GHSA-4r7w-q3jg-ff43

Published: 31 Jul 2025
Source: github
GitHub: Reviewed
CVSS4: 6.8

Description

OpenEXR Out of Bounds Heap Read due to Bad Pointer Arithmetic in LossyDctDecoder_execute

Summary

The OpenEXRCore code is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk.

Details

In the LossyDctDecoder_execute function (from src/lib/OpenEXRCore/internal_dwa_decoder.h, when SSE2 is enabled), the following code is used to copy data from the chunks:

    // no-op conversion to linear
    for (int y = 8 * blocky; y < 8 * blocky + maxY; ++y)
    {
        __m128i* restrict       dst = (__m128i *) chanData[comp]->_rows[y];
        __m128i const * restrict src = (__m128i const *)&rowBlock[comp][(y & 0x7) * 8];
        for (int blockx = 0; blockx < numFullBlocksX; ++blockx)
        {
            _mm_storeu_si128 (dst, _mm_loadu_si128 (src));
            //
            src += 8 * 8; // <--- si128 pointer incremented as a uint16_t
            dst += 8;
        }
    }

The issue arises because the src pointer, which is a si128 pointer, is incremented by 8*8, as if it were a uint16_t pointer (64 * uint16_t == 128 bytes). In non-block aligned chunks (width/height not a multiple of 8), this can cause src to point past the boundaries of the chunk.
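To make the stride mistake concrete, the following is an added example (written for this page, not OpenEXR's code) that models the row-block layout the advisory describes: each 8x8 DCT block is 64 uint16_t coefficients stored row-major, so row r of block b starts at uint16_t index b*64 + r*8 and one block row is 16 bytes, the width of a single __m128i load. The example avoids SSE2 intrinsics so it runs on any host; `last_load_end`, `would_overrun`, `copy_block_row` and the constructed coefficient values are all assumptions of this example. It shows the byte offset the buggy 64-element stride on a 16-byte pointer reaches versus the intended 128-byte stride, and a hardened copy that derives the stride from the element type and bounds-checks every load before it happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (example only): 64 coefficients per 8x8 block, 8 values per row. */
enum { BLOCK_COEFFS = 64, ROW_VALUES = 8, ROW_BYTES = 16 };

/* Byte offset one past the last 16-byte load the inner loop performs, for a pointer
 * of elem_bytes per element advanced by stride_elems elements per block.
 * Pure arithmetic: no memory is touched, so the buggy case is safe to evaluate. */
size_t last_load_end(size_t row, size_t num_blocks, size_t elem_bytes, size_t stride_elems)
{
    size_t start = row * ROW_BYTES; /* &rowBlock[(y & 7) * 8] in bytes */
    return start + (num_blocks - 1) * stride_elems * elem_bytes + ROW_BYTES;
}

/* True when the final load of the loop would read past a chunk of buf_bytes bytes. */
bool would_overrun(size_t row, size_t num_blocks, size_t elem_bytes,
                   size_t stride_elems, size_t buf_bytes)
{
    return last_load_end(row, num_blocks, elem_bytes, stride_elems) > buf_bytes;
}

/* Hardened copy: the stride is expressed in the unit of the source array (uint16_t),
 * and each 16-byte load is checked against the real length of the chunk.
 * Returns the number of values copied, or -1 if a load would leave the buffer. */
int copy_block_row(const uint16_t *row_block, size_t row_block_len,
                   size_t row, size_t num_blocks, uint16_t *dst)
{
    if (row >= 8) return -1;
    for (size_t b = 0; b < num_blocks; ++b) {
        size_t src_idx = b * BLOCK_COEFFS + row * ROW_VALUES; /* 64 uint16_t per block */
        if (src_idx + ROW_VALUES > row_block_len) return -1;  /* would read past chunk */
        memcpy(dst + b * ROW_VALUES, row_block + src_idx, ROW_BYTES);
    }
    return (int)(num_blocks * ROW_VALUES);
}

/* Builds a constructed two-block sample (value = block*100 + row*10 + col), copies
 * one block row through copy_block_row with the given claimed chunk length, and
 * returns dst[8] (first value taken from block 1) or -1 if the copy was refused. */
int sample_dst8(size_t claimed_len, size_t row)
{
    uint16_t row_block[2 * BLOCK_COEFFS];
    uint16_t dst[2 * ROW_VALUES];
    for (size_t b = 0; b < 2; ++b)
        for (size_t r = 0; r < 8; ++r)
            for (size_t c = 0; c < 8; ++c)
                row_block[b * BLOCK_COEFFS + r * ROW_VALUES + c] = (uint16_t)(b * 100 + r * 10 + c);
    if (copy_block_row(row_block, claimed_len, row, 2, dst) < 0) return -1;
    return dst[8];
}

int main(void)
{
    size_t chunk_bytes = 2 * BLOCK_COEFFS * sizeof(uint16_t); /* 256 bytes, two blocks */
    printf("stride 64 on __m128i : last load ends at byte %zu (%s)\n",
           last_load_end(7, 2, 16, 64), would_overrun(7, 2, 16, 64, chunk_bytes) ? "OVERRUN" : "ok");
    printf("stride 8  on __m128i : last load ends at byte %zu (%s)\n",
           last_load_end(7, 2, 16, 8), would_overrun(7, 2, 16, 8, chunk_bytes) ? "OVERRUN" : "ok");
    printf("checked copy, row 3  : dst[8] = %d\n", sample_dst8(2 * BLOCK_COEFFS, 3));
    printf("checked copy, short  : %d\n", sample_dst8(100, 7));
    return 0;
}
```

With two blocks (256 bytes) and the last row, the 64-element stride on a 16-byte pointer places the final load at byte 1152, well past the chunk, while an 8-element stride on the same pointer ends exactly at byte 256, the same place a 64-element stride on a uint16_t pointer does. The hardened copy refuses the request outright when the claimed chunk length is shorter than the load it is about to perform, which is the check a forged chunk header has to get past.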

PoC

In order to reproduce the PoC with fidelity and avoid undefined behaviour, it is necessary to enable ASAN (and SSE2). Otherwise the out-of-bounds read will not be detected until its side effect causes a crash.

NOTE: please download the dwadecoder_crash.exr file from the following link:

https://github.com/ShielderSec/poc/tree/main/CVE-2025-48072

  1. Compile the exrcheck binary on a macOS or GNU/Linux machine with ASAN.
  2. Open the dwadecoder_crash.exr file with the following command:

         exrcheck dwadecoder_crash.exr

  3. Notice that exrcheck crashes with an ASAN stack-trace.
    ==2297956==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x52500000a110 at pc 0x55e590db7bf1 bp 0x7fff948bb110 sp 0x7fff948bb108
    READ of size 16 at 0x52500000a110 thread T0
        #0 0x55e590db7bf0 in LossyDctDecoder_execute /root/openexr/src/lib/OpenEXRCore/internal_dwa_decoder.h:650:48
        #1 0x55e590dae18d in DwaCompressor_uncompress /root/openexr/src/lib/OpenEXRCore/internal_dwa_compressor.h:1132:30
        #2 0x55e590da9960 in internal_exr_undo_dwaa /root/openexr/src/lib/OpenEXRCore/internal_dwa.c:202:18
        #3 0x55e590d42d03 in exr_uncompress_chunk /root/openexr/src/lib/OpenEXRCore/compression.c:516:14
        #4 0x55e590dc3132 in exr_decoding_run /root/openexr/src/lib/OpenEXRCore/decoding.c:580:14
        #5 0x55e590c7d78f in Imf_3_4::(anonymous namespace)::ScanLineProcess::run_decode(_priv_exr_context_t const*, int, Imf_3_4::FrameBuffer const*, int, int, std::vector<Imf_3_4::Slice, std::allocator<Imf_3_4::Slice>> const&) /root/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:585:23
        #6 0x55e590c83ed7 in Imf_3_4::ScanLineInputFile::Data::readPixels(Imf_3_4::FrameBuffer const&, int, int) /root/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:499:21
        #7 0x55e590c73c97 in Imf_3_4::ScanLineInputFile::readPixels(int, int) /root/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:306:12
        #8 0x55e590c73c97 in Imf_3_4::InputFile::Data::readPixels(int, int) /root/openexr/src/lib/OpenEXR/ImfInputFile.cpp:446:20
        #9 0x55e590c1f92f in Imf_3_4::InputFile::readPixels(int) /root/openexr/src/lib/OpenEXR/ImfInputFile.cpp:228:12
        #10 0x55e590c1f92f in Imf_3_4::InputPart::readPixels(int) /root/openexr/src/lib/OpenEXR/ImfInputPart.cpp:70:11
        #11 0x55e590c1f92f in bool Imf_3_4::(anonymous namespace)::readScanline<Imf_3_4::InputPart>(Imf_3_4::InputPart&, bool, bool) /root/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:239:20
        #12 0x55e590c1f92f in Imf_3_4::(anonymous namespace)::readMultiPart(Imf_3_4::MultiPartInputFile&, bool, bool) /root/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:879:28
        #13 0x55e590c155af in bool Imf_3_4::(anonymous namespace)::runChecks<char const*>(char const*&, bool, bool) /root/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:1132:21
        #14 0x55e590c155af in Imf_3_4::checkOpenEXRFile(char const*, bool, bool, bool) /root/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:1796:19
        #15 0x55e590ba5abe in exrCheck(char const*, bool, bool, bool, bool) /root/openexr/src/bin/exrcheck/main.cpp:96:16
        #16 0x55e590ba6fbe in main /root/openexr/src/bin/exrcheck/main.cpp:164:29
        #17 0x7f4259e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #18 0x7f4259e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
        #19 0x55e590ac67d4 in _start (/root/openexr/_build_afl_asan/bin/exrcheck+0x1d87d4) (BuildId: 49c2658b2f9ddef9)

    0x52500000a110 is located 752 bytes after 9504-byte region [0x525000007900,0x525000009e20)
    allocated by thread T0 here:
        #0 0x55e590b61623 in malloc (/root/openexr/_build_afl_asan/bin/exrcheck+0x273623) (BuildId: 49c2658b2f9ddef9)
        #1 0x55e590db11b1 in LossyDctDecoder_execute /root/openexr/src/lib/OpenEXRCore/internal_dwa_decoder.h:324:22
        #2 0x55e590dae18d in DwaCompressor_uncompress /root/openexr/src/lib/OpenEXRCore/internal_dwa_compressor.h:1132:30
        #3 0x55e590da9960 in internal_exr_undo_dwaa /root/openexr/src/lib/OpenEXRCore/internal_dwa.c:202:18
        #4 0x55e590d42d03 in exr_uncompress_chunk /root/openexr/src/lib/OpenEXRCore/compression.c:516:14

Impact

An attacker could crash the application and in some scenarios also leak data, such as sensitive information or memory addresses that might be used to bypass exploitation mitigations like ASLR.

Packages

Name: OpenEXR (pip)
Affected versions: = 3.3.2
Fixed version: 3.3.3

EPSS

Percentile: 3%
0.00017
Low

6.8 Medium

CVSS4

Weaknesses

CWE-125

Related vulnerabilities

CVSS3: 9.1
ubuntu
17 days ago

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.

CVSS3: 5.3
redhat
17 days ago

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.

CVSS3: 9.1
nvd
17 days ago

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.

CVSS3: 9.1
debian
17 days ago

OpenEXR provides the specification and reference implementation of the ...