Fix HTJ2K channel map permutation validation#2515
Conversation
Validate that the channel map is a true permutation of [0, channel_count): range check alone permitted duplicate file_index values, leaving channels unwritten in the scratch buffer and returning stale heap data. Addresses https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-8ggg-fhxp-95p9 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Cary Phillips <cary@ilm.com>
palemieux
left a comment
There was a problem hiding this comment.
Since this is a malformed header, it should be addressed in read_header () at src/lib/OpenEXRCore/internal_ht_common.cpp
| if (static_cast<std::size_t>(decode->channel_count) != cs_to_file_ch.size ()) | ||
| return EXR_ERR_CORRUPT_CHUNK; | ||
|
|
||
| std::vector<bool> seen (decode->channel_count, false); |
There was a problem hiding this comment.
ideally, we'd avoid an additional memory alloc here - we could put the seen flag into the CodestreamChannelInfo struct which is internal, which would reduce it back to just the one alloc in the vector of those (and in #2440 I put that vector into the context object to avoid an allocation every decode)
There was a problem hiding this comment.
I think we can reduce the number of new allocations to one: see #2516.
I am not super excited to add scratch fields, which are hard to maintain and explain.
|
See #2516 for an alternative where the check is moved to the point where the header is read (since this is a malformed header issue). |
Validate that the channel map is a true permutation of [0, channel_count): range check alone permitted duplicate file_index values, leaving channels unwritten in the scratch buffer and returning stale heap data.
Addresses https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-8ggg-fhxp-95p9