OpenEXR Heap-Based Buffer Overflow Vulnerability in DWAA Decompression

Vulnerability

A heap-based buffer overflow vulnerability has been identified in OpenEXR version 3.3.2. The issue arises while reading DWAA-packed scan-line EXR files: maliciously crafted chunks lead to out-of-bounds memory access. The root cause is improper pointer arithmetic in the 'LossyDctDecoder_execute' function, particularly when it handles non-block-aligned chunks. The flaw can be exploited to crash the application and potentially leak sensitive data or memory addresses, which could in turn be used to circumvent exploit mitigations such as ASLR.

Impact

Exploitation of this vulnerability causes a heap-buffer-overflow, which can lead to memory corruption, application crashes, and in some cases, unauthorized memory access or data leaks.

Reproduction

To reproduce this vulnerability, first compile the OpenEXR 'exrcheck' utility with AddressSanitizer (ASAN) enabled on a macOS or GNU/Linux machine. Then run 'exrcheck' on a DWAA-packed EXR file known to trigger the vulnerability. The application will crash, and ASAN will report a heap-buffer-overflow together with a stack trace, demonstrating the out-of-bounds read caused by the vulnerability.

Remediation

Users can upgrade to OpenEXR version 3.3.3, which addresses this vulnerability by fixing the pointer arithmetic issue that led to the buffer overflow.
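The two checks a defender needs from this advisory are whether an installed OpenEXR predates the fixed release and whether an ASAN crash report matches the signature described above (heap-buffer-overflow with 'LossyDctDecoder_execute' on the stack). The script below is an added example, not code from the advisory or from the OpenEXR project. It assumes pkg-config exposes the library under the module name OpenEXR; the ASAN report it parses is constructed for illustration, with placeholder caller frames, and only the error kind and the 'LossyDctDecoder_execute' frame name come from the advisory.

```python
"""Triage helper for the OpenEXR DWAA heap-buffer-overflow advisory (added example)."""
import re
import shutil
import subprocess

# The advisory states that 3.3.3 carries the fix; anything older is affected.
FIXED_VERSION = (3, 3, 3)

# Constructed ASAN report (not real tool output); caller frames are placeholders.
SAMPLE_REPORT = """\
=================================================================
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000001f0 at pc 0x401234 bp 0x7ffd0000 sp 0x7ffd0000
READ of size 2 at 0x6020000001f0 thread T0
    #0 0x401234 in LossyDctDecoder_execute (constructed frame)
    #1 0x401456 in placeholder_dwaa_caller (constructed frame)
    #2 0x401678 in main (constructed frame)
"""

ASAN_ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+)")
ASAN_FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+ in (\S+)", re.MULTILINE)


def parse_version(text):
    """Extract (major, minor, patch) from a string such as '3.3.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version_text):
    """True when the given OpenEXR version is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def installed_openexr_version():
    """Ask pkg-config for the installed OpenEXR version; None if it cannot be determined.

    Assumes the library registers itself as the pkg-config module 'OpenEXR'.
    """
    if shutil.which("pkg-config") is None:
        return None
    proc = subprocess.run(
        ["pkg-config", "--modversion", "OpenEXR"], capture_output=True, text=True
    )
    return proc.stdout.strip() or None


def classify_asan_report(report):
    """Return (error_kind, [frame function names]) from an ASAN report, or (None, [])."""
    m = ASAN_ERROR_RE.search(report)
    if not m:
        return None, []
    frames = [name for _, name in ASAN_FRAME_RE.findall(report)]
    return m.group(1), frames


def matches_advisory(report):
    """True when the report shows a heap-buffer-overflow with LossyDctDecoder_execute on the stack."""
    kind, frames = classify_asan_report(report)
    return kind == "heap-buffer-overflow" and any(
        "LossyDctDecoder_execute" in f for f in frames
    )


if __name__ == "__main__":
    version = installed_openexr_version()
    if version is None:
        print("OpenEXR version could not be determined via pkg-config")
    else:
        state = "AFFECTED" if is_affected(version) else "fixed"
        print(f"installed OpenEXR {version}: {state} (fixed in 3.3.3)")
    kind, frames = classify_asan_report(SAMPLE_REPORT)
    print(f"sample report: {kind}, top frame {frames[0] if frames else None}")
    print("matches advisory signature:", matches_advisory(SAMPLE_REPORT))
```

Run it on a host after building with ASAN to gate the library version, or feed it the captured sanitizer output of an 'exrcheck' crash to confirm the crash is this bug rather than an unrelated sanitizer finding; a report without a LossyDctDecoder_execute frame is deliberately not matched, so the check does not over-attribute crashes to this advisory.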

Added: Jul 31, 2025, 9:18 PM
Updated: Jul 31, 2025, 9:18 PM

Vulnerability Rating (Custom Algorithm)

Category         Score
spread           4.2
impact           2.5
exploitability   5.4
remediation      7.7
relevance        0.3
threat           6.4
urgency          2.9
incentive        0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.