Analysis updated 2026-05-18
Reproduce the ImageIO EXR heap overflow crash on an affected OS version for research purposes.
Study how an integer overflow in buffer size calculation leads to memory corruption.
Use as a reference example of arithmetic-related memory safety bugs.
| billy-ellis/exr-imageio-poc | autolearnmem/automem | buptwz/holmes-kb | |
|---|---|---|---|
| Stars | 32 | 32 | 32 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | hard | moderate |
| Complexity | 3/5 | 5/5 | 3/5 |
| Audience | researcher | researcher | developer |
Figures from each repo's GitHub metadata at analysis time.
Only reproduces the crash on iOS/macOS versions prior to 26.5, requires an affected device or OS build.
This repository is a proof-of-concept demonstration for a security vulnerability that was found and fixed in Apple's ImageIO library on iOS and macOS 26.5. ImageIO is the system component that handles reading and writing image files on Apple devices. A proof-of-concept like this shows that a theoretical bug can be reliably triggered, but it is not a finished attack tool. The specific problem was an integer overflow inside a function called EXRReadPlugin::decodeBlockAppleEXR. EXR is a high-dynamic-range image format commonly used in film and visual effects work. When the function tried to compute the size of a memory buffer by multiplying an image's width and height together, those numbers could be so large that the multiplication would wrap around and produce a result of zero. A zero-size buffer would then be allocated, but the code would still try to fill it with the actual pixel data from the file, writing far more data than the buffer could hold. That type of error is called a heap overflow. An attacker could craft a specially made EXR image file that triggers this path. When ImageIO attempts to read that file, the overflow causes memory corruption and a crash. The repository includes a sample file and Python code that demonstrates this behavior, reproducing the crash on affected versions of the operating system. Apple addressed the bug in iOS/macOS 26.5. The author has also published a detailed technical write-up on their blog and a video explanation linked from the README. This repository serves as supporting material for that research, not as a standalone tool. The code is written in Python and is intentionally minimal. It exists to validate the bug report rather than to provide a polished library or application. If you are running an affected version of iOS or macOS, the appropriate response is to update your operating system. If you are a security researcher, this repository illustrates a class of memory-safety issue that arises when arithmetic is done on user-supplied values without overflow checks.
A proof-of-concept demonstrating a heap overflow vulnerability in Apple's ImageIO library that was fixed in iOS and macOS 26.5.
Mainly Python. The stack also includes Python.
License not stated in the README.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.