OpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)

Summary

The PXR24 decompression function undo_pxr24_impl in OpenEXR (internal_pxr24.c) ignores the actual decompressed size (outSize) returned by exr_uncompress_buffer() and instead reads from the scratch buffer based solely on the expected size (uncompressed_size) derived from the header metadata.

Additionally, exr_uncompress_buffer() (compression.c:202) treats LIBDEFLATE_SHORT_OUTPUT (where the compressed stream decompresses to fewer bytes than expected) as a successful result rather than an error.

When these two issues are combined, an attacker can craft a PXR24 EXR file containing a valid but truncated zlib stream. As a result, the decoder reads uninitialized heap memory and incorporates it into the output pixel data.

Details

This issue occurs due to the combination of two flaws.

1. compression.c:202–205 — LIBDEFLATE_SHORT_OUTPUT treated as success

else if (res == LIBDEFLATE_SHORT_OUTPUT)
{
    /* TODO: is this an error? */
    return EXR_ERR_SUCCESS;
}

libdeflate_zlib_decompress_ex() returns LIBDEFLATE_SHORT_OUTPUT when the compressed stream is successfully decompressed but the resulting output size is smaller than the provided output buffer size. In this case, the actual number of decompressed bytes is written to actual_out. However, the function does not treat this condition as an error and instead returns success.

2. internal_pxr24.c:279–287 — outSize return value ignored

rstat = exr_uncompress_buffer(
    decode->context, compressed_data, comp_buf_size,
    scratch_data, scratch_size, &outSize);   // outSize = actual bytes written

if (rstat != EXR_ERR_SUCCESS) return rstat;

// outSize is never referenced afterwards.
// The loop below reads the entire scratch_data buffer based on
// uncompressed_size (the header-derived expected size).
for (int y = 0; y < decode->chunk.height; ++y) { ... }

After exr_uncompress_buffer() returns success, the code does not verify whether the actual decompressed size (outSize) matches the expected size (uncompressed_size). The subsequent byte-plane reconstruction loop reads from the scratch buffer up to uncompressed_size bytes. As a result, the region between outSize and uncompressed_size consists of uninitialized heap memory, which is then read by the decoder.

Affected component

• src/lib/OpenEXRCore/internal_pxr24.c — undo_pxr24_impl() (line 261–399)
• src/lib/OpenEXRCore/compression.c — exr_uncompress_buffer() (line 202–205)

PoC

Please refer to the atta
poc.zip
ched archive file and proceed after extracting it.

1. git clone https://github.com/AcademySoftwareFoundation/openexr.git
2. mv poc openexr/
3. cd openexr
4. docker build -f poc/Dockerfile -t pxr24-poc .
5. docker run --rm pxr24-poc

Impact

• Sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure).
  Trigger Condition: Occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction.