CVE-2020-16587
Description
A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file.
Affected products
- Academy Software Foundation/OpenEXR (description)
- osv-coords (8 versions):
  - pkg:rpm/opensuse/openexr&distro=openSUSE%20Leap%2015.1 (no CPE), range: < 2.2.1-lp151.4.15.1
  - pkg:rpm/opensuse/openexr&distro=openSUSE%20Leap%2015.2 (no CPE), range: < 2.2.1-lp152.7.8.1
  - pkg:rpm/suse/openexr&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1 (no CPE), range: < 2.2.1-3.21.1
  - pkg:rpm/suse/openexr&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2 (no CPE), range: < 2.2.1-3.21.1
  - pkg:rpm/suse/openexr&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 2.1.0-6.26.1
  - pkg:rpm/suse/openexr&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 2.1.0-6.26.1
  - pkg:rpm/suse/openexr&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 2.1.0-6.26.1
  - pkg:rpm/suse/openexr&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5 (no CPE), range: < 2.1.0-6.26.1
Patches
Vulnerability mechanics
Root cause
"Off-by-one error in bounds check: `partNumber > parts.size()` instead of `partNumber >= parts.size()` allows access at an invalid index."
Attack vector
An attacker crafts a malicious EXR file with a part number in the chunk offset table that equals the number of parts (i.e., an index of `parts.size()`). When `chunkOffsetReconstruction` processes this file, the flawed comparison `partNumber > static_cast<int>(parts.size())` treats the invalid index as valid, leading to a heap-based buffer over-read or over-write. This can cause a denial of service via a crash or potentially more severe memory corruption.
Affected code
The vulnerability is in `OpenEXR/IlmImf/ImfMultiPartInputFile.cpp` in the `MultiPartInputFile::Data::chunkOffsetReconstruction` function. The bounds check for `partNumber` used `>` instead of `>=`, allowing an out-of-bounds index equal to `parts.size()` to pass validation.
What the fix does
The patch changes the comparison from `>` to `>=` on line 574 of `ImfMultiPartInputFile.cpp`. This ensures that a `partNumber` equal to `parts.size()` is correctly rejected as out of range, preventing access beyond the bounds of the `parts` vector. The fix closes the off-by-one error that allowed the heap buffer overflow.
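The off-by-one described above, as an added sketch that is not OpenEXR's code: `Part`, `ChunkRecord`, `Result`, `reconstruct` and `runSample` are hypothetical names and the records are constructed. `parts.at()` stands in for the unchecked index so an index that passes the flawed check surfaces as an exception instead of a heap access.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical stand-ins for this sketch; these are not OpenEXR's types.
struct Part { std::vector<std::uint64_t> chunkOffsets; };
struct ChunkRecord { int partNumber; std::uint64_t fileOffset; };  // values read from the file
enum class Result { Ok, RejectedBadPartNumber, OutOfBoundsIndex };

// Comparison before the fix: a partNumber equal to parts.size() is not rejected.
bool rejectBeforeFix(int partNumber, const std::vector<Part>& parts) {
    return partNumber < 0 || partNumber > static_cast<int>(parts.size());
}

// Comparison after the fix: only 0 .. parts.size() - 1 is accepted.
bool rejectAfterFix(int partNumber, const std::vector<Part>& parts) {
    return partNumber < 0 || partNumber >= static_cast<int>(parts.size());
}

// Rebuilds per-part offset lists from chunk records using the given range check.
// parts.at() is used instead of parts[] so an index that slips past the check
// is reported here rather than touching memory outside the vector.
template <typename RejectFn>
Result reconstruct(std::vector<Part>& parts, const std::vector<ChunkRecord>& records,
                   RejectFn reject) {
    for (const ChunkRecord& rec : records) {
        if (reject(rec.partNumber, parts)) return Result::RejectedBadPartNumber;
        try {
            parts.at(static_cast<std::size_t>(rec.partNumber)).chunkOffsets.push_back(rec.fileOffset);
        } catch (const std::out_of_range&) {
            return Result::OutOfBoundsIndex;
        }
    }
    return Result::Ok;
}

// Constructed sample: two parts, and a third record whose part number equals parts.size().
Result runSample(bool fixed) {
    std::vector<Part> parts(2);
    const std::vector<ChunkRecord> records = {{0, 1024}, {1, 2048}, {2, 4096}};
    return fixed ? reconstruct(parts, records, rejectAfterFix)
                 : reconstruct(parts, records, rejectBeforeFix);
}
```

With the pre-fix comparison the third record reaches the index operation; with the post-fix comparison it is rejected before any element is touched.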
Preconditions
- input: The attacker must supply a crafted EXR file that sets a part number in the chunk offset table equal to the total number of parts declared in the file.
- config: The victim application must use a vulnerable version of OpenEXR (2.3.0) to open the malicious file.
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.debian.org/debian-lts-announce/2021/07/msg00001.html (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2022/12/msg00022.html (mitre, mailing-list)
- github.com/AcademySoftwareFoundation/openexr/commit/8b5370c688a7362673c3a5256d93695617a4cd9a (mitre)
- github.com/AcademySoftwareFoundation/openexr/issues/491 (mitre)