OpenEXR HTJ2K Decompression Signed Integer Overflow Vulnerability Allowing Heap Out-of-Bounds Write

Vulnerability

A signed integer overflow vulnerability has been identified in OpenEXR versions 3.4.0 through 3.4.9, specifically within the HTJ2K decompression process. The issue arises in the 'ht_undo_impl()' function, where a bytes-per-line value is calculated using a 32-bit signed integer without any overflow protection. This vulnerability can be exploited by crafting an EXR file with 16,385 FLOAT channels at the maximum width of 32,767, causing the bytes-per-line value to exceed the integer limit and produce undefined behavior. On hosts that allow the necessary memory allocation, this wrapped negative value can be used to advance a pointer per scanline, leading to a heap out-of-bounds write. However, on memory-constrained hosts, the allocation fails before the vulnerable function is executed.

Impact

Exploitation of this vulnerability causes a signed integer overflow, which is undefined behavior under the C++ standard. This can lead to a heap out-of-bounds write, potentially allowing for memory corruption. However, this out-of-bounds write is dependent on the behavior of the memory allocator and was not demonstrated during testing.

Reproduction

The vulnerability can be reproduced by using the OpenEXR 'exrcheck' tool with a crafted EXR file that exploits the integer overflow in the HTJ2K decompression. This file should be prepared to include 16,385 FLOAT channels at the maximum width of 32,767. Alternatively, the vulnerability can be reproduced using a C++ harness compiled with undefined behavior sanitizer, which will directly expose the signed integer overflow error.

Remediation

Users can upgrade to OpenEXR version 3.4.10, which addresses this vulnerability by adding the necessary overflow guards in the HTJ2K decompression path.
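The arithmetic behind the overflow described above, and the kind of guard the fix adds, as an added illustration that is not OpenEXR's code: it assumes bytes per line is channels × width × bytes-per-sample (FLOAT being 4 bytes), models the 32-bit wrap with well-defined unsigned arithmetic, and shows a 64-bit checked version rejecting the advisory's 16,385 × 32,767 × 4 case.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reconstruction of the unguarded calculation (not OpenEXR's
 * code). A signed 32-bit product would be undefined behaviour on overflow,
 * so the wrap is modelled here with unsigned arithmetic and reduced back
 * into the int32 range explicitly; the returned value is what a two's
 * complement host would observe as the "negative bytes-per-line". */
static int32_t bytes_per_line_unguarded(int32_t channels, int32_t width,
                                        int32_t bytes_per_sample)
{
    uint32_t prod = (uint32_t)channels * (uint32_t)width * (uint32_t)bytes_per_sample;
    int64_t wrapped = (int64_t)prod;
    if (wrapped > INT32_MAX)
        wrapped -= (int64_t)1 << 32;   /* reinterpret as signed 32-bit */
    return (int32_t)wrapped;
}

/* Guarded version: validate the inputs, multiply in 64 bits, and refuse any
 * result that does not fit a signed 32-bit integer. Returns false on
 * overflow so the caller can reject the file before touching a buffer. */
static bool bytes_per_line_guarded(int32_t channels, int32_t width,
                                   int32_t bytes_per_sample, int32_t *out)
{
    if (channels <= 0 || width <= 0 || bytes_per_sample <= 0)
        return false;
    int64_t prod = (int64_t)channels * (int64_t)width;
    if (prod > INT32_MAX)
        return false;
    prod *= (int64_t)bytes_per_sample;
    if (prod > INT32_MAX)
        return false;
    *out = (int32_t)prod;
    return true;
}

int main(void)
{
    /* Constructed inputs: the advisory's channel count and width, FLOAT samples. */
    int32_t bpl = 0;
    printf("unguarded: %d\n", bytes_per_line_unguarded(16385, 32767, 4));
    printf("guarded accepts: %s\n",
           bytes_per_line_guarded(16385, 32767, 4, &bpl) ? "yes" : "no");
    return 0;
}
```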

Added: Apr 21, 2026, 2:25 AM
Updated: Apr 21, 2026, 2:25 AM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.