OpenImageIO Heap Buffer Overflow Vulnerability in SGI RLE Decoder

Vulnerability

A heap buffer overflow vulnerability has been identified in OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0. The issue arises in the SGI RLE decoding process, where bounds checking is handled improperly: the check relies on the OIIO_DASSERT macro, a debug-only assertion that is compiled out of release builds, so release builds perform no validation of the run lengths. As a result, a crafted .sgi file whose RLE data exceeds the scanline width overwrites heap memory and causes a crash. The vulnerability is present in the RLE decode loop of sgiinput.cpp, specifically lines 265 and 274.
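As an added illustration (not OpenImageIO's own code), the following standalone C decoder for 8-bit SGI RLE scanlines performs its scanline-width and source-length checks as ordinary runtime tests rather than debug-only assertions, so a run count larger than the remaining scanline is rejected in release builds as well; the two sample scanlines are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode one 8-bit SGI RLE scanline into `out` (capacity `width` pixels).
 * SGI RLE: each control byte carries a 7-bit count; bit 7 set means "copy
 * the next count literal bytes", bit 7 clear means "repeat the next byte
 * count times"; a zero count terminates the scanline.
 * Returns the number of pixels written, or -1 if a run would exceed the
 * scanline width or read past the end of the source. These are plain `if`
 * tests, not assert()/OIIO_DASSERT, so they survive release builds. */
int sgi_rle_decode_checked(const uint8_t *src, size_t srclen,
                           uint8_t *out, size_t width)
{
    size_t si = 0, oi = 0;
    for (;;) {
        if (si >= srclen) return -1;          /* truncated: no control byte */
        uint8_t ctl = src[si++];
        size_t count = ctl & 0x7f;
        if (count == 0) break;                /* end-of-scanline marker */
        if (count > width - oi) return -1;    /* run would overrun the line */
        if (ctl & 0x80) {                     /* literal run */
            if (count > srclen - si) return -1;
            memcpy(out + oi, src + si, count);
            si += count;
        } else {                              /* replicated run */
            if (si >= srclen) return -1;
            memset(out + oi, src[si++], count);
        }
        oi += count;
    }
    return (int)oi;
}

/* Constructed sample scanlines (not taken from any real file): a valid
 * 4-pixel line, and a line whose replicate count (6) exceeds the 4-pixel
 * width, which is the shape of input the advisory describes. */
static const uint8_t good_line[] = { 0x82, 0x11, 0x22, 0x02, 0x33, 0x00 };
static const uint8_t bad_line[]  = { 0x06, 0xAA, 0x00 };
static uint8_t pixels[4];

/* Decode the valid line; returns the pixel count (4). */
int demo_good(void) {
    return sgi_rle_decode_checked(good_line, sizeof good_line, pixels, 4);
}
/* Pixel value at index i after demo_good(); lets callers verify the output. */
int demo_good_pixel(int i) { return pixels[i]; }
/* Decode the oversized line; returns -1 instead of writing past `pixels`. */
int demo_bad(void) {
    return sgi_rle_decode_checked(bad_line, sizeof bad_line, pixels, 4);
}
```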

Impact

Exploitation of this vulnerability leads to heap corruption and a crash when a malicious SGI image is opened by any application that uses a release build of OpenImageIO. The overflow defeats the memory safety the decoder is expected to provide and could potentially be leveraged for further exploitation.

Reproduction

The vulnerability can be reproduced with a .sgi file whose RLE run counts exceed the width of the scanline. Because release builds omit the bounds check in the RLE decode loop, opening such a file with OpenImageIO results in a heap buffer overflow and a crash.

Remediation

Users should update to OpenImageIO versions 3.0.18.0, 3.1.13.0, or 3.2.0.2, where this vulnerability has been fixed.

Added: May 14, 2026, 9:32 PM
Updated: May 14, 2026, 9:32 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 1.3
exploitability: 5.6
remediation: 7.7
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.