Merge branch 'main' into dependabot/github_actions/github/codeql-action-4.35.4

Author: cary-ilm

.readthedocs.yml

@@ -11,7 +11,8 @@ version: 2
 build:
   os: "ubuntu-22.04"
   tools:
-    python: "3.9"
+    # urllib3>=2.7 (website/requirements.txt) requires Python >=3.10
+    python: "3.11"
 
 sphinx:
   configuration: website/conf.py

CHANGES.md

@@ -3,6 +3,7 @@
 
 # OpenEXR Release Notes
 
+* [Version 3.4.11](#version-3411-april-29-2026) April 29, 2026
 * [Version 3.4.10](#version-3410-april-17-2026) April 17, 2026
 * [Version 3.4.9](#version-349-april--3-2026) April  3, 2026
 * [Version 3.4.8](#version-348-march-26-2026) March 26, 2026
@@ -14,6 +15,7 @@
 * [Version 3.4.2](#version-342-october-15-2025) October 15, 2025
 * [Version 3.4.1](#version-341-october-8-2025) October 8, 2025
 * [Version 3.4.0](#version-340-september-5-2025) September 5, 2025
+* [Version 3.3.11](#version-3311-april-29-2026) April 29, 2026
 * [Version 3.3.10](#version-339-april-17-2026) April 17, 2026
 * [Version 3.3.9](#version-339-april--4-2026) April  4, 2026
 * [Version 3.3.8](#version-338-march-1-2026) March 1, 2026
@@ -25,6 +27,7 @@
 * [Version 3.3.2](#version-332-november-11-2024) November 11, 2024
 * [Version 3.3.1](#version-331-october-8-2024) October 8, 2024
 * [Version 3.3.0](#version-330-september-30-2024) September 30, 2024
+* [Version 3.2.9](#version-329-april-29-2026) April 29, 2026
 * [Version 3.2.8](#version-328-april-17-2026) April 17, 2026
 * [Version 3.2.7](#version-327-april-3-2026) April 3, 2026
 * [Version 3.2.6](#version-326-march-1-2026) March 1, 2026
@@ -100,6 +103,68 @@
 * [Version 1.0.1](#version-101)
 * [Version 1.0](#version-10)
 
+## Version 3.4.11 (April 29, 2026)
+
+Patch release that addresses the following security vulnerabilities:
+
+* [CVE-2026-42217](https://www.cve.org/CVERecord?id=CVE-2026-42217)
+Shift exponent overflow in `readVariableLengthInteger()` (`ImfIDManifest.cpp`)
+* [CVE-2026-42216](https://www.cve.org/CVERecord?id=CVE-2026-42216)
+Out-of-bounds read in `IDManifest::init()` during prefix expansion
+* [CVE-2026-41142](https://www.cve.org/CVERecord?id=CVE-2026-41142)
+Integer overflow in `ImageChannel::resize` leads to heap OOB write via OpenEXRUtil public API
+
+Also:
+
+* OSS-fuzz [504280155](https://issues.oss-fuzz.com/issues/504280155)
+Heap-buffer-overflow in `DwaCompressor_uncompress`
+* OSS-fuzz [505062709](https://issues.oss-fuzz.com/issues/505062709)
+Null-dereference READ in `Imf_3_3::prefixFromLayerName`
+
+Build fixes:
+
+- Fix Windows ARM64EC build issues and correct SIMD ARM NEON path for ARM64/EC
+
+Also, some minor documentation updates:
+
+- GitHub Security Advisories are the preferred way of reporting
+  vulnerabilities, not email.
+- Some clarification around handling of UFT-8 of file paths
+
+### Merged Pull Requests
+
+* [2383](https://github.com/AcademySoftwareFoundation/openexr/pull/2383)
+validate that the uncompressed sizes recorded in the dwa header are valid
+* [2382](https://github.com/AcademySoftwareFoundation/openexr/pull/2382)
+Fix Null-dereference READ in prefixFromLayerName
+* [2378](https://github.com/AcademySoftwareFoundation/openexr/pull/2378)
+Harden IDManifest parsing against illegal shift and string prefix OOB
+* [2377](https://github.com/AcademySoftwareFoundation/openexr/pull/2377)
+Fix OOB read when expanding IDManifest prefix-compressed strings
+* [2375](https://github.com/AcademySoftwareFoundation/openexr/pull/2375)
+Minor changes to website index page to make some sentences clearer. A…
+* [2368](https://github.com/AcademySoftwareFoundation/openexr/pull/2368)
+Add release notes and news for v3.4.10, v3.3.10, v3.2.8
+* [2367](https://github.com/AcademySoftwareFoundation/openexr/pull/2367)
+Fix int overflow in ImageChannel::resize pixel count
+* [2364](https://github.com/AcademySoftwareFoundation/openexr/pull/2364)
+Recommend GH Security Advisories for vulnerability reporting
+* [2361](https://github.com/AcademySoftwareFoundation/openexr/pull/2361)
+Add documentation and test for UTF-8 file paths
+* [2344](https://github.com/AcademySoftwareFoundation/openexr/pull/2344)
+Fix Windows ARM64EC build issues and correct SIMD ARM NEON path for ARM64/EC
+
+### Merged Workflow Pull Requests
+
+* [2370](https://github.com/AcademySoftwareFoundation/openexr/pull/2370)
+Bump msys2/setup-msys2 from 2.31.0 to 2.31.1
+* [2366](https://github.com/AcademySoftwareFoundation/openexr/pull/2366)
+Add workflow dispatch trigger to release-sign.yml
+* [2363](https://github.com/AcademySoftwareFoundation/openexr/pull/2363)
+Bump vmactions/freebsd-vm from 1.4.4 to 1.4.5
+* [2362](https://github.com/AcademySoftwareFoundation/openexr/pull/2362)
+Bump github/codeql-action from 4.35.1 to 4.35.2
+
 ## Version 3.4.10 (April 17, 2026)
 
