OpenEXR Shift Exponent Overflow Vulnerability in IDManifest Parsing

Vulnerability

A vulnerability exists in OpenEXR versions 3.0.0 prior to 3.0.5, 3.1.0 prior to 3.1.13, 3.2.0 prior to 3.2.8, 3.3.0 prior to 3.3.10, and 3.4.0 prior to 3.4.10. The issue arises in the 'readVariableLengthInteger()' function within 'ImfIDManifest.cpp', where the function decodes variable-length integers from untrusted EXR input without properly limiting the shift count. This oversight can lead to undefined behavior by allowing a left shift of 70 on a 64-bit value, potentially causing out-of-bounds reads when the corrupted value is used as a string-list length in subsequent parsing.
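To make the failure mode concrete, here is an added example (hypothetical code, not OpenEXR's readVariableLengthInteger()) of a bounded decoder for the kind of 7-bits-per-byte varint the advisory describes, next to a helper that reports the shift count an unbounded loop would reach on the same bytes. The encoding, function names and sample byte strings are assumptions constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>

// Result of decoding one variable-length unsigned integer.
struct VarIntResult {
    bool ok;          // false if the encoding is malformed or would overflow
    uint64_t value;   // decoded value when ok
    size_t consumed;  // bytes examined before returning
};

// Hardened decoder (hypothetical, not OpenEXR's own code). Assumed encoding:
// 7 payload bits per byte, low byte first, high bit set on all but the last
// byte. A 64-bit value needs at most 10 bytes, so the shift must stay below
// 64; a naive loop adds 7 per byte and reaches 70 on an 11th byte, which is
// the undefined shift the advisory describes.
VarIntResult readVariableLengthIntegerChecked(const unsigned char* data, size_t len) {
    uint64_t value = 0;
    unsigned shift = 0;
    for (size_t i = 0; i < len; ++i) {
        if (shift >= 64) return {false, 0, i};  // would shift past the 64-bit width
        uint64_t payload = data[i] & 0x7Fu;
        if (shift == 63 && payload > 1) return {false, 0, i};  // one bit of room left
        value |= payload << shift;
        if ((data[i] & 0x80u) == 0) return {true, value, i + 1};
        shift += 7;
    }
    return {false, 0, len};  // input ended before the terminating byte
}

// Shift an unbounded loop would apply to the last byte it reads, computed
// without performing it (this is the exponent UBSan complains about).
unsigned naiveLastShift(const unsigned char* data, size_t len) {
    unsigned shift = 0, last = 0;
    for (size_t i = 0; i < len; ++i) {
        last = shift;
        if ((data[i] & 0x80u) == 0) break;
        shift += 7;
    }
    return last;
}

// Downstream guard: trust a decoded count as a string-list length only if
// at least that many bytes remain (each entry is at least one byte).
bool stringListCountPlausible(uint64_t count, size_t remainingBytes) {
    return count <= remainingBytes;
}

// Constructed sample inputs (not taken from any real EXR file).
static const unsigned char kGood[] = {0x96, 0x01};  // decodes to 150
static const unsigned char kMax[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x01};  // UINT64_MAX
static const unsigned char kRunaway[] = {0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80};  // 11 bytes, no terminator
```

On kRunaway the checked decoder stops at the 11th byte and reports failure, while naiveLastShift shows that an unbounded loop would have shifted by 70 there.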

Impact

Exploitation of this vulnerability causes a shift exponent overflow, leading to undefined behavior. Under UBSan this is observed as a runtime error reporting a shift exponent larger than the width of a 64-bit integer. However, the undefined behavior could be exploited to manipulate memory in a way that bypasses normal security protections, such as memory safety guarantees.

Reproduction

The vulnerability can be reproduced by building the OpenEXR library with the Clang compiler, enabling the Undefined Behavior Sanitizer (UBSan). After compiling the library, the 'harness.cpp' file can be used to trigger the vulnerability by constructing an 'IDManifest' directly from a crafted EXR file that exploits the improper handling of variable-length integers.

Remediation

Users can upgrade to OpenEXR versions 3.2.9, 3.3.11, or 3.4.11 to address this vulnerability.

Added: May 7, 2026, 4:22 AM
Updated: May 7, 2026, 4:22 AM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 1.3
exploitability: 5.6
remediation: 7.7
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.