OpenEXR Compression Vulnerability Leading to Buffer Overflow

A buffer overflow vulnerability has been identified in the OpenEXR file format when decoding images that use DWAA or DWAB compression. The issue arises from an incorrect assumption that all image channels share the same pixel type and size, and that the first four channels represent 'B', 'G', 'R', and 'A'. The vulnerability can be exploited by manipulating the channel data, such as by introducing duplicate or unknown channels, which can cause the decoding process to read beyond the allocated buffer. This vulnerability affects OpenEXR versions prior to 8.0.

Impact

Exploitation of this vulnerability can lead to a buffer overflow, which may allow for arbitrary code execution or cause a denial-of-service condition by crashing the application.

Reproduction

To reproduce this vulnerability, create an OpenEXR file using DWAA or DWAB compression that includes four channels. The first four channels should be set to a 4-byte pixel type, while additional channels can be added with a 2-byte EXR_HALF type. When this file is decoded, the buffer overflow will occur as the decoding process attempts to read more data than was allocated, based on the incorrect channel type assumptions.

Remediation

Users are advised to upgrade to OpenEXR version 8.0 or later.