.md

@@ -25,6 +25,10 @@ if [[ "$USE_SIMD" != "" ]] ; then
     OIIO_CMAKE_FLAGS="$OIIO_CMAKE_FLAGS -DUSE_SIMD=$USE_SIMD"
 fi
 
+if [[ -n "${OIIO_PYTHON_BINDINGS_BACKEND:-}" ]] ; then
+    OIIO_CMAKE_FLAGS="$OIIO_CMAKE_FLAGS -DOIIO_PYTHON_BINDINGS_BACKEND=${OIIO_PYTHON_BINDINGS_BACKEND}"
+fi
+
 if [[ -n "$CODECOV" ]] ; then
     OIIO_CMAKE_FLAGS="$OIIO_CMAKE_FLAGS -DCODECOV=${CODECOV}"
 fi

src/build-scripts/ci-build.bash

@@ -0,0 +1,6 @@
+# CI-only: nanobind for CMake (`python -m nanobind --cmake_dir`). Used on Linux
+# (gh-installdeps) and Windows (gh-win-installdeps) with pip --require-hashes.
+# macOS CI uses `brew install nanobind` instead (install_homebrew_deps.bash).
+# When bumping pip pin: https://pypi.org/pypi/nanobind/<ver>/json → wheel sha256.
+nanobind==2.12.0 \
+    --hash=sha256:a10d3d88e691dcdf22696f9acd893fda3c5a05635763aea238829d274fcad480

src/build-scripts/ci-requirements-nanobind.txt

@@ -230,5 +230,16 @@ fi
 df -h .
 df -h /host/root || true
 
+# nanobind's CMake config is discovered via `python -m nanobind --cmake_dir`.
+# Version + wheel hash: src/build-scripts/ci-requirements-nanobind.txt (CodeQL / supply chain).
+if [[ "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "both" || "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "nanobind" ]] ; then
+    _oiio_nanobind_requirements_file="$PWD/src/build-scripts/ci-requirements-nanobind.txt"
+    if [[ "$ASWF_ORG" != ""  ]] ; then
+        time pip3 install -r "$_oiio_nanobind_requirements_file" --require-hashes || true
+    else
+        time pip3${PIP_SUFFIX} install -r "$_oiio_nanobind_requirements_file" --require-hashes
+    fi
+fi
+
 # Save the env for use by other stages
 src/build-scripts/save-env.bash

src/build-scripts/gh-installdeps.bash

@@ -39,6 +39,11 @@ elif [[ "$PYTHON_VERSION" == "3.14" ]] ; then
 fi
 pip install numpy
 
+if [[ "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "both" || "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "nanobind" ]] ; then
+    _oiio_nanobind_requirements_file="$PWD/src/build-scripts/ci-requirements-nanobind.txt"
+    "${Python_EXECUTABLE:-python}" -m pip install -r "$_oiio_nanobind_requirements_file" --require-hashes
+fi
+
 
 # In case we need vcpkg, example:
 # echo "All pre-installed VCPkg installs:"

src/build-scripts/gh-win-installdeps.bash

@@ -57,6 +57,9 @@ if [[ "$OIIO_BREW_INSTALL_PACKAGES" == "" ]] ; then
     if [[ "${USE_QT:=1}" != "0" ]] && [[ "${INSTALL_QT:=1}" != "0" ]] ; then
         OIIO_BREW_INSTALL_PACKAGES+=" qt${QT_VERSION}"
     fi
+    if [[ "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "both" || "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "nanobind" ]] ; then
+        OIIO_BREW_INSTALL_PACKAGES+=" nanobind"
+    fi
 fi
 brew install --display-times -q $OIIO_BREW_INSTALL_PACKAGES $OIIO_BREW_EXTRA_INSTALL_PACKAGES || true