SEGV exrmakepreview in ImfTiledOutputFile.cpp:458 #494

Closed
@strongcourage

Description

Hi,

I found a crash due to a heap buffer overflow bug in exrmakepreview (the latest commit 9410823 on master).

PoC: https://github.com/strongcourage/PoCs/blob/master/openexr_9410823/PoC_hbo_writeTileData
Command: exrmakepreview -v $PoC /dev/null

ASAN says:

==22567==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e178 at pc 0x7f2f375c522a bp 0x7ffe478e5550 sp 0x7ffe478e5540
READ of size 8 at 0x60400000e178 thread T0
    #0 0x7f2f375c5229 in Imf_2_3::TileOffsets::operator()(int, int, int, int) (/home/dungnguyen/gueb-testing/openexr/obj-asan/OpenEXR/IlmImf/libIlmImf-2_3.so.24+0x13e229)
    #1 0x7f2f375a8eac in writeTileData /home/dungnguyen/gueb-testing/openexr/OpenEXR/IlmImf/ImfTiledOutputFile.cpp:458
    #2 0x7f2f375ae164 in Imf_2_3::TiledOutputFile::copyPixels(Imf_2_3::TiledInputFile&) /home/dungnguyen/gueb-testing/openexr/OpenEXR/IlmImf/ImfTiledOutputFile.cpp:1534
    #3 0x40307b in makePreview(char const*, char const*, int, float, bool) /home/dungnguyen/gueb-testing/openexr/OpenEXR/exrmakepreview/makePreview.cpp:176
    #4 0x402187 in main /home/dungnguyen/gueb-testing/openexr/OpenEXR/exrmakepreview/main.cpp:185
    #5 0x7f2f3659582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x402428 in _start (/home/dungnguyen/PoCs/openexr_9410823/exrmakepreview-asan+0x402428)

Thanks,
Manh Dung


Labels: Bug (A bug in the source code)
