OpenEXR Integer Overflow Vulnerability in DWA Decoder Pointer Arithmetic

Vulnerability

A vulnerability exists in OpenEXR versions 3.4.0 prior to 3.4.9, 3.3.0 prior to 3.3.9, and 3.2.0 prior to 3.2.7. The issue is in the DWA decoder's internal_dwa_compressor.h file, specifically at line 1040, where pointer arithmetic is performed in int32 arithmetic without first casting to size_t. This creates an integer overflow risk, particularly when the dataWindow width exceeds 536,870,912 for FLOAT channels: at that width the 4-byte-per-sample byte count no longer fits in a signed 32-bit integer. The overflow allows crafted EXR files to corrupt heap memory, leading to potential exploitation.

Impact

Exploitation of this vulnerability causes heap buffer corruption by overwriting memory. The out-of-bounds write results from the integer overflow in the DWA decoder, and its impact is comparable to other known vulnerabilities in the same decoder.

Reproduction

To reproduce this vulnerability, create a DWAA or DWAB compressed EXR file with a dataWindow width greater than 537 million pixels. When this file is opened, the DWA decoder processes the header and, because there is no default image size limit, does not reject the width. The integer overflow then occurs in the pointer arithmetic, causing the out-of-bounds write that corrupts the heap.
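The following is an added illustration of the bug class described above, not code from OpenEXR: it models a row byte count derived from a file-controlled width in 32-bit arithmetic, shows what the wrapped value becomes at the 536,870,912 threshold for 4-byte FLOAT samples, and shows the widened-and-checked form a decoder should use instead. The function names and the 4096-byte buffer length are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EXR FLOAT samples are 4 bytes each. */
#define FLOAT_CHANNEL_BYTES 4u

/* What an unchecked 32-bit computation of width*4 yields. The multiply is
 * done unsigned so the wrap at 2^32 is well defined here; the cast to
 * int32_t models storing the result in a signed int (two's complement). */
static int32_t wrapped_offset_i32(uint32_t width)
{
    uint32_t bytes = width * FLOAT_CHANNEL_BYTES;
    return (int32_t)bytes;
}

/* Hardened form: widen before multiplying and reject any byte count that
 * would not fit the 32-bit intermediates the decoder uses.
 * Returns 0 and stores the count in *out, or -1 on overflow. */
static int checked_row_bytes(uint32_t width, size_t *out)
{
    uint64_t bytes = (uint64_t)width * FLOAT_CHANNEL_BYTES;
    if (bytes > (uint64_t)INT32_MAX)
        return -1;
    *out = (size_t)bytes;
    return 0;
}

/* Whether base + off would still lie inside a buffer of len bytes;
 * a negative or wrapped offset lands outside the allocation. */
static int offset_in_bounds(int32_t off, size_t len)
{
    return off >= 0 && (size_t)off < len;
}

int main(void)
{
    /* Constructed widths: one just under the threshold, one at it. */
    uint32_t widths[] = { 536870911u, 536870912u, 1073741824u };
    for (size_t i = 0; i < 3; i++) {
        size_t n = 0;
        int ok = checked_row_bytes(widths[i], &n);
        printf("width %u: wrapped int32 offset %d, checked %s\n",
               widths[i], wrapped_offset_i32(widths[i]),
               ok == 0 ? "accepted" : "rejected (overflow)");
    }
    return 0;
}
```

The width 1,073,741,824 (2^30) is the most insidious case: the wrapped offset is 0, so it passes a naive non-negative check while pointing at the wrong location.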

Remediation

Users can upgrade to OpenEXR versions 3.2.8, 3.3.10, or 3.4.10, all of which include the necessary fix.

Added: Apr 21, 2026, 2:19 AM
Updated: Apr 21, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 0.6
exploitability: 4.6
remediation: 7.7
relevance: 6.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.