TSC Meeting Notes 2024-02-08
Attendance:
Guests:
Li Ji, ILM
Christian Wieberg-Nielsen, Colorist, Storyline
Discussion:
Deep CVE bug fix - OIIO test suite tests are failing
Larry will verify further
Peter & Nick had discussed a possible change to the core so that every exception can be caught, allowing the true source of an error to be captured.
Christian: interested in how to get metadata from the camera into OpenEXR
GitHub security vulnerability reporting
Cary: anyone have any insight? People who filed the CVE had a blocked address, so we did not receive the message; email is not as reliable for CVE reports.
You have to be an administrator to accept a draft and turn it into a CVE; Cary will look into it further.
Need multiple administrators
Fuzz reports go to openexr.org, but CVE reports go to openexr.com?
Cary made it all consistent a while back except for the fuzz reports. Should test if the openexr.org address is working.
Deep CVE bug
Peter is getting a repro; Kimball was able to repro
Kimball needs to update the checkfile test to catch the break reported by OIIO
As a repro, this fails:
iinfo -v --hash --stats testsuite/iinfo/src/tinydeep.exr
Kimball: Pointer unpack is causing this issue
OpenSUSE already cherry-picked the fix into their next release but caught it in their tests before releasing
Deep file limits: 2.5 GB
Peter: amplification attacks could be a risk if you can allocate a lot of memory for loading
PR 1616 - automate compression method detection - Phillipe lePrince
Kimball: shouldn't have automated detection
Peter: compile-time trick; wouldn't have implemented it this way because it's a little difficult to reason about
Not built every time you build the library, only when a new compression type is added; done at CMake time, but only if you ask it to.
Doesn't need to work for everybody
Kimball: went away from having float tables auto-built. Do that for configuration, but we should be against such a mechanism if it is something that doesn't change very often.
Peter: could do it with the CI: generate the files and inject them back into the system
But added 1000 lines of code to save writing 5 lines of code when adding new compression types.
CMake changes are large
Peter: could ask to take out the automation, leaving files as is and modifying them by hand
Would need to add a comment to the cpp file as to what needs updating when adding a compression type
Kimball: Add static assert in compression.cpp or compression.c to check the length of the enum against the compression types.
Peter: old C interface uses #defines instead of an enum, so difficult to check
Peter: should be able to catch that in the test suite
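As an added illustration of the static-assert check Kimball suggested (this is example code, not OpenEXR's compression.c; the enum, table and names are constructed for the example): a sentinel enum value gives the count, a _Static_assert ties the lookup table's length to it, and a small runtime check usable from a test suite covers what a compile-time check cannot.

```c
/* Added example: keep a per-compression lookup table in sync with the
 * compression enum. Enum and table are constructed for illustration. */
#include <assert.h>
#include <stddef.h>
#include <string.h>

typedef enum {
    COMP_NONE = 0,
    COMP_RLE,
    COMP_ZIPS,
    COMP_ZIP,
    COMP_PIZ,
    COMP_LAST_TYPE   /* sentinel: always keep last; its value is the count */
} compression_t;

/* One entry per compression method, in enum order. Adding a method to the
 * enum without adding a row here fails at compile time, not at runtime. */
static const struct {
    compression_t id;
    const char   *name;
    int           scanlines_per_chunk;
} COMPRESSION_TABLE[] = {
    { COMP_NONE, "none", 1  },
    { COMP_RLE,  "rle",  1  },
    { COMP_ZIPS, "zips", 1  },
    { COMP_ZIP,  "zip",  16 },
    { COMP_PIZ,  "piz",  32 },
};

_Static_assert(sizeof(COMPRESSION_TABLE) / sizeof(COMPRESSION_TABLE[0]) == COMP_LAST_TYPE,
               "COMPRESSION_TABLE is out of sync with compression_t: add the new method here");

/* Runtime cross-check for the test suite: entry i must describe enum value i.
 * The static assert only checks the count, not the ordering. Returns 1 if consistent. */
int compression_table_is_consistent(void)
{
    for (size_t i = 0; i < (size_t)COMP_LAST_TYPE; ++i)
        if ((size_t)COMPRESSION_TABLE[i].id != i) return 0;
    return 1;
}

/* Bounds-checked name lookup so an out-of-range value from a file header
 * cannot index past the table. */
const char *compression_name(compression_t c)
{
    return ((int)c >= 0 && (int)c < COMP_LAST_TYPE) ? COMPRESSION_TABLE[c].name : "unknown";
}
```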
Cary: what about std compression in the PR?
Peter: scanline implementation breaks with deep; single scanline would solve it. The compression step is just given raw data and doesn't know which datatype it is dealing with (on the C++ side; it's different on the C side). Maybe special-case handling of the compression type just in the core, then forward it.
Kimball: we already did that with ... (missed this) , handled in core then forwarded.
Blosc library performs differently when it knows if it has 4-byte vs 3-byte data.
Zstandard or LZMA have a discrete chunk vs. streaming mode and can keep a little bit of state around that helps the streaming. Should make sure we are taking advantage of these capabilities.