fix potential buffer overwrite with zip data (#1974)

If the zipped data unpacks to a buffer which is too large, but still within the scratch buffer size, could potentially write past the end of the buffer Signed-off-by: Kimball Thurston <[email protected]>
AcademySoftwareFoundation · Feb 8, 2025 · 928f9a4 · 928f9a4
1 parent 7044bc9
commit 928f9a4
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/lib/OpenEXRCore/internal_zip.c b/src/lib/OpenEXRCore/internal_zip.c
@@ -298,7 +298,7 @@ undo_zip_impl (
     if (res == EXR_ERR_SUCCESS)
     {
         decode->bytes_decompressed = actual_out_bytes;
-        if (comp_buf_size > actual_out_bytes)
+        if (comp_buf_size > actual_out_bytes || actual_out_bytes > uncompressed_size)
             res = EXR_ERR_CORRUPT_CHUNK;
         else
             internal_zip_reconstruct_bytes (