 Patch release that addresses the following security vulnerabilities:
@@ -255,40 +320,44 @@ Patch release bug/build fixes:
 * Fix build failure with glibc 2.43
 * Fix Windows symbol visibility warnings
 
+Full changelog: [v3.4.6..v3.4.7](https://github.com/AcademySoftwareFoundation/openexr/compare/v3.4.6..v3.4.7)
+
 This version addresses the following security vulnerabilities:
 
 * [CVE-2026-34545](https://www.cve.org/CVERecord?id=CVE-2026-34545)
   integer overflow lead to OOB in HTJ2K decoder
 
-### Merged Pull Requests:
-
-* [2292](https://github.com/AcademySoftwareFoundation/openexr/pull/2292)
-Bump actions/download-artifact from 8.0.0 to 8.0.1
+### Merged Pull Requests
 
 * [2291](https://github.com/AcademySoftwareFoundation/openexr/pull/2291)
 Fix integer overflow in htj2k decode with width > 32767
 
-* [2289](https://github.com/AcademySoftwareFoundation/openexr/pull/2289)
-Bump scikit-build-core from 0.12.1 to 0.12.2
-
-* [2288](https://github.com/AcademySoftwareFoundation/openexr/pull/2288)
-Bump jmertic/slack-release-notifier from 6fa159048d5313ff1177d248ad84beb627571670 to 35fad060af5559c24decdec0f701e6ba93566704
-
-* [2287](https://github.com/AcademySoftwareFoundation/openexr/pull/2287)
-Bump pypa/cibuildwheel from 3.3 to 3.4
-
 * [2283](https://github.com/AcademySoftwareFoundation/openexr/pull/2283)
 update SECURITY with CVE info for PR #2256
 
 * [2282](https://github.com/AcademySoftwareFoundation/openexr/pull/2282)
-Remove website_preview_link workflow
+Remove `website_preview_link` workflow
 
 * [2281](https://github.com/AcademySoftwareFoundation/openexr/pull/2281)
 Disable visibility attributes on Windows to fix msys2 -Wattributes warning
 
 * [2262](https://github.com/AcademySoftwareFoundation/openexr/pull/2262)
 Fix build failure with glibc 2.43 due to C11 threads.h conflicts
 
