OpenEXR Memory Safety Vulnerability in Python Adapter Allowing Crashes and Potential Code Execution

A memory safety vulnerability has been identified in the OpenEXR Python adapter, specifically in versions 3.2.0 prior to 3.2.5, 3.3.0 prior to 3.3.6, and 3.4.0 prior to 3.4.3. This vulnerability arises from an integer overflow and unchecked memory allocation in the 'InputFile.channel()' and 'InputFile.channels()' methods. When these methods are used to process EXR files controlled by an attacker or to handle crafted Python objects, they can cause crashes and likely allow for code execution. The issue can lead to a heap overflow on 32-bit systems or a NULL dereference on 64-bit systems.

Impact

Exploitation of this vulnerability can result in a heap overflow on 32-bit systems, leading to memory corruption, or a NULL dereference on 64-bit systems, causing a crash.

Reproduction

The vulnerability can be reproduced by using the OpenEXR Python library to open an EXR file that has been crafted to exploit the integer overflow and unchecked allocation in the 'InputFile.channels()' method. This can be done by writing an EXR file with a header that includes a large channel width, which causes the allocation request to overflow and either corrupt the heap or dereference a NULL pointer.

Remediation

Users can upgrade to OpenEXR versions 3.2.5, 3.3.6, or 3.4.3, which include a patch for this vulnerability.