explaingit

billy-ellis/exr-imageio-poc

Analysis updated 2026-05-18

32PythonAudience · researcherComplexity · 3/5Setup · moderate

TLDR

A proof-of-concept demonstrating a heap overflow vulnerability in Apple's ImageIO library that was fixed in iOS and macOS 26.5.

Mindmap

mindmap
  root((repo))
    What it does
      Demonstrates ImageIO heap overflow
      Provides crash reproduction
    Root cause
      Integer overflow
      Buffer size miscalculation
    Use cases
      Security research
      Vulnerability study
    Audience
      Security researchers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Reproduce the ImageIO EXR heap overflow crash on an affected OS version for research purposes.

USE CASE 2

Study how an integer overflow in buffer size calculation leads to memory corruption.

USE CASE 3

Use as a reference example of arithmetic-related memory safety bugs.

What is it built with?

Python

How does it compare?

billy-ellis/exr-imageio-pocautolearnmem/automembuptwz/holmes-kb
Stars323232
LanguagePythonPythonPython
Setup difficultymoderatehardmoderate
Complexity3/55/53/5
Audienceresearcherresearcherdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Only reproduces the crash on iOS/macOS versions prior to 26.5, requires an affected device or OS build.

License not stated in the README.

In plain English

This repository is a proof-of-concept demonstration for a security vulnerability that was found and fixed in Apple's ImageIO library on iOS and macOS 26.5. ImageIO is the system component that handles reading and writing image files on Apple devices. A proof-of-concept like this shows that a theoretical bug can be reliably triggered, but it is not a finished attack tool. The specific problem was an integer overflow inside a function called EXRReadPlugin::decodeBlockAppleEXR. EXR is a high-dynamic-range image format commonly used in film and visual effects work. When the function tried to compute the size of a memory buffer by multiplying an image's width and height together, those numbers could be so large that the multiplication would wrap around and produce a result of zero. A zero-size buffer would then be allocated, but the code would still try to fill it with the actual pixel data from the file, writing far more data than the buffer could hold. That type of error is called a heap overflow. An attacker could craft a specially made EXR image file that triggers this path. When ImageIO attempts to read that file, the overflow causes memory corruption and a crash. The repository includes a sample file and Python code that demonstrates this behavior, reproducing the crash on affected versions of the operating system. Apple addressed the bug in iOS/macOS 26.5. The author has also published a detailed technical write-up on their blog and a video explanation linked from the README. This repository serves as supporting material for that research, not as a standalone tool. The code is written in Python and is intentionally minimal. It exists to validate the bug report rather than to provide a polished library or application. If you are running an affected version of iOS or macOS, the appropriate response is to update your operating system. If you are a security researcher, this repository illustrates a class of memory-safety issue that arises when arithmetic is done on user-supplied values without overflow checks.

Copy-paste prompts

Prompt 1
Explain how the integer overflow in decodeBlockAppleEXR leads to a heap overflow.
Prompt 2
Walk me through how this crafted EXR file triggers the ImageIO vulnerability.
Prompt 3
Summarize what versions of iOS and macOS are affected and how Apple fixed it.

Frequently asked questions

What is exr-imageio-poc?

A proof-of-concept demonstrating a heap overflow vulnerability in Apple's ImageIO library that was fixed in iOS and macOS 26.5.

What language is exr-imageio-poc written in?

Mainly Python. The stack also includes Python.

What license does exr-imageio-poc use?

License not stated in the README.

How hard is exr-imageio-poc to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is exr-imageio-poc for?

Mainly researcher.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.