OpenEXR PIZ Decoder Signed 32-bit Integer Overflow (CVE-2020-34588) Analysis

Vulnerability Summary: Signed 32-bit Overflow in PIZ Decoder (CVE-2020-34588) Vulnerability Overview In the OpenEXR PIZ decoder function , the update of the pointer utilizes signed 32-bit arithmetic ( ). An attacker can craft specific , , and values to trigger an integer overflow and pointer wraparound. This causes the subsequent channel to be decoded from an incorrect address, resulting in out-of-bounds read/write (OOB Read/Write) operations rather than a simple crash. Affected Versions The following OpenEXR versions are affected: 3.1.0 - 3.1.13 3.2.0 - 3.2.6 3.3.0 - 3.3.8 3.4.0 - 3.4.8 Remediation The following measures are recommended to remediate this vulnerability: 1. Use 64-bit Arithmetic: Perform channel stride calculations using 64-bit arithmetic. 2. Overflow Checks: Reject any inputs that could cause an overflow before calculating . 3. Validate Footprint: Verify that the cumulative per-channel decoded footprint fits within the decompression buffer. 4. Strict Matching: Terminate decompression if the channel decoding layout does not strictly fit within the decompression buffer. Proof of Concept (POC) The screenshot provides the build commands and test file description used to reproduce the vulnerability: Build and Run Command (ASAN): Build and Run Command (Valgrind): POC File Description (Redzone-Oriented File): width: 6738862 height: 32 channel A: FLOAT, sampling 1 x 1 channel B: HALF, sampling 3355443 x 16 This configuration causes the address to wrap around, triggering a heap overflow.

Goal Reached Thanks to every supporter — we hit 100%!

OpenEXR PIZ Decoder Signed 32-bit Integer Overflow (CVE-2020-34588) Analysis

More from this source