+### Merged Workflow Pull Requests
+
+* [2292](https://github.com/AcademySoftwareFoundation/openexr/pull/2292)
+Bump actions/download-artifact from 8.0.0 to 8.0.1
+
+* [2289](https://github.com/AcademySoftwareFoundation/openexr/pull/2289)
+Bump scikit-build-core from 0.12.1 to 0.12.2
+
+* [2288](https://github.com/AcademySoftwareFoundation/openexr/pull/2288)
+Bump jmertic/slack-release-notifier from 6fa159048d5313ff1177d248ad84beb627571670 to 35fad060af5559c24decdec0f701e6ba93566704
+
+* [2287](https://github.com/AcademySoftwareFoundation/openexr/pull/2287)
+Bump pypa/cibuildwheel from 3.3 to 3.4
+
 ## Version 3.4.6 (March 1, 2026)
 
 Patch release with several bug fixes, enhancements, and build improvements.
@@ -867,6 +936,34 @@ Fetch master branch of libdeflate on main
 * [1852](https://github.com/AcademySoftwareFoundation/openexr/pull/1852)
 Add an option to use TBB as the global provider
 
+## Version 3.3.11 (April 29, 2026)
+
+Patch release for 3.3 that addresses the following security
+vulnerabilities:
+
+* [CVE-2026-42217](https://www.cve.org/CVERecord?id=CVE-2026-42217)
+Shift exponent overflow in `readVariableLengthInteger()` (`ImfIDManifest.cpp`)
+* [CVE-2026-42216](https://www.cve.org/CVERecord?id=CVE-2026-42216)
+Out-of-bounds read in `IDManifest::init()` during prefix expansion
+* [CVE-2026-41142](https://www.cve.org/CVERecord?id=CVE-2026-41142)
+Integer overflow in `ImageChannel::resize` leads to heap OOB write via OpenEXRUtil public API
+
+Also:
+
+* OSS-fuzz [504280155](https://issues.oss-fuzz.com/issues/504280155)
+Heap-buffer-overflow in `DwaCompressor_uncompress`
+
+### Merged Pull Requests
+
+* [2383](https://github.com/AcademySoftwareFoundation/openexr/pull/2383)
+validate that the uncompressed sizes recorded in the dwa header are valid
+* [2378](https://github.com/AcademySoftwareFoundation/openexr/pull/2378)
+Harden IDManifest parsing against illegal shift and string prefix OOB
+* [2377](https://github.com/AcademySoftwareFoundation/openexr/pull/2377)
+Fix OOB read when expanding IDManifest prefix-compressed strings
+* [2367](https://github.com/AcademySoftwareFoundation/openexr/pull/2367)
+Fix int overflow in ImageChannel::resize pixel count
+
 ## Version 3.3.10 (April 17, 2026)
 
 Patch release that addresses the following security vulnerabilities:
@@ -1564,6 +1661,34 @@ Fix macOS arm64 build
 Propagate dwa core 3 1
 * [1418](https://github.com/AcademySoftwareFoundation/openexr/pull/1418)
 
+## Version 3.2.9 (April 29, 2026)
+
+Patch release for 3.2 that addresses the following security
+vulnerabilities:
+
+* [CVE-2026-42217](https://www.cve.org/CVERecord?id=CVE-2026-42217)
+Shift exponent overflow in `readVariableLengthInteger()` (`ImfIDManifest.cpp`)
+* [CVE-2026-42216](https://www.cve.org/CVERecord?id=CVE-2026-42216)
+Out-of-bounds read in `IDManifest::init()` during prefix expansion
+* [CVE-2026-41142](https://www.cve.org/CVERecord?id=CVE-2026-41142)
+Integer overflow in `ImageChannel::resize` leads to heap OOB write via OpenEXRUtil public API
+
+Also:
+
+* OSS-fuzz [504280155](https://issues.oss-fuzz.com/issues/504280155)
+Heap-buffer-overflow in `DwaCompressor_uncompress`
+
+### Merged Pull Requests
+
+* [2383](https://github.com/AcademySoftwareFoundation/openexr/pull/2383)
+validate that the uncompressed sizes recorded in the dwa header are valid
+* [2378](https://github.com/AcademySoftwareFoundation/openexr/pull/2378)
+Harden IDManifest parsing against illegal shift and string prefix OOB
+* [2377](https://github.com/AcademySoftwareFoundation/openexr/pull/2377)
+Fix OOB read when expanding IDManifest prefix-compressed strings
+* [2367](https://github.com/AcademySoftwareFoundation/openexr/pull/2367)
+Fix int overflow in ImageChannel::resize pixel count
+
 ## Version 3.2.8 (April 17, 2026)
 
