Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-qhpm-86v7-phmm

Опубликовано: 31 июл. 2025
Источник: github
Github: Прошло ревью
CVSS4: 4.6

Описание

OpenEXR ScanLineProcess::run_fill NULL Pointer Write In "reduceMemory" Mode

Summary

When reading a deep scanline image with a large sample count in reduceMemory mode, it is possible to crash a target application with a NULL pointer dereference in a write operation.

Details

In the ScanLineProcess::run_fill function, implemented in src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp, the following code is used to write the fillValue in the sample buffer:

switch (fills.type) { case OPENEXR_IMF_INTERNAL_NAMESPACE::UINT: { unsigned int fillVal = (unsigned int) (fills.fillValue); unsigned int* fillptr = static_cast<unsigned int*> (dest); for ( int32_t s = 0; s < samps; ++s ) fillptr[s] = fillVal; // <--- POTENTIAL CRASH HERE break; }

However, when reduceMemory mode is enabled in the readDeepScanLine function in src/lib/OpenEXRUtil/ImfCheckFile.cpp, with large sample counts, the sample data will not be read, as shown below:

// limit total number of samples read in reduceMemory mode // if (!reduceMemory || fileBufferSize + bufferSize < gMaxBytesPerDeepScanline) // <--- CHECK ON LARGE SAMPLE COUNTS AND reduceMemory { // SNIP... try { in.readPixels (y); }

Therefore, in those cases, the sample buffer would not be allocated, resulting in a potential write operation on a NULL pointer.

PoC

NOTE: please download the runfill_crash.exr file from the following link:

https://github.com/ShielderSec/poc/tree/main/CVE-2025-48073

  1. Compile the exrcheck binary in a macOS or GNU/Linux machine with ASAN.
  2. Open the runfill_crash.exr file with the following command:
exrcheck -m runfill_crash.exr
  1. Notice that exrcheck crashes with ASAN stack-trace.

Impact

An attacker may cause a denial of service by crashing the application.

Ссылки

Пакеты

Наименование

OpenEXR

pip
Затронутые версииВерсия исправления

= 3.3.2

3.3.3

EPSS

Процентиль: 16%
0.00051
Низкий

4.6 Medium

CVSS4

CVE ID

CVE-2025-48073

Дефекты

CWE-476

Связанные уязвимости

ubuntu логотип

CVE-2025-48073

CVSS3: 6.2
ubuntu
5 месяцев назад

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, when reading a deep scanline image with a large sample count in reduceMemory mode, it is possible to crash a target application with a NULL pointer dereference in a write operation. This is fixed in version 3.3.3.

redhat логотип

CVE-2025-48073

CVSS3: 3.3
redhat
5 месяцев назад

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, when reading a deep scanline image with a large sample count in reduceMemory mode, it is possible to crash a target application with a NULL pointer dereference in a write operation. This is fixed in version 3.3.3.

nvd логотип

CVE-2025-48073

CVSS3: 6.2
nvd
5 месяцев назад

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, when reading a deep scanline image with a large sample count in reduceMemory mode, it is possible to crash a target application with a NULL pointer dereference in a write operation. This is fixed in version 3.3.3.

debian логотип

CVE-2025-48073

CVSS3: 6.2
debian
5 месяцев назад

OpenEXR provides the specification and reference implementation of the ...

EPSS

Процентиль: 16%
0.00051
Низкий

4.6 Medium

CVSS4

CVE ID

CVE-2025-48073

Дефекты

CWE-476