When reading a deep scanline image with a large sample count in reduceMemory
mode, it is possible to crash a target application with a NULL pointer dereference in a write operation.
In the ScanLineProcess::run_fill
function, implemented in src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp
, the following code is used to write the fillValue
in the sample buffer:
switch (fills.type)
{
case OPENEXR_IMF_INTERNAL_NAMESPACE::UINT:
{
unsigned int fillVal = (unsigned int) (fills.fillValue);
unsigned int* fillptr = static_cast<unsigned int*> (dest);
for ( int32_t s = 0; s < samps; ++s )
fillptr[s] = fillVal; // <--- POTENTIAL CRASH HERE
break;
}
However, when reduceMemory
mode is enabled in the readDeepScanLine
function in src/lib/OpenEXRUtil/ImfCheckFile.cpp
, with large sample counts, the sample data will not be read, as shown below:
// limit total number of samples read in reduceMemory mode
//
if (!reduceMemory ||
fileBufferSize + bufferSize < gMaxBytesPerDeepScanline) // <--- CHECK ON LARGE SAMPLE COUNTS AND reduceMemory
{
// SNIP...
try
{
in.readPixels (y);
}
Therefore, in those cases, the sample buffer would not be allocated, resulting in a potential write operation on a NULL pointer.
NOTE: please download the runfill_crash.exr
file from the following link:
https://github.com/ShielderSec/poc/tree/main/CVE-2025-48073
exrcheck
binary in a macOS or GNU/Linux machine with ASAN.Open the runfill_crash.exr
file with the following command:
exrcheck -m runfill_crash.exr
Notice that exrcheck
crashes with ASAN stack-trace.
An attacker may cause a denial of service by crashing the application.
{ "nvd_published_at": "2025-07-31T21:15:28Z", "cwe_ids": [ "CWE-476" ], "github_reviewed_at": "2025-07-31T19:21:35Z", "github_reviewed": true, "severity": "MODERATE" }