CVE-2026-27622: OpenEXR's CompositeDeepScanLine integer-overflow leads to heap OOB write

Function: CompositeDeepScanLine::readPixels, reachable from high-level multipart deep read flows (MultiPartInputFile + DeepScanLineInputPart + CompositeDeepScanLine).

Vulnerable lines (src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp):

• total_sizes[ptr] += counts[j][ptr]; (line ~511)
• overall_sample_count += total_sizes[ptr]; (line ~514)
• samples[channel].resize (overall_sample_count); (line ~535)

Impact: 32-bit sample-count accumulation wrap leads to undersized allocation, then decode writes with true sample volume, causing heap OOB write in generic_unpack_deep_pointers (src/lib/OpenEXRCore/unpack.c:1374) (DoS/Crash, memory corruption/RCE).

Attack scenario:

• Attacker provides multipart deep EXR with many parts and very large sample counts per pixel.
• Uses compression (RLE/ZIPS) to keep file size relatively small vs decode pressure.
• The overflow happens in composite sample accounting (unsigned int), while pointer progression for decode uses larger counters and reaches out-of-bounds.

Tested on: OpenEXR 4.0.0-dev (commit 83449669402080874b25ff1fa740649a9e6ea064) but this code has existed since v2.3.0