Skip to content

Fix HTJ2K channel map permutation validation#2515

Open
cary-ilm wants to merge 1 commit into
AcademySoftwareFoundation:mainfrom
cary-ilm:fix-8ggg-fhxp-95p9
Open

Fix HTJ2K channel map permutation validation#2515
cary-ilm wants to merge 1 commit into
AcademySoftwareFoundation:mainfrom
cary-ilm:fix-8ggg-fhxp-95p9

Conversation

@cary-ilm

Copy link
Copy Markdown
Member

Validate that the channel map is a true permutation of [0, channel_count): range check alone permitted duplicate file_index values, leaving channels unwritten in the scratch buffer and returning stale heap data.

Addresses https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-8ggg-fhxp-95p9

Validate that the channel map is a true permutation of [0, channel_count):
range check alone permitted duplicate file_index values, leaving channels
unwritten in the scratch buffer and returning stale heap data.

Addresses https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-8ggg-fhxp-95p9

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Cary Phillips <cary@ilm.com>
@cary-ilm cary-ilm requested a review from palemieux June 29, 2026 14:17

@palemieux palemieux left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is a malformed header, it should be addressed in read_header () at src/lib/OpenEXRCore/internal_ht_common.cpp

if (static_cast<std::size_t>(decode->channel_count) != cs_to_file_ch.size ())
return EXR_ERR_CORRUPT_CHUNK;

std::vector<bool> seen (decode->channel_count, false);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ideally, we'd avoid an additional memory alloc here - we could put the seen flag into the CodestreamChannelInfo struct which is internal, which would reduce it back to just the one alloc in the vector of those (and in #2440 I put that vector into the context object to avoid an allocation every decode)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can reduce the number of new allocations to one: see #2516.

I am not super excited to add scratch fields, which are hard to maintain and explain.

@palemieux

Copy link
Copy Markdown
Collaborator

See #2516 for an alternative where the check is moved to the point where the header is read (since this is a malformed header issue).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants