OpenEXR Out-of-Bounds Read Vulnerability in IDManifest Prefix Expansion

Vulnerability

A high-severity out-of-bounds read has been identified in OpenEXR versions 3.0.0 prior to 3.0.6, 3.1.0 prior to 3.1.14, 3.2.0 prior to 3.2.9, 3.3.0 prior to 3.3.11, and 3.4.0 prior to 3.4.11. The flaw is in IDManifest::init(), which reconstructs the manifest's strings from a prefix-compressed representation: each string is stored as a prefix length (the number of leading bytes it shares with the preceding string) followed by the bytes that differ. When the preceding string is longer than 255 bytes, the prefix length occupies two bytes instead of one, and the code reads both bytes without first verifying that the current string contains at least two bytes. A crafted manifest in which a string longer than 255 bytes is followed by an empty string therefore causes a read past the end of the empty string's buffer. The byte read that way becomes part of the prefix length, which an attacker can use to leak heap memory into the reconstructed string or to crash the process.

Impact

Exploitation results in a heap-based out-of-bounds read. In debug builds with standard-library assertions enabled, the invalid index is caught by the C++ standard library's bounds checks; in optimized production builds there is no such check, and the code reads one byte past the end of the empty string's allocated buffer. Because that byte is folded into the prefix length, the outcome is either disclosure of adjacent heap memory (copied into the reconstructed string) or, when the derived prefix length exceeds the length of the preceding string, an out-of-range exception that terminates the process. The flaw is a read, not a write, so the impact is information disclosure and denial of service rather than memory corruption.

Reproduction

To reproduce, build OpenEXR with Clang with AddressSanitizer and UndefinedBehaviorSanitizer enabled, then pass IDManifest::init() a manifest in which a string longer than 255 bytes is followed by an empty string. When the decoder reaches the empty string it expects a two-byte prefix length, reads past the end of the empty string's buffer, and the sanitizer reports the out-of-bounds read.
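The following is an added example, not code from the OpenEXR project: a minimal model of the prefix-compressed string list as the Vulnerability and Reproduction sections describe it. The layout is assumed (a one-byte prefix length, or a two-byte big-endian length once the preceding string exceeds 255 bytes, followed by the differing suffix); OpenEXR's real on-disk format may differ in detail. decodeUnchecked() mirrors the missing length check, decodeChecked() rejects a short chunk before any read, and craftedTrigger() builds the input described above: a 300-byte string followed by an empty chunk. All function names and sample data are constructed for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Width of the prefix-length field, per the advisory: two bytes when the
// previous decoded string is longer than 255 bytes, otherwise one.
static std::size_t prefixFieldSize(const std::string& prev)
{
    return prev.size() > 255 ? 2 : 1;
}

// Encoder for the assumed layout: chunk = prefix length (big-endian when two
// bytes) followed by the bytes of the string that differ from the previous one.
std::vector<std::string> encode(const std::vector<std::string>& strings)
{
    std::vector<std::string> chunks;
    std::string prev;
    for (const std::string& s : strings) {
        std::size_t n = 0;
        while (n < prev.size() && n < s.size() && prev[n] == s[n]) ++n;
        std::string chunk;
        if (prefixFieldSize(prev) == 2) {
            if (n > 0xffff) n = 0xffff;
            chunk.push_back(static_cast<char>(n >> 8));
            chunk.push_back(static_cast<char>(n & 0xff));
        } else {
            chunk.push_back(static_cast<char>(n)); // n <= prev.size() <= 255
        }
        chunk += s.substr(n);
        chunks.push_back(chunk);
        prev = s;
    }
    return chunks;
}

// Mirrors the flaw as the advisory describes it: the two-byte prefix length is
// read from chunk[0] and chunk[1] with no check that the chunk has two bytes.
// For an empty chunk after a >255-byte string, chunk[1] is one byte past the
// end of the empty string's buffer. Shown for comparison only; never run this
// on untrusted input.
std::vector<std::string> decodeUnchecked(const std::vector<std::string>& chunks)
{
    std::vector<std::string> out;
    std::string prev;
    for (const std::string& chunk : chunks) {
        const std::size_t hdr = prefixFieldSize(prev);
        std::size_t prefixLen = static_cast<unsigned char>(chunk[0]);
        if (hdr == 2)
            prefixLen = (prefixLen << 8) | static_cast<unsigned char>(chunk[1]); // OOB read
        // substr throws std::out_of_range if the garbage-derived prefixLen > prev.size()
        const std::string cur = prev.substr(0, prefixLen) + chunk.substr(hdr);
        out.push_back(cur);
        prev = cur;
    }
    return out;
}

// Hardened decoder: validate the chunk length before touching any byte, and
// bound the prefix length by the previous string so substr cannot throw.
std::vector<std::string> decodeChecked(const std::vector<std::string>& chunks)
{
    std::vector<std::string> out;
    std::string prev;
    for (const std::string& chunk : chunks) {
        const std::size_t hdr = prefixFieldSize(prev);
        if (chunk.size() < hdr)
            throw std::runtime_error("chunk shorter than its prefix-length field");
        std::size_t prefixLen = static_cast<unsigned char>(chunk[0]);
        if (hdr == 2)
            prefixLen = (prefixLen << 8) | static_cast<unsigned char>(chunk[1]);
        if (prefixLen > prev.size())
            throw std::runtime_error("prefix length exceeds previous string");
        const std::string cur = prev.substr(0, prefixLen) + chunk.substr(hdr);
        out.push_back(cur);
        prev = cur;
    }
    return out;
}

// True if the hardened decoder rejects the input instead of reading it.
bool checkedRejects(const std::vector<std::string>& chunks)
{
    try {
        decodeChecked(chunks);
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}

// Constructed trigger: a 300-byte string (one-byte prefix length 0) followed
// by an empty chunk, where a two-byte prefix length is now expected.
std::vector<std::string> craftedTrigger()
{
    return { std::string(1, '\0') + std::string(300, 'A'), std::string() };
}

// Constructed sample names, including a >255-byte name so the two-byte path
// is exercised on well-formed input.
std::vector<std::string> sampleNames()
{
    const std::string longName(300, 'x');
    return { "layer.R", "layer.G", longName, longName + "y" };
}

int main()
{
    const std::vector<std::string> names = sampleNames();
    std::cout << "round trip ok: " << (decodeChecked(encode(names)) == names) << "\n";
    std::cout << "crafted input rejected: " << checkedRejects(craftedTrigger()) << "\n";
    return 0;
}
```

The check that matters is the one on chunk.size() before the prefix bytes are read; the second check on prefixLen turns the page's out-of-range exception into a controlled parse error. Both decoders agree on well-formed input, which is the property a fix for this class of bug should preserve.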

Remediation

Users should update to OpenEXR 3.2.9, 3.3.11, or 3.4.11, depending on the release branch in use.

Added: May 7, 2026, 4:24 AM
Updated: May 7, 2026, 4:24 AM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.