AcademySoftwareFoundation OpenImageIO
cpe:2.3:a:openimageio:openimageio:*:*:*:*:*:*:*
- <= 3.1.12
A heap buffer overflow vulnerability has been identified in OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0. The issue arises in the Softimage PIC RLE decoder, specifically in the mixed RLE path (line 469) and pure RLE path (line 345), where the run length is not properly clamped to the remaining scanline width before writing pixels. This oversight allows a crafted .pic file to cause a heap overflow of up to 65,535 bytes. While the raw packet path (line 403) includes the necessary bounds check, the RLE paths do not, leading to the vulnerability.
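The missing check described above, as an added illustration that is not OpenImageIO's own decoder: a minimal Softimage-PIC-style RLE run writer that clamps the run to the remaining scanline width, with a self-check using the advisory's 16-byte scanline and 256-byte run. The names `run_overrun_bytes`, `write_run_clamped` and `check_clamp_guards_scanline` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example code, not OpenImageIO's decoder. An RLE packet says "repeat
 * this pixel value `run` times" into a scanline of fixed `width` bytes. The
 * advisory's bug is a run written without first being clamped to the bytes
 * that remain in the scanline (width - pos). */

typedef struct {
    size_t written;  /* bytes actually stored in the scanline */
    size_t overrun;  /* bytes an unchecked write would have put past the end */
} run_result;

/* Bytes an unclamped memset(scanline + pos, value, run) would write beyond
 * the end of a `width`-byte scanline. Pure arithmetic, performs no writes. */
size_t run_overrun_bytes(size_t width, size_t pos, size_t run)
{
    size_t remaining = pos < width ? width - pos : 0;
    return run > remaining ? run - remaining : 0;
}

/* Hardened run writer: clamps the run to the remaining width and reports how
 * much was dropped so the caller can reject the file as corrupt. */
run_result write_run_clamped(uint8_t *scanline, size_t width, size_t pos,
                             size_t run, uint8_t value)
{
    run_result r;
    r.overrun = run_overrun_bytes(width, pos, run);
    r.written = run - r.overrun;               /* == min(run, width - pos) */
    if (r.written > 0)
        memset(scanline + pos, value, r.written);
    return r;
}

/* Self-check mirroring the advisory's numbers: a 16-byte scanline followed by
 * a 0xAA guard region, then a run of 256. Returns 1 if the guard is intact,
 * the run was clamped to 16 bytes and 240 bytes were reported as dropped. */
int check_clamp_guards_scanline(void)
{
    enum { WIDTH = 16, GUARD = 256 };
    uint8_t buf[WIDTH + GUARD];
    memset(buf, 0xAA, sizeof buf);
    run_result r = write_run_clamped(buf, WIDTH, 0, 256, 0x55);
    for (size_t i = 0; i < WIDTH; i++)
        if (buf[i] != 0x55) return 0;          /* scanline not filled */
    for (size_t i = WIDTH; i < sizeof buf; i++)
        if (buf[i] != 0xAA) return 0;          /* guard was overwritten */
    return r.written == WIDTH && r.overrun == 240;
}
```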
Exploitation of this vulnerability causes a heap buffer overflow, with the potential to overwrite memory and control the execution flow of the program. The overflow size and the data written can be controlled by the attacker.
The vulnerability can be reproduced by using a crafted .pic file that exploits the RLE decoding paths in OpenImageIO. The file should be created to include a run length value that exceeds the width of the scanline, such as 256 bytes for a 16-byte scanline buffer, causing a 240-byte heap overflow. This can be done using a script that generates a valid Softimage PIC header with malicious RLE data. The overflow can be confirmed using AddressSanitizer (ASAN) to detect the heap-buffer-overflow write.
Users can upgrade to OpenImageIO versions 3.0.18.0 or 3.1.13.0 to address this vulnerability.