GHSA-vc68-257w-m432

Summary

The PXR24 decompression function undopxr24impl in OpenEXR (internalpxr24.c) ignores the actual decompressed size (outSize) returned by exruncompressbuffer() and instead reads from the scratch buffer based solely on the expected size (uncompressedsize) derived from the header metadata.

Additionally, exruncompressbuffer() (compression.c:202) treats LIBDEFLATESHORTOUTPUT (where the compressed stream decompresses to fewer bytes than expected) as a successful result rather than an error.

When these two issues are combined, an attacker can craft a PXR24 EXR file containing a valid but truncated zlib stream. As a result, the decoder reads uninitialized heap memory and incorporates it into the output pixel data.

Details

This issue occurs due to the combination of two flaws.

1. compression.c:202–205 — LIBDEFLATESHORTOUTPUT treated as success

   else if (res == LIBDEFLATE_SHORT_OUTPUT)
   {
       /* TODO: is this an error? */
       return EXR_ERR_SUCCESS;
   }
   

   libdeflatezlibdecompressex() returns LIBDEFLATESHORTOUTPUT when the compressed stream is successfully decompressed but the resulting output size is smaller than the provided output buffer size. In this case, the actual number of decompressed bytes is written to actualout. However, the function does not treat this condition as an error and instead returns success.

2. internal_pxr24.c:279–287 — outSize return value ignored

   rstat = exr_uncompress_buffer(
       decode->context, compressed_data, comp_buf_size,
       scratch_data, scratch_size, &outSize);   // outSize = actual bytes written
   
   if (rstat != EXR_ERR_SUCCESS) return rstat;
   
   // outSize is never referenced afterwards.
   // The loop below reads the entire scratch_data buffer based on
   // uncompressed_size (the header-derived expected size).
   for (int y = 0; y < decode->chunk.height; ++y) { ... }
   

   After exruncompressbuffer() returns success, the code does not verify whether the actual decompressed size (outSize) matches the expected size (uncompressedsize). The subsequent byte-plane reconstruction loop reads from the scratch buffer up to uncompressedsize bytes. As a result, the region between outSize and uncompressed_size consists of uninitialized heap memory, which is then read by the decoder.

Affected component - src/lib/OpenEXRCore/internalpxr24.c — undopxr24impl() (line 261–399) - src/lib/OpenEXRCore/compression.c — exruncompress_buffer() (line 202–205)

PoC

Please refer to the atta poc.zip ched archive file and proceed after extracting it.

1. git clone https://github.com/AcademySoftwareFoundation/openexr.git
2. mv poc openexr/
3. cd openexr
4. docker build -f poc/Dockerfile -t pxr24-poc .
5. docker run --rm pxr24-poc

<img width="858" height="155" alt="스크린샷 2026-03-15 오후 4 38 18" src="https://github.com/user-attachments/assets/ded9eab6-9b92-40f7-9a0d-7b00db7e6088" />

Impact

• Sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). Trigger Condition: Occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction.