GHSA-qhpm-86v7-phmm

Suggest an improvement
Source
https://github.com/advisories/GHSA-qhpm-86v7-phmm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-qhpm-86v7-phmm/GHSA-qhpm-86v7-phmm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qhpm-86v7-phmm
Aliases
Published
2025-07-31T19:21:35Z
Modified
2025-08-01T13:29:06Z
Severity
  • 4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenEXR ScanLineProcess::run_fill NULL Pointer Write In "reduceMemory" Mode
Details

Summary

When reading a deep scanline image with a large sample count in reduceMemory mode, it is possible to crash a target application with a NULL pointer dereference in a write operation.

Details

In the ScanLineProcess::run_fill function, implemented in src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp, the following code is used to write the fillValue in the sample buffer:

                switch (fills.type)
                {
                    case OPENEXR_IMF_INTERNAL_NAMESPACE::UINT:
                    {
                        unsigned int fillVal = (unsigned int) (fills.fillValue);
                        unsigned int* fillptr = static_cast<unsigned int*> (dest);

                        for ( int32_t s = 0; s < samps; ++s )
                            fillptr[s] = fillVal; // <--- POTENTIAL CRASH HERE
                        break;
                    }

However, when reduceMemory mode is enabled in the readDeepScanLine function in src/lib/OpenEXRUtil/ImfCheckFile.cpp, with large sample counts, the sample data will not be read, as shown below:

            // limit total number of samples read in reduceMemory mode
            //
            if (!reduceMemory ||
                fileBufferSize + bufferSize < gMaxBytesPerDeepScanline) // <--- CHECK ON LARGE SAMPLE COUNTS AND reduceMemory
            {
            // SNIP...
            try
                {
                    in.readPixels (y);
                }

Therefore, in those cases, the sample buffer would not be allocated, resulting in a potential write operation on a NULL pointer.

PoC

NOTE: please download the runfill_crash.exr file from the following link:

https://github.com/ShielderSec/poc/tree/main/CVE-2025-48073

  1. Compile the exrcheck binary in a macOS or GNU/Linux machine with ASAN.
  2. Open the runfill_crash.exr file with the following command:

    exrcheck -m runfill_crash.exr
    
  3. Notice that exrcheck crashes with ASAN stack-trace.

Impact

An attacker may cause a denial of service by crashing the application.

Database specific
{
    "nvd_published_at": "2025-07-31T21:15:28Z",
    "cwe_ids": [
        "CWE-476"
    ],
    "github_reviewed_at": "2025-07-31T19:21:35Z",
    "github_reviewed": true,
    "severity": "MODERATE"
}
References

Affected packages

PyPI / openexr

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3.2
Fixed
3.3.3

Affected versions

3.*

3.3.2