Fix open ossfuzz 26 sept 2024 (#1850)
* always return if all we need are the sample counts

regardless of 0 sample counts or not, return if that is all we need, as
unpack buffers will not have been allocated for data

Signed-off-by: Kimball Thurston <[email protected]>

* do not allow string lengths larger than the remaining data within the string vector

Signed-off-by: Kimball Thurston <[email protected]>

* simplify safety check logic

The file size would have already been checked by the attrsz check, so
this check works implicitly, and works when the file size is not
available (streams)

Signed-off-by: Kimball Thurston <[email protected]>

---------

Signed-off-by: Kimball Thurston <[email protected]>
kdt3rd authored Sep 26, 2024
1 parent b2d8156 commit 80c69c9
Showing 2 changed files with 3 additions and 2 deletions.
3 changes: 2 additions & 1 deletion src/lib/OpenEXRCore/compression.c
Expand Up @@ -506,9 +506,10 @@ exr_uncompress_chunk (exr_decode_pipeline_t* decode)
decode->chunk.sample_count_table_size,
(uint64_t) sampsize);
}
if ((decode->decode_flags & EXR_DECODE_SAMPLE_DATA_ONLY)) return rv;
}

if ((decode->decode_flags & EXR_DECODE_SAMPLE_DATA_ONLY)) return rv;

if (rv == EXR_ERR_SUCCESS &&
decode->chunk.packed_size > 0 &&
decode->chunk.unpacked_size > 0)
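Review bot: The relocated early return at the end of this hunk is now unconditional, so it also fires when the preceding sample-count unpack left rv set to an error; that is correct because rv is what gets returned, but the reason the return must sit outside the sample-count block (no unpack buffers are allocated when only sample data is requested) lives only in the commit message. Suggest a one-line comment above the `if`, e.g. `/* sample-data-only decodes never allocate unpack buffers: nothing more to do */`, and the doubled parentheses in `if ((decode->decode_flags & EXR_DECODE_SAMPLE_DATA_ONLY))` can be reduced to a single pair.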
2 changes: 1 addition & 1 deletion src/lib/OpenEXRCore/parse_header.c
Expand Up @@ -607,7 +607,7 @@ extract_attr_string_vector (

pulled += sizeof (int32_t);
nlen = (int32_t) one_to_native32 ((uint32_t) nlen);
if (nlen < 0 || (ctxt->file_size > 0 && nlen > ctxt->file_size))
if (nlen < 0 || nlen > (attrsz - pulled))
{
rv = ctxt->print_error (
ctxt,
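Review bot: The new bound `nlen > (attrsz - pulled)` is only safe if that subtraction cannot wrap: `pulled` has just been advanced by `sizeof (int32_t)` on the line above, and neither the types of `attrsz` and `pulled` nor an earlier `pulled <= attrsz` guard are visible in this hunk. If both are signed 32-bit, a negative difference rejects every non-negative nlen, which is safe; if either is unsigned, an overrun would wrap to a huge value and the length check would pass. Suggest making the invariant explicit, e.g. `if (nlen < 0 || pulled > attrsz || nlen > (attrsz - pulled))`, or adding a comment pointing to where pulled is bounded before the nlen read. Dropping the `ctxt->file_size` comparison is fine given the commit message's note that attrsz was already bounded by the file size, and the remaining-bytes check is the tighter one in any case.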

0 comments on commit 80c69c9

Please sign in to comment.