An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp. References: https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md https://github.com/AcademySoftwareFoundation/openexr/blob/master/SECURITY.md https://github.com/AcademySoftwareFoundation/openexr/pull/730 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.2
Created OpenEXR tracking bugs for this issue: Affects: fedora-all [bug 1852012] Created mingw-OpenEXR tracking bugs for this issue: Affects: fedora-all [bug 1852013]
There's a case in which DeepScanLineInputFile::DeepScanLineInputFile() could fail to initialize a header, then free some heap memory (_data) without throwing an exception. Thus, upon the next deference of the heap memory, this would cause a use-after-free when passed to readLineOffsets(). This would likely result in a crash.
Statement: The versions of OpenEXR shipped with Red Hat Enterprise Linux 6, 7, and 8 are not affected by this flaw as the affected code was introduced in a newer version of OpenEXR.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15305