AcademySoftwareFoundation openexr
cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*
- >= 3.4.0, < 3.4.7
A heap write overflow has been identified in OpenEXR versions 3.4.0 up to, but not including, 3.4.7. The flaw is in the HTJ2K decoder, which mishandles the channel width: when the width reaches 32768, the decoder's loop counter overflows and the decoder writes outside the bounds of its output buffer. An attacker can craft an EXR file that triggers this, so any application that decodes EXR images is affected, and the impact may extend to remote code execution.
Triggering the bug produces a heap buffer overflow; AddressSanitizer reports a write of size 2 bytes at the boundary of a 65536-byte output buffer. Heap write overflows of this kind can lead to remote code execution on the affected system.
The issue can be reproduced with a crafted EXR file that uses HTJ2K compression and has a channel width of 32768, processed by any application that decodes EXR images. The out-of-bounds write happens in the 'internal_exr_undo_ht' function of the OpenEXR library, which is called during decoding. A proof-of-concept program that reads the crafted file and calls the decoding function produces a heap-buffer-overflow report.
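The mechanism described above comes down to a loop counter that cannot represent the row width: 32768 is exactly one past the range of a signed 16-bit integer. The C below is an added illustration of the defensive check a decoder should make before writing a row; it is written for this page and is not OpenEXR's code. The 16-bit counter width, the function names and the sample row are assumptions made for the example. It shows why a buffer-size check alone is not enough: a 32768-sample row of 2-byte values fits a 65536-byte buffer exactly, yet must still be rejected if the counter type cannot count that far.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenEXR code. The advisory says the HTJ2K
 * decoder's loop counter overflows once the channel width reaches 32768,
 * which is one past INT16_MAX; the example therefore ASSUMES a signed
 * 16-bit loop counter in the decoder it is guarding. */
#define ASSUMED_COUNTER_MAX INT16_MAX

/* Why a row request was rejected, so callers can tell which guard fired. */
enum row_check {
    ROW_OK = 0,
    ROW_BAD_ARGS,         /* zero width or zero sample size */
    ROW_COUNTER_RANGE,    /* width not representable by the loop counter */
    ROW_SIZE_OVERFLOW,    /* width * bytes_per_sample would wrap size_t */
    ROW_BUFFER_TOO_SMALL  /* the row does not fit the output buffer */
};

/* Validate decode parameters before any write happens. On success the
 * number of bytes the row occupies is stored in *row_bytes (if non-NULL). */
enum row_check check_row(uint32_t width, size_t bytes_per_sample,
                         size_t out_size, size_t *row_bytes)
{
    if (width == 0 || bytes_per_sample == 0)
        return ROW_BAD_ARGS;
    /* The counter must be able to reach `width` without wrapping. */
    if (width > (uint32_t)ASSUMED_COUNTER_MAX)
        return ROW_COUNTER_RANGE;
    /* Overflow-safe multiplication: check the quotient first. */
    if ((size_t)width > SIZE_MAX / bytes_per_sample)
        return ROW_SIZE_OVERFLOW;
    size_t need = (size_t)width * bytes_per_sample;
    if (need > out_size)
        return ROW_BUFFER_TOO_SMALL;
    if (row_bytes)
        *row_bytes = need;
    return ROW_OK;
}

/* Copy one decoded row into `out`, but only after check_row passes. The
 * loop counter is size_t, so it cannot wrap for any width that passed the
 * check. Returns the number of bytes written, or 0 if the row was refused. */
size_t copy_row(const uint8_t *src, uint32_t width, size_t bytes_per_sample,
                uint8_t *out, size_t out_size)
{
    size_t need = 0;
    if (check_row(width, bytes_per_sample, out_size, &need) != ROW_OK)
        return 0;
    for (size_t i = 0; i < (size_t)width; i++)
        memcpy(out + i * bytes_per_sample, src + i * bytes_per_sample,
               bytes_per_sample);
    return need;
}

/* Constructed sample: an 8-sample row of 2-byte values copied into a buffer
 * that fits it exactly. Returns the bytes written (16 on success). */
size_t demo_copy(void)
{
    uint8_t src[16];
    uint8_t out[16];
    for (size_t i = 0; i < sizeof src; i++)
        src[i] = (uint8_t)i;
    memset(out, 0, sizeof out);
    size_t written = copy_row(src, 8, 2, out, sizeof out);
    /* Confirm the last sample actually arrived intact. */
    if (written == 16 && out[15] != 15)
        return 0;
    return written;
}

int main(void)
{
    /* The advisory's figures: 32768 samples of 2 bytes in a 65536-byte
     * buffer pass the size check but fail the counter-range check. */
    printf("width 32767 -> %d\n", (int)check_row(32767, 2, 65536, NULL));
    printf("width 32768 -> %d\n", (int)check_row(32768, 2, 65536, NULL));
    printf("demo_copy wrote %zu bytes\n", demo_copy());
    return 0;
}
```

The ordering of the guards matters: the counter-range test runs before the size arithmetic, because a width the counter cannot represent is wrong regardless of how large the output buffer is.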
Users should upgrade to OpenEXR version 3.4.7 or later, where this vulnerability has been patched.