pkgsrc-Changes archive
CVS commit: pkgsrc/graphics/openexr
Module Name: pkgsrc
Committed By: wiz
Date: Sun Nov 16 21:20:17 UTC 2025
Modified Files:
pkgsrc/graphics/openexr: Makefile distinfo
Log Message:
openexr: update to 3.4.3.
## Version 3.4.3 (November 4, 2025)
Patch release that addresses several bugs, primarily involving
properly rejecting corrupt input data.
Specifically:
* Buffer overflow in PyOpenEXR_old's `channels()` and `channel()` in
legacy python, reported by Joshua Rogers (GitHub: MegaManSec).
* Use after free in PyObject_StealAttrString in legacy python, reported
by Joshua Rogers (GitHub: MegaManSec).
* Use of Uninitialized Memory in openexr, reported by Aldo Ristori
(GitHub: Kaldreic).
* Heap-based Buffer Overflow Remote Code Execution Vulnerability,
reported by Trend Micro Zero Day Initiative.
Also:
* OSS-fuzz [456158449](https://issues.oss-fuzz.com/issues/456158449)
Heap-buffer-overflow in `generic_unpack`
* OSS-fuzz [447429458](https://issues.oss-fuzz.com/issues/447429458)
Heap-buffer-overflow in `DwaCompressor_uncompress`
* OSS-fuzz [439237843](https://issues.oss-fuzz.com/issues/439237843)
Heap-buffer-overflow in `internal_exr_undo_ht`
* OSS-fuzz [436037111](https://issues.oss-fuzz.com/issues/436037111)
Heap-buffer-overflow in `generic_unpack`
* OSS-fuzz [435779241](https://issues.oss-fuzz.com/issues/435779241)
Heap-buffer-overflow in `generic_unpack`
* OSS-fuzz [420744464](https://issues.oss-fuzz.com/issues/420744464)
Abrt in `__cxxabiv1::failed_throw`
Other fixes:
* Fix a bug with re-reading a scanline file with a different set of
channels.
* Only populate `CMAKE_DEBUG_POSTFIX` with `_d` if it is undefined,
which makes it possible to set `CMAKE_DEBUG_POSTFIX=""`.
This version also bumps the auto-fetched version of OpenJPH to
0.24.5. OpenJPH 0.24.5 addresses these OSS-Fuzz issues:
* OSS-fuzz [456837230](https://issues.oss-fuzz.com/issues/456837230)
Crash in `ojph::local::param_cod::~param_cod`
* OSS-fuzz [456248580](https://issues.oss-fuzz.com/issues/456248580)
Null-dereference READ in `ojph::local::param_cod::~param_cod`
* OSS-fuzz [455374208](https://issues.oss-fuzz.com/issues/455374208)
Floating-point-exception in `ojph::local::tile::pre_alloc`
* OSS-fuzz [444963190](https://issues.oss-fuzz.com/issues/444963190)
Index-out-of-bounds in `ojph::local::param_qcd::read_qcc`
* OSS-fuzz [444889300](https://issues.oss-fuzz.com/issues/444889300)
Heap-buffer-overflow in `ojph::mem_infile::read`
* OSS-fuzz [444878558](https://issues.oss-fuzz.com/issues/444878558)
Segv on unknown address in `ojph::local::param_qcd::~param_qcd`
* OSS-fuzz [444878557](https://issues.oss-fuzz.com/issues/444878557)
Null-dereference READ in `ojph::local::param_qcd::~param_qcd`
### Merged Pull Requests:
* [2168](https://github.com/AcademySoftwareFoundation/openexr/pull/2168)
Fix improper use of `Py_DECREF` in legacy python module
* [2166](https://github.com/AcademySoftwareFoundation/openexr/pull/2166)
Only define `CMAKE_DEBUG_POSTFIX` if it is not already defined
* [2164](https://github.com/AcademySoftwareFoundation/openexr/pull/2164)
check storage_mode when computing chunk sizes
* [2163](https://github.com/AcademySoftwareFoundation/openexr/pull/2163)
Check for image size overflow in legacy python module
* [2162](https://github.com/AcademySoftwareFoundation/openexr/pull/2162)
verify packed/unpacked size with uncompressed data
* [2161](https://github.com/AcademySoftwareFoundation/openexr/pull/2161)
ImfCheckFile: handle partial deep tiles
* [2160](https://github.com/AcademySoftwareFoundation/openexr/pull/2160)
Fix issues with negative coordinates and sampling != 0
* [2159](https://github.com/AcademySoftwareFoundation/openexr/pull/2159)
Fix memset in `exr_read_chunk` when nread is negative
* [2156](https://github.com/AcademySoftwareFoundation/openexr/pull/2156)
Fix handling of corrupt RLE data
* [2150](https://github.com/AcademySoftwareFoundation/openexr/pull/2150)
Fix bug with re-reading scanline file with a different set of channels
To generate a diff of this commit:
cvs rdiff -u -r1.73 -r1.74 pkgsrc/graphics/openexr/Makefile
cvs rdiff -u -r1.65 -r1.66 pkgsrc/graphics/openexr/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/graphics/openexr/Makefile
diff -u pkgsrc/graphics/openexr/Makefile:1.73 pkgsrc/graphics/openexr/Makefile:1.74
--- pkgsrc/graphics/openexr/Makefile:1.73 Sun Oct 19 18:22:09 2025
+++ pkgsrc/graphics/openexr/Makefile Sun Nov 16 21:20:17 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.73 2025/10/19 18:22:09 wiz Exp $
+# $NetBSD: Makefile,v 1.74 2025/11/16 21:20:17 wiz Exp $
-DISTNAME= openexr-3.4.2
+DISTNAME= openexr-3.4.3
CATEGORIES= graphics
MASTER_SITES= ${MASTER_SITE_GITHUB:=openexr/}
GITHUB_PROJECT= openexr
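Review bot: Nothing in this hunk accounts for the OpenJPH 0.24.5 bump that the log message describes; only the `$NetBSD$` tag and the `DISTNAME` line change. If this package builds against a separately packaged OpenJPH rather than upstream's auto-fetched copy, check that the dependency's minimum version (outside the lines shown here) is raised to 0.24.5. Otherwise the seven OpenJPH OSS-Fuzz fixes listed in the log do not reach users of this package even though the version reads 3.4.3.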
Index: pkgsrc/graphics/openexr/distinfo
diff -u pkgsrc/graphics/openexr/distinfo:1.65 pkgsrc/graphics/openexr/distinfo:1.66
--- pkgsrc/graphics/openexr/distinfo:1.65 Sun Oct 19 18:22:09 2025
+++ pkgsrc/graphics/openexr/distinfo Sun Nov 16 21:20:17 2025
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.65 2025/10/19 18:22:09 wiz Exp $
+$NetBSD: distinfo,v 1.66 2025/11/16 21:20:17 wiz Exp $
-BLAKE2s (openexr-3.4.2.tar.gz) = 731c99ff574aa9ddffcdf43e51aedb3dffde82327e4c576971c680a478f3232a
-SHA512 (openexr-3.4.2.tar.gz) = 55d3d5de4a022b6ab5f5462fb2b833543d93d9a27d3b84282a2bc2ab99cef19caf96a90cd71a2da61ee36fe9ebc02922f4dbe799a60bb3ae7613bf683b68c742
-Size (openexr-3.4.2.tar.gz) = 25549460 bytes
+BLAKE2s (openexr-3.4.3.tar.gz) = 843d6bbee023f4e7c336fe15bb2ce7040630a24f3ceec2b313cbabf7ac83e809
+SHA512 (openexr-3.4.3.tar.gz) = 74675b981cc82b6b3144d9dd56df611031dcb2f3da91aeb46b41fc97ec94b9ea45cad10142e3f2d1cd29022b42351d057e1540bde519f4381e206076dc3a5dbb
+Size (openexr-3.4.3.tar.gz) = 25549651 bytes
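Review bot: The new `BLAKE2s` and `SHA512` lines are the only record that ties this security update to one specific `openexr-3.4.3.tar.gz`, and neither the hunk nor the log says how the digests were obtained. Every later build trusts these two values. Please compare them against a second, independently fetched copy of the release archive and say in the log that this was done.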