OpenEXR DWA Lossy Decoder Heap Out-of-Bounds Write Vulnerability

Vulnerability

A heap out-of-bounds write vulnerability has been identified in the DWA lossy decoder of OpenEXR versions 3.2.0 prior to 3.2.7, 3.3.0 prior to 3.3.9, and 3.4.0 prior to 3.4.9. The decoder constructs its temporary per-component block pointers using signed 32-bit arithmetic. When the image width is large enough that the intermediate product no longer fits in a signed 32-bit integer, the computation overflows and the decoder goes on to operate on a wrapped pointer that lies outside the allocated rowBlock backing store. The flaw is reachable through the public decoder path and can be reproduced with a crafted scanline DWAA file using the 'exrcheck' tool.
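The following is an added example, not OpenEXR's own code, that shows the arithmetic behind the description above: a per-component offset formed in 32-bit arithmetic wraps for a large width, while the same offset formed in 64 bits with overflow and bounds checks does not. The layout is an assumed simplification (one strip of DCT_ROWS rows of 16-bit samples per component, components back to back); the function names and the hypothetical rowBlock model are this example's, not the library's, and a 64-bit size_t is assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed model for this example (not OpenEXR's actual layout): the rowBlock
 * backing store holds, for each component, one strip of DCT_ROWS rows by
 * `width` 16-bit samples, with the components laid out back to back. The
 * per-component pointer is therefore base + comp * width * DCT_ROWS. */
#define DCT_ROWS 8u

/* Vulnerable pattern: the element offset is formed in 32-bit signed arithmetic.
 * Signed overflow is undefined behaviour in C, so this helper reproduces the
 * two's-complement wrap explicitly through uint32_t and returns the value the
 * overflowed int would hold on ordinary targets, without invoking UB itself. */
int64_t comp_offset_wrapped_i32(uint32_t width, uint32_t comp)
{
    uint32_t prod = comp * width * DCT_ROWS;            /* wraps modulo 2^32 */
    return prod >= 0x80000000u ? (int64_t)prod - 0x100000000LL : (int64_t)prod;
}

/* The pointer the vulnerable code would derive is base + offset; it is only
 * usable when that offset lands inside the backing store. */
bool offset_in_bounds(int64_t offset, size_t backing_elems)
{
    return offset >= 0 && (uint64_t)offset < backing_elems;
}

/* Hardened pattern: widen to 64 bits, check every multiplication for overflow,
 * and require the whole component strip to fit inside the backing store. */
bool comp_offset_checked(uint32_t width, uint32_t comp, size_t backing_elems,
                         size_t *out)
{
    uint64_t strip, start, end;
    if (__builtin_mul_overflow((uint64_t)width, (uint64_t)DCT_ROWS, &strip))
        return false;
    if (__builtin_mul_overflow(strip, (uint64_t)comp, &start))
        return false;
    if (__builtin_add_overflow(start, strip, &end))
        return false;
    if (end > backing_elems)
        return false;
    if (out)
        *out = (size_t)start;
    return true;
}

/* Simulated decode step: fill component `comp` of the strip with `value`,
 * refusing to touch memory unless the offset is proven in bounds. */
bool fill_component(uint16_t *backing, size_t backing_elems,
                    uint32_t width, uint32_t comp, uint16_t value)
{
    size_t start;
    if (!comp_offset_checked(width, comp, backing_elems, &start))
        return false;
    for (size_t i = 0; i < (size_t)width * DCT_ROWS; i++)
        backing[start + i] = value;
    return true;
}

int main(void)
{
    /* Small, sane image: the 32-bit and 64-bit computations agree. */
    uint32_t width = 64, ncomp = 3;
    size_t elems = (size_t)ncomp * width * DCT_ROWS;
    uint16_t *backing = calloc(elems, sizeof *backing);
    if (!backing)
        return 1;
    for (uint32_t c = 0; c < ncomp; c++)
        printf("comp %u: wrapped=%lld filled=%d\n", c,
               (long long)comp_offset_wrapped_i32(width, c),
               fill_component(backing, elems, width, c, (uint16_t)(0x100 * c)));
    free(backing);

    /* Crafted width: 2 * 200000000 * 8 = 3200000000 exceeds INT32_MAX, so the
     * 32-bit offset wraps negative and the derived pointer lands before the
     * buffer. The 64-bit path keeps the true offset. Only the sizes are
     * computed here; no buffer of that size is allocated. */
    width = 200000000u;
    elems = (size_t)ncomp * width * DCT_ROWS;
    int64_t wrapped = comp_offset_wrapped_i32(width, 2);
    size_t start = 0;
    printf("width %u comp 2: wrapped=%lld in_bounds=%d checked_ok=%d start=%zu\n",
           width, (long long)wrapped, offset_in_bounds(wrapped, elems),
           comp_offset_checked(width, 2, elems, &start), start);
    return 0;
}
```

The checked variant deliberately rejects more than the overflow itself: a component index whose strip would end past the backing store is refused as well, which is the bounds condition that a correct pointer derivation has to establish before any write.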

Impact

The wrapped pointer is dereferenced for writing in the lossy DCT execution path, so processing a crafted file crashes with a segmentation fault on the out-of-bounds store. Because the primitive is a heap out-of-bounds write rather than a read, its consequences are not limited to the crash: the write corrupts whatever heap memory the wrapped address reaches, with effects that depend on the allocation layout at the time.

Reproduction

Build OpenEXR with AddressSanitizer enabled and run the 'exrcheck' tool on a crafted scanline DWAA file whose width triggers the signed integer overflow in the DWA lossy decoder. AddressSanitizer reports the heap out-of-bounds write through the wrapped pointer; the preceding signed integer overflow itself is flagged by UndefinedBehaviorSanitizer, if that is enabled alongside it. Unsanitized builds crash with a segmentation fault at the same write.

Remediation

Users should upgrade to OpenEXR 3.2.7, 3.3.9, or 3.4.9 (or a later release in the respective series), where this vulnerability has been fixed.

Added: Apr 6, 2026, 4:29 PM
Updated: Apr 6, 2026, 4:29 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 3.1
exploitability: 5.6
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.