OpenEXR Signed Integer Overflow Vulnerability in PXR24 Decompression Allowing Heap Corruption

Vulnerability

A signed integer overflow vulnerability has been identified in OpenEXR versions 3.2.0 prior to 3.2.7, 3.3.0 prior to 3.3.9, and 3.4.0 prior to 3.4.9. The issue occurs in the PXR24 decompression function, where a width value is improperly handled, leading to undefined behavior and potential heap corruption. This vulnerability arises when the width value is large, causing a multiplication to overflow and bypass a bounds check, allowing excessive data to be written to an output buffer.
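As an added illustration of the pattern described above (constructed for this page, not OpenEXR's code; function names, the 4-byte sample size and the 1024-byte buffer are hypothetical), the overflow-prone size check sits beside a hardened form that bounds the width before any multiplication takes place:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not OpenEXR's code. Models the flaw class only:
 * a byte count derived from width is computed in a signed 32-bit int and
 * only afterwards compared with the output buffer size. */

/* Vulnerable pattern. Signed overflow is undefined behaviour in C; the
 * unsigned cast below reproduces the two's-complement wrap-around that
 * GCC/Clang builds without sanitizers exhibit in practice, so the result
 * is deterministic for the reader. A huge width wraps to a tiny value,
 * the check passes, and a later copy of the real amount would run past
 * the buffer. */
bool unsafe_size_check(int width, int bytes_per_sample, size_t out_len)
{
    uint32_t wrapped = (uint32_t) width * (uint32_t) bytes_per_sample;
    int needed = (int) wrapped;              /* wrapped, not the true size */
    return needed >= 0 && (size_t) needed <= out_len;
}

/* Hardened form: validate the inputs, then compare width against the
 * largest width the buffer can hold, so no product is ever formed that
 * could overflow. (GCC/Clang's __builtin_mul_overflow is an alternative.) */
bool safe_size_check(int width, int bytes_per_sample, size_t out_len)
{
    if (width < 0 || bytes_per_sample <= 0)
        return false;
    size_t max_width = out_len / (size_t) bytes_per_sample;
    return (size_t) width <= max_width;
}

/* True byte requirement, computed in 64 bits, for comparison/logging. */
uint64_t bytes_needed(int width, int bytes_per_sample)
{
    return (uint64_t) width * (uint64_t) bytes_per_sample;
}
```

With width 1073741825 and 4-byte samples the true requirement is 4294967300 bytes, yet the unsafe check accepts a 1024-byte buffer because the product wraps to 4; the hardened check rejects it.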

Impact

Exploitation of this vulnerability can cause a denial-of-service by crashing the application. Additionally, if the integer overflow is manipulated to bypass the bounds check, it could lead to a heap out-of-bounds write, potentially corrupting memory and allowing for code execution, depending on the memory allocator's behavior.

Reproduction

The vulnerability can be reproduced by compiling OpenEXR with Clang or GCC (without sanitizers) and using a crafted EXR file that exploits the signed integer overflow in the PXR24 compression. The overflow can be triggered by setting the width value in a way that the multiplication wraps around, allowing the subsequent bounds check to pass incorrectly. This can be done by creating an EXR file with specific header and chunk-size values that evade validation checks.

Remediation

Users should update to OpenEXR versions 3.2.7, 3.3.9, or 3.4.9, where this vulnerability has been fixed.

Added: Apr 6, 2026, 4:31 PM
Updated: Apr 6, 2026, 4:31 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 1.3
exploitability: 5.6
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.