OpenEXR: Integer overflow in the HTJ2K decoder leads to heap-buffer-overflow
Description
OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, an integer overflow in ht_undo_impl() in src/lib/OpenEXRCore/internal_ht.cpp leads to a heap-buffer overflow when decoding a crafted HTJ2K-compressed EXR file. decode->channels[i].width (int32_t) is multiplied by bytes_per_element in 32-bit signed arithmetic. With large widths (e.g., >= 536870912 for FLOAT data), this overflows, producing a corrupted offset that is later used for pointer arithmetic and can cause a heap out-of-bounds write. The same unchecked multiplication pattern appears in two other HTJ2K paths (bytes-per-line accumulation and pixel-line pointer advancement). As with related CVE-2026-34378 through CVE-2026-34589 fixes in other codecs, validating only after the multiplication is too late because the value may already be overflowed. This issue has been fixed in version 3.4.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3- Range: >=3.4.0, <=3.4.11
Patches
Vulnerability mechanics
Root cause
"Signed integer overflow in `width * bytes_per_element` multiplication in `ht_undo_impl()` leads to a corrupted pointer offset and heap-buffer-overflow."
Attack vector
An attacker crafts a malicious HTJ2K-compressed EXR file with a channel width of at least 536870912 for FLOAT data (bytes_per_element=4). When `ht_undo_impl()` computes `width * bytes_per_element` in 32-bit signed arithmetic, the product exceeds INT32_MAX, causing a signed integer overflow [CWE-190]. The corrupted offset is later used for pointer arithmetic, leading to a heap out-of-bounds write [ref_id=1]. No authentication is required; the file is delivered over the network or via any vector that causes the library to decode the crafted image.
Affected code
The vulnerability resides in `src/lib/OpenEXRCore/internal_ht.cpp` in the `ht_undo_impl()` function. At lines 188–189, `decode->channels[i].width` (int32_t) is multiplied by `decode->channels[i].bytes_per_element` (int8_t) using 32-bit signed arithmetic, and the overflowed result is stored in `raster_line_offset` and later used as a pointer offset at line 313. The same unchecked multiplication pattern appears in two other HTJ2K paths: bytes-per-line accumulation (line 213) and pixel-line pointer advancement (line 278).
What the fix does
The patch casts the operands to `size_t` (or `int64_t`) before multiplication at all three vulnerable locations in `internal_ht.cpp`. By promoting the 32-bit signed values to a wider unsigned or 64-bit type, the multiplication no longer wraps around INT32_MAX, preserving the correct offset. The advisory confirms that the fix eliminates the ASAN finding and passes all 63 core tests [ref_id=1].
Preconditions
- configThe library must be built without the debug assert at line 291 (i.e., with NDEBUG defined) that would otherwise mask the out-of-bounds write
- inputThe attacker supplies a crafted EXR file with a channel width >= 536870912 for FLOAT data
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.12mitrex_refsource_MISC
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-777r-f9x8-7r84mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.