An issue was discovered in OpenEXR before 2.5.2. An invalid tiled input file could cause invalid memory access in TiledInputFile::TiledInputFile() in IlmImf/ImfTiledInputFile.cpp, as demonstrated by a NULL pointer dereference. References: https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md https://github.com/AcademySoftwareFoundation/openexr/blob/master/SECURITY.md https://github.com/AcademySoftwareFoundation/openexr/pull/727 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.2
Created OpenEXR tracking bugs for this issue: Affects: fedora-all [bug 1852016] Created mingw-OpenEXR tracking bugs for this issue: Affects: fedora-all [bug 1852017]
In TiledInputFile::TiledInputFile() there's a catch block which would attempt to delete memory pointed to by NULL _data->tileBuffers pointers. The data is retrieved from an input stream that could accept an invalid tiled input file. This would cause a crash.
Statement: Versions of OpenEXR shipped with Red Hat Enterprise Linux 6, 7, and 8 are not affected by this flaw as the vulnerable code was introduced in newer versions of OpenEXR.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15304