2401801 – (CVE-2025-59731) CVE-2025-59731 FFmpeg: Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress

Bug 2401801 (CVE-2025-59731) - CVE-2025-59731 FFmpeg: Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress

Summary: CVE-2025-59731 FFmpeg: Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress

Keywords:
Status:	NEW
Alias:	CVE-2025-59731
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2401825 2401832 2401843 2401848 2401852 2401855
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-06 09:01 UTC by OSIDB Bzimport
Modified:	2025-10-06 10:44 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-10-06 09:01:45 UTC

When decoding an OpenEXR file that uses DWAA or DWAB compression, the specified raw length of run-length-encoded data is not checked when using it to calculate the output data.

We read rle_raw_size from the input file at [0], we decompress and decode into the buffer td->rle_raw_data of size rle_raw_size at [1], and then at [2] we will access entries in this buffer up to (td->xsize - 1) * (td->ysize - 1) + rle_raw_size / 2, which may exceed rle_raw_size.




We recommend upgrading to version 8.0 or beyond.

Note You need to log in before you can comment on or make changes to this bug.