OpenEXR CompositeDeepScanLine Integer Overflow Vulnerability Leading to Heap Out-of-Bounds Write

Vulnerability

OpenEXR's CompositeDeepScanLine component is affected from version 2.3.0 onward, up to the fixed releases listed under Remediation. While a deep scanline is processed, the per-pixel sample counts are accumulated into a running total that is later used to resize the sample buffers. A crafted file can make that total overflow and wrap to a small value, so the buffers are sized for far fewer samples than the decoder then writes into them, which produces a heap-based out-of-bounds write and, from there, memory corruption and potentially remote code execution. The trigger is a multipart deep EXR file with very large sample counts per pixel; compression keeps the file small on disk while the decoder still has to expand every claimed sample.
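To make the arithmetic concrete, the following is an added, simplified C++ model of this bug class and of its fix. It is not OpenEXR's code: the function names, the 32-bit accumulator, the 2^31 ceiling and the constructed sample counts are assumptions made for illustration. It sums per-pixel sample counts the unchecked way, computes where the first out-of-bounds write would land in a buffer sized from the wrapped total, and beside it shows a checked accumulation that rejects the same counts before anything is allocated.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified model of the bug class (hypothetical code, not OpenEXR's):
// a deep scanline carries one sample count per pixel, and the decoder sums
// those counts to decide how large the sample buffers must be.

// Vulnerable pattern: the running total lives in a 32-bit integer and is
// never checked, so a row of huge counts wraps it to a small value.
uint32_t total_samples_unchecked(const std::vector<uint32_t>& counts) {
    uint32_t total = 0;
    for (uint32_t c : counts) total += c;   // silently wraps modulo 2^32
    return total;
}

// The mathematically correct total, used only to measure the discrepancy.
uint64_t total_samples_wide(const std::vector<uint32_t>& counts) {
    uint64_t total = 0;
    for (uint32_t c : counts) total += c;
    return total;
}

// Hardened pattern: 64-bit running total plus an explicit ceiling that the
// caller derives from what it is willing to allocate. Returns false (and
// leaves *out untouched) as soon as the total would pass the ceiling.
bool total_samples_checked(const std::vector<uint32_t>& counts,
                           uint64_t max_samples, uint64_t* out) {
    uint64_t total = 0;
    for (uint32_t c : counts) {
        if (c > max_samples - total) return false;  // would exceed ceiling
        total += c;
    }
    *out = total;
    return true;
}

// Index of the first pixel whose samples would be written past the end of a
// buffer sized by the wrapped total, or -1 if every pixel fits. This is the
// write AddressSanitizer reports as a heap-buffer-overflow; here it is only
// computed, never performed.
long first_overflowing_pixel(const std::vector<uint32_t>& counts) {
    uint64_t capacity = total_samples_unchecked(counts);
    uint64_t offset = 0;
    for (size_t i = 0; i < counts.size(); ++i) {
        if (offset + counts[i] > capacity) return static_cast<long>(i);
        offset += counts[i];
    }
    return -1;
}

// Constructed input standing in for one scanline of a file: `width` pixels
// that each claim `per_pixel` samples (a stand-in, not real EXR data).
std::vector<uint32_t> constructed_counts(size_t width, uint32_t per_pixel) {
    return std::vector<uint32_t>(width, per_pixel);
}

int main() {
    // Benign scanline: 1920 pixels, 8 samples each.
    std::vector<uint32_t> benign = constructed_counts(1920, 8);
    // Crafted scanline: 5 pixels claiming 2^30 samples each (5 * 2^30 > 2^32),
    // so the 32-bit total wraps to 2^30 and pixel 1 already overruns it.
    std::vector<uint32_t> crafted = constructed_counts(5, 0x40000000u);

    uint64_t n = 0;
    std::printf("benign:  unchecked=%u wide=%llu first_oob=%ld checked_ok=%d\n",
                (unsigned)total_samples_unchecked(benign),
                (unsigned long long)total_samples_wide(benign),
                first_overflowing_pixel(benign),
                (int)total_samples_checked(benign, 1ull << 31, &n));
    std::printf("crafted: unchecked=%u wide=%llu first_oob=%ld checked_ok=%d\n",
                (unsigned)total_samples_unchecked(crafted),
                (unsigned long long)total_samples_wide(crafted),
                first_overflowing_pixel(crafted),
                (int)total_samples_checked(crafted, 1ull << 31, &n));
    return 0;
}
```

Note that the wrap in total_samples_unchecked is on an unsigned integer, which is defined behaviour in C++; UndefinedBehaviorSanitizer will not report it unless the accumulator is signed or clang's -fsanitize=unsigned-integer-overflow is enabled, which is why the reproduction below relies on AddressSanitizer catching the later write rather than the arithmetic itself.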

Impact

Exploitation causes a heap-based out-of-bounds write during decoding. In the simplest case this crashes the process, a denial of service. Because the corruption is a heap write driven by an attacker-supplied file rather than a plain out-of-bounds read, it could also be leveraged for remote code execution.

Reproduction

To reproduce, generate a proof-of-concept file with a custom EXR writer that emits the malicious sample counts, then open it with a minimal reader harness that does what a normal application does: open the file, iterate over its parts, and read the pixel data. Build the harness with AddressSanitizer and UndefinedBehaviorSanitizer enabled (for example -fsanitize=address,undefined); ASan reports the heap-buffer-overflow at the out-of-bounds write. UBSan only flags the overflow itself if the accumulator is a signed integer, so the ASan report is the reliable signal.

Remediation

Upgrade to a fixed release: OpenEXR 3.2.6, 3.3.8, or 3.4.6, depending on which release line is in use.

Added: Mar 3, 2026, 11:20 PM
Updated: Mar 3, 2026, 11:20 PM

Vulnerability Rating

Custom Algorithm

spread          5.4
impact          7.5
exploitability  5.0
remediation     7.7
relevance       3.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.