The PXR24 decompression function undo_pxr24_impl in OpenEXR (internal_pxr24.c) ignores the actual decompressed size (outSize) returned by exr_uncompress_buffer() and instead reads from the scratch buffer based solely on the expected size (uncompressed_size) derived from the header metadata.
Additionally, exr_uncompress_buffer() (compression.c:202) treats LIBDEFLATE_SHORT_OUTPUT (where the compressed stream decompresses to fewer bytes than expected) as a successful result rather than an error.
When these two issues are combined, an attacker can craft a PXR24 EXR file containing a valid but truncated zlib stream. As a result, the decoder reads uninitialized heap memory and incorporates it into the output pixel data.
This issue occurs due to the combination of two flaws.
else if (res == LIBDEFLATE_SHORT_OUTPUT)
{
/* TODO: is this an error? */
return EXR_ERR_SUCCESS;
}
libdeflate_zlib_decompress_ex() returns LIBDEFLATE_SHORT_OUTPUT when the compressed stream is successfully decompressed but the resulting output size is smaller than the provided output buffer size. In this case, the actual number of decompressed bytes is written to actual_out. However, the function does not treat this condition as an error and instead returns success.
rstat = exr_uncompress_buffer(
decode->context, compressed_data, comp_buf_size,
scratch_data, scratch_size, &outSize); // outSize = actual bytes written
if (rstat != EXR_ERR_SUCCESS) return rstat;
// outSize is never referenced afterwards.
// The loop below reads the entire scratch_data buffer based on
// uncompressed_size (the header-derived expected size).
for (int y = 0; y < decode->chunk.height; ++y) { ... }
After exr_uncompress_buffer() returns success, the code does not verify whether the actual decompressed size (outSize) matches the expected...
3.4.8Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:HVI:NVA:NSubsequent System
SC:NSI:NSA:N8.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N