 Patch release that addresses the following security vulnerabilities:

MODULE.bazel

@@ -9,6 +9,6 @@ module(
 bazel_dep(name = "bazel_skylib", version = "1.9.0")
 bazel_dep(name = "imath", version = "3.2.2.bcr.1")
 bazel_dep(name = "libdeflate", version = "1.25")
-bazel_dep(name = "openjph", version = "0.26.3.bcr.1")
+bazel_dep(name = "openjph", version = "0.27.0")
 bazel_dep(name = "platforms", version = "1.1.0")
 bazel_dep(name = "rules_cc", version = "0.2.18")

SECURITY.md

@@ -20,6 +20,10 @@ rapidly and post patches within 14 days if possible.
 
 | CVE | Affected Versions | Patched Versions |
 | --- | ----------------- | ---------------- |
+
+| [CVE-2026-42217](https://www.cve.org/CVERecord?id=CVE-2026-42217) | 3.2.0–3.2.8, 3.3.0–3.3.10, 3.4.0–3.4.10 | 3.2.9, 3.3.11, 3.4.11 |
+| [CVE-2026-42216](https://www.cve.org/CVERecord?id=CVE-2026-42216) | 3.2.0–3.2.8, 3.3.0–3.3.10, 3.4.0–3.4.10 | 3.2.9, 3.3.11, 3.4.11 |
+| [CVE-2026-41142](https://www.cve.org/CVERecord?id=CVE-2026-41142) | 3.2.0–3.2.8, 3.3.0–3.3.10, 3.4.0–3.4.10 | 3.2.9, 3.3.11, 3.4.11 |
 | [CVE-2026-40250](https://www.cve.org/CVERecord?id=CVE-2026-40250) | 3.2.0–3.2.7, 3.3.0–3.3.9, 3.4.0–3.4.9 | 3.2.8, 3.3.10, 3.4.10 |
 | [CVE-2026-40244](https://www.cve.org/CVERecord?id=CVE-2026-40244) | 3.2.0–3.2.7, 3.3.0–3.3.9, 3.4.0–3.4.9 | 3.2.8, 3.3.10, 3.4.10 |
 | [CVE-2026-39886](https://www.cve.org/CVERecord?id=CVE-2026-39886) | 3.4.0–3.4.9 | 3.4.10 |

src/lib/OpenEXR/ImfCompression.cpp

@@ -180,13 +180,13 @@ static const CompressionDesc IdToDesc[] = {
         "htj2k256",
         "High-Throughput JPEG 2000 (256 lines)",
         256,
-        true,
+        false,
         false),
     CompressionDesc (
         "htj2k32",
         "High-Throughput JPEG 2000 (32 lines)",
         32,
-        true,
+        false,
         false),
 };
 // clang-format on

src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp

@@ -617,6 +617,21 @@ DeepScanLineInputFile::Data::readMemData (
     std::vector<DeepSlice> fills;
     ScanLineProcess proc;
 
+    if (countsOnly)
+    {
+        const Slice& scslice = fb.getSampleCountSlice ();
+        if (!scslice.base)
+        {
+            throw IEX_NAMESPACE::ArgExc (
+                "Invalid base pointer, please set a proper sample count slice.");
+        }
+        if (scslice.type != OPENEXR_IMF_INTERNAL_NAMESPACE::UINT)
+        {
+            throw IEX_NAMESPACE::ArgExc (
+                "The type of sample count slice should be UINT.");
+        }
+    }
+
     if (!countsOnly)
         prepFillList(fb, fills);
 
@@ -986,6 +1001,17 @@ void ScanLineProcess::copy_sample_count (
 {
     const Slice& scslice = outfb->getSampleCountSlice ();
 
