While fuzzing openexr_exrcheck_fuzzer, Valgrind reports a conditional branch depending on uninitialized data inside generic_unpack. This indicates a use of uninitialized memory (CWE-457). The issue is reproducible with the current OSS-Fuzz harness and a single-file PoC.
Environment:
Tool: valgrind --tool=memcheck --track-origins=yes
Target: openexr_exrcheck_fuzzer
Project: openexr 3.4.2, commit fd657e8a41e157e5841c7cc2e2a5efe094b069a1 (grafted, HEAD -> main, origin/main, origin/HEAD)
Function: generic_unpack
Possible root cause (based on observed symptoms): The unpacker is branching on bytes in a scratch buffer that were never written because the decode step didn’t fully populate it.
The faulting function is generic_unpack(), reached from exr_decoding_run(). It reads from the decompressed/expanded pixel buffer to scatter data into the framebuffer. A "conditional jump depends on uninitialised value(s)" report means it is consulting bytes in that buffer before they were written.

Valgrind Trace (top frames):
==454== Conditional jump or move depends on uninitialised value(s)
==454== at 0x4539BE: generic_unpack (in /out/openexr_exrcheck_fuzzer)
==454== by 0x44B85F: exr_decoding_run (in /out/openexr_exrcheck_fuzzer)
==454== by 0x38BC5F: Imf_4_0::(anonymous namespace)::TileProcess::run_decode(_priv_exr_context_t const*, int, Imf_4_0::FrameBuffer const*, std::__1::vector<Imf_4_0::Slice, std::__1::allocator<Imf_4_0::Slice> > const&) (in /out/openexr_exrcheck_fuzzer)
==454== by 0x388BE1: Imf_4_0::TiledInputFile::Data::readTiles(int, int, int, int, int, int) (in /out/openexr_exrcheck_fuzzer)
==454== by 0x388619: Imf_4_0::TiledInputFile::readTiles(int, int, int,...
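As an added example (not OpenEXR code), a hypothetical decode/unpack pair in C showing the check the suspected root cause above calls for: compare the byte count the decoder actually produced against what the unpacker will read, and refuse to unpack a short buffer. All function names, the buffer layout and the sample input are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model, not OpenEXR's code: a decode step writes some number
 * of bytes into a scratch buffer and reports how many; the unpacker then
 * scatters 16-bit little-endian samples from that buffer into a framebuffer. */

enum { UNPACK_OK = 0, UNPACK_ERR_SHORT_DECODE = 1 };

/* Constructed stand-in for a decompressor: copies up to `avail` bytes of
 * input into `scratch` and returns how many bytes it actually produced.
 * A real decoder may likewise return fewer bytes than the buffer holds. */
size_t decode_into_scratch(const uint8_t *in, size_t avail,
                           uint8_t *scratch, size_t scratch_cap)
{
    size_t n = avail < scratch_cap ? avail : scratch_cap;
    memcpy(scratch, in, n);
    return n;               /* the caller must not assume n == scratch_cap */
}

/* Hardened unpack: `width` samples per line, `lines` lines. Every byte it
 * reads lies below `filled`, so no unwritten scratch memory is consulted. */
int unpack_checked(const uint8_t *scratch, size_t filled,
                   size_t width, size_t lines, uint16_t *fb)
{
    size_t needed = width * lines * sizeof(uint16_t);
    if (filled < needed)
        return UNPACK_ERR_SHORT_DECODE;   /* would read bytes never written */
    for (size_t y = 0; y < lines; ++y) {
        for (size_t x = 0; x < width; ++x) {
            size_t off = (y * width + x) * 2;
            fb[y * width + x] =
                (uint16_t)(scratch[off] | (scratch[off + 1] << 8));
        }
    }
    return UNPACK_OK;
}

uint16_t example_fb[8];   /* 4x2 samples; filled by run_example */

/* Driver on constructed input (bytes 0..15): decodes `input_bytes` of it
 * into a 16-byte scratch buffer and returns the unpack status. */
int run_example(size_t input_bytes)
{
    uint8_t in[16], scratch[16];
    for (size_t i = 0; i < sizeof in; ++i) in[i] = (uint8_t)i;
    size_t filled = decode_into_scratch(in, input_bytes, scratch, sizeof scratch);
    return unpack_checked(scratch, filled, 4, 2, example_fb);
}
```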
Versions: 3.3.6, 3.4.3

CVSS v4.0 score: 2.0
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Exploitability: AV:L, AC:L, AT:N, PR:N, UI:N
Vulnerable System: VC:N, VI:N, VA:L
Subsequent System: SC:N, SI:N, SA:N