A heap-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of service via a crafted EXR file. https://github.com/AcademySoftwareFoundation/openexr/commit/6bb36714528a9563dd3b92720c5063a1284b86f8 https://github.com/AcademySoftwareFoundation/openexr/issues/494
External References: https://github.com/AcademySoftwareFoundation/openexr/commit/6bb36714528a9563dd3b92720c5063a1284b86f8 https://github.com/AcademySoftwareFoundation/openexr/issues/494
Created OpenEXR tracking bugs for this issue: Affects: fedora-all [bug 1929325]
Statement: This flaw is out of support scope for OpenEXR as shipped with Red Hat Enterprise Linux 6 and 7. For more information on Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata/ .
Flaw summary: TiledInputFile::rawTileData() did not validate the tile coordinates before reading from the tile buffer, which could lead to an out-of-bounds read during copyPixels(). The patch uses isValidTile() to correct this. Upstream patch: https://github.com/peterhillman/openexr/commit/a6512959ac823ac89027ef373deff6f386920bb9