AcademySoftwareFoundation OpenEXR
cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*
- >= 3.4.0, < 3.4.9
A signed integer overflow vulnerability has been identified in OpenEXR versions 3.4.0 up to, but not including, 3.4.9. The issue arises from a missing bounds check on the dataWindow attribute in EXR file headers, which allows an attacker to craft an EXR file that triggers the overflow when it is processed. When dataWindow.min.x is set to a large negative value, OpenEXRCore calculates an excessively wide image, and a later signed integer multiplication on that width overflows. Undefined Behavior Sanitizer (UBSan) catches the overflow and reports it as a crash, confirming the vulnerability.
Exploitation of this vulnerability causes a denial-of-service condition by terminating the process with a SIGILL signal, due to the signed integer overflow triggered during EXR file unpacking. This issue affects any application that uses OpenEXRCore to parse EXR files, including image editors, 3D renderers, and media processing tools.
To reproduce this vulnerability, take a valid single-part scanline EXR file with NONE compression and two channels (HALF + FLOAT). Modify the dataWindow.min.x field in the file header to a large negative value, such as -1,073,741,804. Then, feed the crafted file to an application that uses OpenEXRCore for EXR file parsing. The process will crash with a SIGILL signal, indicating the occurrence of the signed integer overflow.
Users should update to OpenEXR version 3.4.9 or later, where this vulnerability has been fixed.
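The kind of bounds check the description says was missing, as an added example in C (this is not OpenEXR's code or its actual fix): a bytes-per-scanline calculation that widens to 64 bits and rejects a dataWindow whose row size does not fit in a signed 32-bit integer. The struct, the function name and the max.x value of 19 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types and names for illustration; not OpenEXRCore's API. */
typedef struct { int32_t min_x, min_y, max_x, max_y; } box2i;
enum { SAMPLE_HALF = 2, SAMPLE_FLOAT = 4 };   /* bytes per sample */

/* Computes bytes per scanline for a dataWindow and channel list.
 * Returns 0 and stores the size in *out, or -1 if the window is
 * inverted or an intermediate value does not fit in int32_t. */
int scanline_bytes_checked(const box2i *dw, const int *sample_bytes,
                           int nchan, int32_t *out)
{
    if (dw->min_x > dw->max_x || dw->min_y > dw->max_y)
        return -1;

    /* Widen first: max_x - min_x + 1 can itself exceed INT32_MAX. */
    int64_t width = (int64_t)dw->max_x - (int64_t)dw->min_x + 1;
    if (width > INT32_MAX)
        return -1;

    int64_t total = 0;
    for (int c = 0; c < nchan; ++c) {
        if (sample_bytes[c] <= 0 || sample_bytes[c] > 8)
            return -1;
        total += width * sample_bytes[c];   /* 64-bit, cannot overflow */
        if (total > INT32_MAX)
            return -1;
    }
    *out = (int32_t)total;
    return 0;
}

int main(void)
{
    const int chans[2] = { SAMPLE_HALF, SAMPLE_FLOAT };
    /* Constructed windows: max_x = 19 is an assumption; min_x of the
     * second window is the value quoted in the advisory. */
    const box2i normal  = { 0, 0, 19, 9 };
    const box2i crafted = { -1073741804, 0, 19, 9 };
    int32_t bytes = 0;

    int rc = scanline_bytes_checked(&normal, chans, 2, &bytes);
    printf("normal:  rc=%d bytes=%d\n", rc, (int)bytes);
    rc = scanline_bytes_checked(&crafted, chans, 2, &bytes);
    printf("crafted: rc=%d\n", rc);
    return 0;
}
```

With the constructed max.x of 19, the quoted min.x gives a width of 2^30 pixels, so the HALF channel alone needs 2^31 bytes per row, one more than INT32_MAX, and the function rejects the header instead of multiplying in 32 bits.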