OpenEXR PIZ Decoder Signed Integer Overflow Vulnerability Leading to Out-of-Bounds Memory Access

Vulnerability

A vulnerability exists in OpenEXR versions 3.1.0 prior to 3.2.7, 3.3.0 prior to 3.3.9, and 3.4.0 prior to 3.4.9. The issue arises in the PIZ decoding function 'internal_exr_undo_piz()', which advances the wavelet pointer using signed 32-bit arithmetic. A crafted EXR file can make that arithmetic overflow, moving the pointer outside the allocated buffer and leading to out-of-bounds memory access. Because the wavelet decoding process operates in place, the result is both out-of-bounds reads and out-of-bounds writes. The vulnerability has been patched in versions 3.2.7, 3.3.9, and 3.4.9.

Impact

A crafted file that triggers this vulnerability causes a signed integer overflow, which in turn allows out-of-bounds memory access during the PIZ decompression process. Since the decoder works in place, this includes both invalid reads and invalid writes, which could lead to memory corruption, a process crash, or potentially more severe exploitation outcomes.

Reproduction

The vulnerability can be reproduced by building the 'exrcheck' tool with AddressSanitizer (ASAN) enabled. After compiling, 'exrcheck' can be run against a crafted EXR file that triggers the overflow. AddressSanitizer will report the signed integer overflow and the resulting heap-buffer-overflow, indicating that the vulnerability has been triggered. This can also be verified using Valgrind's 'memcheck' tool, which will show the invalid read and write operations caused by the overflow.
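The following C program is an added illustration of the arithmetic the Vulnerability and Reproduction sections describe; it is not OpenEXR code and does not reproduce 'internal_exr_undo_piz()'. It models a decoder stepping a pointer through an in-place wavelet buffer by nx * ny * pixel_size elements: once in signed 32-bit arithmetic (the vulnerable shape, with the wrapped value shown without executing undefined behaviour in the demo itself), and once with a hardened advance that uses size_t, checks each multiplication for overflow, and rejects any step that leaves the allocated buffer. The dimensions, the 1024-sample buffer and all function names are assumptions chosen for the example. Compiled with -fsanitize=undefined,address, the same unchecked product written directly in int32_t is what the sanitizers flag in a real decoder.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model (not OpenEXR code) of a decoder advancing a pointer
 * through an in-place wavelet buffer by nx * ny * pixel_size elements. */

/* Offset as the vulnerable shape computes it: a signed 32-bit product.
 * The real expression "nx * ny * pixel_size" in int32_t is undefined
 * behaviour when it overflows; this helper computes it in 64 bits and
 * truncates modulo 2^32 so the demonstration itself stays defined while
 * still showing the value a wrapped computation produces on common ABIs. */
static int32_t wrapped_offset_i32(int32_t nx, int32_t ny, int32_t pixel_size)
{
    int64_t wide = (int64_t)nx * ny * pixel_size;
    return (int32_t)(uint32_t)wide;
}

/* The offset a correct 64-bit computation yields, for comparison. */
static int64_t true_offset(int32_t nx, int32_t ny, int32_t pixel_size)
{
    return (int64_t)nx * ny * pixel_size;
}

/* Would cur + off (cur = base + used) stay inside [base, base + buf_len]?
 * A negative wrapped offset walks backwards before the buffer start; an
 * overly large one runs past its end. Either is an out-of-bounds access
 * once the decoder reads and writes through the pointer in place. */
static int advance_stays_in_bounds(size_t used, size_t buf_len, int64_t off)
{
    if (off < 0)
        return (uint64_t)(-off) <= used;   /* off originates from int32, so no INT64_MIN */
    return (uint64_t)off <= buf_len - used;
}

/* Hardened advance (assumed design, not the upstream fix): size_t arithmetic
 * with explicit overflow checks and a bounds check against the buffer that
 * was actually allocated. Returns 1 and sets *out on success, 0 if the step
 * is invalid, in which case the caller should reject the file. */
static int safe_advance(const uint16_t *base, size_t buf_len, const uint16_t *cur,
                        uint32_t nx, uint32_t ny, uint32_t pixel_size,
                        const uint16_t **out)
{
    if (cur < base)
        return 0;
    size_t used = (size_t)(cur - base);
    if (used > buf_len)
        return 0;
    size_t remaining = buf_len - used;

    /* nx * ny * pixel_size, checked for overflow before each multiply */
    if (nx != 0 && ny > SIZE_MAX / nx)
        return 0;
    size_t step = (size_t)nx * ny;
    if (pixel_size != 0 && step > SIZE_MAX / pixel_size)
        return 0;
    step *= pixel_size;

    if (step > remaining)
        return 0;
    *out = cur + step;
    return 1;
}

int main(void)
{
    /* Constructed dimensions; 1024 samples stand in for decoded channel data. */
    static uint16_t buf[1024];
    size_t buf_len = sizeof buf / sizeof buf[0];
    const uint16_t *out = NULL;

    int32_t wrapped = wrapped_offset_i32(60000, 60000, 1);
    printf("true offset %lld, int32 wrapped offset %d, stays in bounds: %d\n",
           (long long)true_offset(60000, 60000, 1), wrapped,
           advance_stays_in_bounds(0, buf_len, wrapped));

    int ok_big = safe_advance(buf, buf_len, buf, 60000, 60000, 1, &out);
    printf("safe_advance(60000x60000x1): %d\n", ok_big);

    int ok_small = safe_advance(buf, buf_len, buf, 16, 16, 2, &out);
    printf("safe_advance(16x16x2): %d, offset %td\n", ok_small, out - buf);
    return 0;
}
```

The 60000 x 60000 case wraps to a negative int32 offset, so the unchecked decoder would step backwards before the buffer start; the hardened path refuses it because the step exceeds the remaining buffer, while the modest 16 x 16 x 2 step is accepted and lands at sample 512.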

Remediation

Users should update to OpenEXR versions 3.2.7, 3.3.9, or 3.4.9.

Added: Apr 6, 2026, 4:29 PM
Updated: Apr 6, 2026, 4:29 PM

Vulnerability Rating

Custom Algorithm
spread          4.2
impact          1.3
exploitability  6.0
remediation     7.7
relevance       5.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.