Quangio

Name of the Vulnerable Software and Affected Versions OpenEXR versions 3.1.0 through 3.2.6, versions prior to 3.3.9, and versions prior to 3.4.9 Description OpenEXR, an image storage format used in the motion picture industry, contains a flaw in the `internal exr undo piz()` function. Specifically, the function uses signed 32-bit arithmetic to advance a wavelet pointer, which can lead to integer overflow and wrap-around when processing a crafted EXR file. This results in out-of-bounds reads and writes during wavelet decoding, as the function operates in place. Recommendations Update OpenEXR to version 3.2.7 or later. Update OpenEXR to version 3.3.9 or later. Update OpenEXR to version 3.4.9 or later.

Name of the Vulnerable Software and Affected Versions OpenEXR versions 3.2.0 through 3.2.6, 3.3.9, and 3.4.9 Description OpenEXR, an image storage format used in the motion picture industry, contains a flaw in the DWA lossy decoder. Specifically, the decoder uses signed 32-bit arithmetic to create temporary block pointers, which can overflow for large image widths. This overflow leads to out-of-bounds writes to memory outside the allocated row block, potentially leading to crashes or other unexpected behavior. Recommendations Update to OpenEXR version 3.2.7 or later. Update to OpenEXR version 3.3.9 or later. Update to OpenEXR version 3.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** OpenEXR versions prior to 3.2.6 OpenEXR versions prior to 3.3.8 OpenEXR versions prior to 3.4.6 **Description** OpenEXR, a file format used in the motion picture industry, has an issue in the `CompositeDeepScanLine::readPixels` function. The function accumulates per-pixel totals in a vector named `total sizes`. When handling attacker-controlled large counts across multiple parts, the `total sizes[ptr]` value wraps around due to modulo 2^32 arithmetic. This wrapped total is then used to determine the size of the `samples[channel]` buffer, leading to an undersized buffer. Subsequent write operations in the `generic unpack deep pointers` function can then overrun this buffer. **Recommendations** Update to OpenEXR version 3.2.6 or later. Update to OpenEXR version 3.3.8 or later. Update to OpenEXR version 3.4.6 or later.