From 48e5f65a7de405e77c74c2a01bd228ef35d18118 Mon Sep 17 00:00:00 2001
From: Cary Phillips <cary@ilm.com>
Date: Tue, 21 Apr 2026 18:34:39 -0700
Subject: [PATCH] Fix OOB read when expanding IDManifest prefix-compressed
 strings (#2377)

Validate each string has enough bytes for the 1- or 2-byte
common-prefix encoding before indexing. Prevents heap OOB read when
the previous string is long and the current entry is empty or too
short.

Made with Cursor

Signed-off-by: Cary Phillips <cary@ilm.com>
---
 src/lib/OpenEXR/ImfIDManifest.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/lib/OpenEXR/ImfIDManifest.cpp b/src/lib/OpenEXR/ImfIDManifest.cpp
index 3df9a930d..92b2734ca 100644
--- a/src/lib/OpenEXR/ImfIDManifest.cpp
+++ b/src/lib/OpenEXR/ImfIDManifest.cpp
@@ -337,6 +337,13 @@ IDManifest::init (const char* data, const char* endOfData)
         //
         // previous string had more than 255 characters?
         //
+        const size_t minPrefixLen =
+            stringList[i - 1].size () > 255 ? size_t (2) : size_t (1);
+        if (stringList[i].size () < minPrefixLen)
+        {
+            throw IEX_NAMESPACE::InputExc (
+                "IDManifest string too small for common prefix length");
+        }
         if (stringList[i - 1].size () > 255)
         {
             common = size_t (((unsigned char) (stringList[i][0])) << 8) +
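Review bot: The threshold test `stringList[i - 1].size () > 255` is now written twice, once in the new `minPrefixLen` guard and once in the existing `if` that does the indexing, so the guard and the read it protects can drift apart if either is edited later. Computing it once, `const bool twoBytePrefix = stringList[i - 1].size () > 255;`, and using it in both places (`if (stringList[i].size () < (twoBytePrefix ? size_t (2) : size_t (1)))` and `if (twoBytePrefix)`) keeps the check tied to the branch it covers. The diffstat shows only ImfIDManifest.cpp changing, so a regression test for the case the commit message describes (an empty or too-short entry after a string longer than 255 characters) would be worth adding with the fix. The loop body and the rest of IDManifest::init continue outside the hunk, so whether the decoded `common` is also bounded against `stringList[i - 1].size ()` before it is used cannot be confirmed from here and should be checked.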