+    if (!scslice.base)
+    {
+        throw IEX_NAMESPACE::ArgExc (
+            "Invalid base pointer, please set a proper sample count slice.");
+    }
+    if (scslice.type != OPENEXR_IMF_INTERNAL_NAMESPACE::UINT)
+    {
+        throw IEX_NAMESPACE::ArgExc (
+            "The type of sample count slice should be UINT.");
+    }
+
     int     end = cinfo.height - decoder.user_line_end_ignore;
     int64_t xS = int64_t (scslice.xStride);
     int64_t yS = int64_t (scslice.yStride);

src/lib/OpenEXR/ImfDeepTiledInputFile.cpp

@@ -279,6 +279,18 @@ DeepTiledInputFile::setFrameBuffer (const DeepFrameBuffer& frameBuffer)
                        "subsampling factors.");
     }
 
+    const Slice& sampleCountSlice = frameBuffer.getSampleCountSlice ();
+    if (!sampleCountSlice.base)
+    {
+        throw IEX_NAMESPACE::ArgExc (
+            "Invalid base pointer, please set a proper sample count slice.");
+    }
+    if (sampleCountSlice.type != UINT)
+    {
+        throw IEX_NAMESPACE::ArgExc (
+            "The type of sample count slice should be UINT.");
+    }
+
     _data->frameBuffer = frameBuffer;
     _data->frameBufferValid = true;
 }
@@ -1199,6 +1211,14 @@ void TileProcess::copy_sample_count (
     if (s.xSampling != 1 || s.ySampling != 1)
         throw IEX_NAMESPACE::ArgExc ("Tiled data should not have subsampling.");
 
+    if (s.base == nullptr)
+        throw IEX_NAMESPACE::ArgExc (
+            "Deep frame buffer is missing sample counts; call insertSampleCountSlice before reading.");
+
+    if (s.type != UINT)
+        throw IEX_NAMESPACE::ArgExc (
+            "The type of sample count slice should be UINT.");
+
     int xOffset = s.xTileCoords ? 0 : t_absX;
     int yOffset = s.yTileCoords ? 0 : t_absY;
 

src/lib/OpenEXR/ImfMisc.h

@@ -438,6 +438,7 @@ int getChunkOffsetTableSize (const Header& header);
 // Convert a UTF-8 filename to a wide string (for example for Windows APIs).
 //
 
+OPENEXR_DEPRECATED ("To be removed in future releases.")
 IMF_EXPORT
 std::wstring WidenFilename (const char* filename);
 

src/lib/OpenEXRCore/internal_ht.cpp

@@ -204,12 +204,25 @@ ht_undo_impl (
 
     ojph::ui32 image_height =
         siz.get_image_extent ().y - siz.get_image_offset ().y;
+    ojph::ui32 image_width =
+        siz.get_image_extent ().x - siz.get_image_offset ().x;
 
-    if (decode->chunk.width != siz.get_image_extent ().x - siz.get_image_offset ().x
+    if (decode->chunk.width != image_width
         || decode->chunk.height != image_height
         || decode->channel_count != siz.get_num_components())
         return EXR_ERR_CORRUPT_CHUNK;
 
+    for (int cs_i = 0; cs_i < decode->channel_count; cs_i++)
+    {
+        int file_i = cs_to_file_ch[cs_i].file_index;
+
+        if (decode->channels[file_i].height != siz.get_recon_height (cs_i) ||
+            decode->channels[file_i].width != siz.get_recon_width (cs_i) ||
+            decode->channels[file_i].height != image_height / siz.get_downsampling (cs_i).y ||
+            decode->channels[file_i].width != image_width / siz.get_downsampling (cs_i).x)
+            return EXR_ERR_CORRUPT_CHUNK;
+    }
+
     int64_t bpl     = 0;
     bool is_planar  = false;
     for (int16_t c = 0; c < decode->channel_count; c++)
@@ -235,9 +248,6 @@ ht_undo_impl (
         for (int16_t c = 0; c < decode->channel_count; c++)
         {
             int file_c = cs_to_file_ch[c].file_index;
-            assert (
-                siz.get_recon_height (c) == decode->channels[file_c].height);
-            assert (decode->channels[file_c].width == siz.get_recon_width (c));
 
             if (decode->channels[file_c].height == 0) continue;